Six Rules For Online Security

It’s all a numbers game. Nothing ever will guarantee that you will never be victimized online but following a fairly simple set of rules will drastically reduce the chances that you will be a victim.

Rule One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way that could have happened anywhere and required no computer skills or knowledge. For example, some clever hacker writes an email that looks like it came from your boss and asks you to send him the payroll list with usernames and bank account deposit numbers. Or someone claiming to be your favorite niece calls from Uzbekistan asking you to send a five-hundred-dollar Amazon gift card to her at a post office box in Tashkent because she’s in a jam. Or you get a phone call from Microsoft asking for your account password.

These and similar debacles have all resulted in substantial losses to the victims. Never be rushed. Take time to think it through. Find a way to verify that the request is real. Call your boss, your niece’s mother. Check with Microsoft’s published support number. Do the sensible thing.

Almost everyone knows not to respond to fabulous offers from Nigerian princes, but online criminals are clever, and they know how to play on your emotions and fears. Even the largest and most sophisticated online attacks start with social trickery.

Rule Two

Avoid dodgy websites. You know the sites I mean. The ones that appeal to base instincts or offer something too good to be true. Military super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Some of you remember the ads for spark plugs that triple your gas mileage in the back of men’s magazines, or the ads for miraculous youth-rejuvenating serums on after hours television. Or x-ray vision glasses in comic books. In the old days, you sent in your money and got nothing in return.

Today, click on one of those kinds of websites and you are likely not just to waste your money; you can also infect your computer with nasty malware that will hurt for months to come if the infection is not detected and removed.

Rule Three

Be careful with downloads and installs. Downloading and installing an app is a lot like surgery. When you start an install, you are a patient on the operating table whose life is in the hands of a surgeon. You are completely vulnerable. If your surgeon is a crook, your goose is cooked and laid out on the platter for carving.

Most developers honestly offer useful software and services, but the simplest and most effective way to compromise your computer, laptop, tablet, or phone is to get you to install an application that appears to entertain you or perform useful work, but also opens your device to exploitation.

To protect yourself, get your installs from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. An app that has been downloaded many times with tons of good reviews is more likely to be safe.

Before you install, check the reviews and the reputation of the developer on the network. Always download from secure (HTTPS) sites. Get your drivers directly from operating system and device manufacturer sites. Third party comprehensive driver sites may be convenient, but the risks are higher.

Rule Four

Scan regularly for malware. There are many anti-malware tools available and almost all are quite effective when used properly. “Computer virus” is a technical classification for one kind of nasty stuff that can land on a computer. Malware is the more general term. A tool that only scans for viruses is old school and ineffective.

Anti-malware tools are very competitive, and the malware landscape changes quickly. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans. Windows Defender, which is automatically installed and activated with Windows 10, is a good choice because it is updated regularly and scans automatically. It may not be the best on a given day, but it’s probably better than a competitor without the latest updates. If you prefer not to think much about malware scans, it is a good choice.

A note about Apple devices. Contrary to the marketing stories, they too are vulnerable to hacking. Regular, up-to-date malware scans will help.

Rule Five

Keep your operating system and apps patched. Hackers are industrious devils, always on the prowl for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Malware scans spot and thwart attacks after they occur, but stopping the invaders before they get in is better. Automatic updates may seem like a hassle, but the benefits outweigh the annoyance. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that is happening less and less as the sources get better at patching, and a botched patch is far less damaging than a successful attack.

Rule Six

Use strong passwords. Password cracking has become much more sophisticated. Long (sixteen characters or more) random passwords are still very difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the most egregious breaches in recent years have been based on duplicated passwords.

When available, use multi-factor authentication (MFA) in addition to a password. MFA is much more difficult to hack into than even the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low. The strongest multi-factor systems use an app-generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account, should always use multi-factor authentication.

If you follow these rules, I can’t guarantee that you will not suffer from an attack, but the chances that you will be a victim will be far less.

I’ve been brief in this post. If you need more information, I am available from 3pm-4pm the first and third Wednesdays of each month at the Ferndale Public Library, or you can read my book Personal Cybersecurity. It is available from the library, or you can buy it on Amazon here.

I gave a talk on these rules at the Whatcom County Library System North Fork Community Library on October 19, 2019. The fall colors were stunning. I’ll be giving the same talk at the Ferndale and Lynden Public Libraries in February and March. I’ll also be giving talks on online privacy at Ferndale and Lynden.

Browser Wars and Privacy

A new round of the perennial browser wars has begun. Google Chrome is the current hands-down victor, but don’t be surprised if that changes. The new battleground is privacy. Google will have to fight hard to retain its majority market share. But will our privacy increase? I doubt it. The reason is a long story.

Current Standings

The main browser contenders are Google Chrome, Mozilla Firefox, and Apple Safari. In May 2019, the worldwide standings on all platforms were Chrome 63%, Safari 16% and Firefox 5%. To a certain extent, those numbers represent the distribution of smartphones. Google Android is the most prevalent and the default browser on Android is Chrome. Safari is the default on Apple iPhones. Firefox trails in part because it is not the default anywhere and users have to take the time and trouble to install it. On desktops and laptops in the US, Chrome still runs laps on Firefox and Safari at 64%. Microsoft Internet Explorer and Edge combined, the defaults on Windows computers, come in around 20%, Firefox and Safari trail at around 8%.

Depending on how much consumers value their privacy, these standings may change in months to come.

Last week, the Washington Post lambasted Google Chrome on privacy. Mozilla Firefox has been touting its security and privacy features regularly for the past few months and they have steadily improved their performance to keep up with Chrome.

History

The war used to be the world vs. Microsoft Internet Explorer (IE). The old battle was fought over performance, features, and standards compatibility. Microsoft in the late 90s and early 2000s was feeling safe in its control of the personal computer market; they took an indifferent stance toward emerging browser standards and chose to go their own way with IE, forcing web site developers to write different code for IE while following widely accepted standards for the rest. Most consumers were unaware, but it drove engineers crazy.

Eventually, Chrome, Firefox, and Safari moved ahead of IE. Microsoft, in those days, was complacent on web performance, behind the curve on web security, and fighting anti-monopoly suits. Google, Mozilla, and Apple were striving hard to improve performance, security, and adding features while conforming to standards. As a longtime competitor and partner, I can say that Microsoft engineers are second to none, but they floundered in the browser wars and eventually lost to the contenders. Chrome came off as the big winner by concentrating on performance.

Chrome is still the browser performance champion, but their lead is so small, it’s hard for most users to distinguish between the performance of any of the browsers today. I suspect Microsoft struggles because old IE special features are still required by some important customers, which puts constraints on IE that the other browsers don’t face.

The Privacy Battle

In this battle, Firefox appears to have the high ground. Most of Google’s revenue comes from selling ads that are targeted by the information it collects on the habits of the users of its free services like Google search, Gmail, and Chrome. When Chrome ups its privacy game, Google’s potential corporate revenue goes down. This places Google on a razor edge: abuse privacy and the public will quit using its services; increase privacy and ad-targeting gets fuzzy, which will cause revenues to drop.

Mozilla, as a non-profit, has no direct stake in targeting ads and therefore appears to be free to pursue privacy for its users, but it’s complicated.

Even Non-Profits Need Revenue

Mozilla’s 2017 audit states that a large share of its revenue comes from search engines, which pay Mozilla a small amount for each search directed to the search engine. Mozilla has had contracts with Google, Bing, and Yahoo at various times to default searches to these engines. Their current default search contract is with Google. The auditors note that cancellation of these default search contracts is a substantial risk to Mozilla. Google pays Mozilla with money made from targeted advertising. Therefore, if browsing gets too private, Mozilla still stands to lose revenue. Not as directly as Google, but they are still at risk.

Google, as a public corporation, must keep their revenues up to satisfy their stockholders. Mozilla is a non-profit, but their engineers and other employees do not work for free. To continue to thrive, Mozilla must compete with public corporations for these employees with adequate facilities and wages.

Caution

What does this mean for the public? The high-tech network world is subtly connected and intertwined. TANSTAAFL. There ain’t no such thing as a free lunch. Most free services today are either loss-leaders for paid services, or they are bankrolled by selling data on the habits of the service users. Even when it appears that they are not. Until that basic fact changes, your privacy is on the market.

No matter which browser you choose, it is up to you to select privacy options that correspond to the level of privacy you want.

Be Careful With Remote Access

Connected devices on the Internet of Things are cool. I have a friend who looks in on his cats on Whidbey Island with his phone from our house in Ferndale. I love my Bluetooth mouse and being able to start the oven preheating from my office upstairs with my phone. But I wouldn’t want a stranger to have the same access.

To be safe, you must take precautions.

Today, or very soon, most of the electric appliances and many other devices that people interact with will be connected to computer networks. At our house, my wife’s car (not my old truck), our kitchen range and its hood, the dishwasher and the microwave are all set up to connect wirelessly to a computer network (the Internet). We can expect more connected appliances to appear on the market soon. In fact, some claim that it will soon be difficult to acquire any electrical appliances that are not connected to computer networks. Why? Because remote wireless computer control has become a cheap feature for manufacturers to add these days. Unfortunately, connectivity has become less safe in the process.

What has changed

In olden times, say 2010, when a refrigerator manufacturer decided to add remote wireless computer monitoring or control to a new model, they would hire a team of electrical and software engineers to design a chip, circuitry, and control software to embed. The team would come up with a tidy little system that would do exactly what the manufacturer intended. No more, no less.

That’s not how it’s done today. Instead, they buy standard, off-the-shelf components and snap them together. One of those components is likely to be the equivalent of an entire personal computer, complete with a wireless interface and capabilities similar to a typical desktop of a couple decades ago. A complete computer is now cheaper to embed than a custom designed minimal component. Unfortunately, these embedded computers are as easy, sometimes easier, to hack as any desktop, laptop, or phone today.

In my book, Personal Cybersecurity, available at the Ferndale Public Library, I cited the case of an electric teakettle that was easily hacked into by “war drivers” cruising the neighborhood looking for open wireless networks to exploit. That was two years ago. Those kinds of exploits are more plentiful and easier today.

Using a cheap little circuit board with an entire PC on board, manufacturers can build the device cheaply and figure out how to use the computing and connectivity later. They can add new features after the device has been manufactured using standard programming. This has a downside. Hacking a refrigerator used to require specialized knowledge of custom controllers and software written in assembler for processors that only a few engineers ever heard of. Now, the code is in high level languages on hardware that is taught in high schools.

For example, Amazon has published simple methods for placing devices with embedded computers under voice control through their Alexa product. I expect projects like Alexa-controlled electric whoozits are showing up at high school science fairs. If Alexa can easily be made to control something, there is a good chance that a hacker can too.

On top of that, a small manufacturer has little or no incentive or expertise to build security into their network-controlled toasters. Companies like Microsoft, Apple, Google, and Facebook have regulators, reputations, and stockholders to hold them accountable to public opinion. A rash of house fires from hacked Apple toasters would send Apple stock into a tailspin, the lights would burn all night in Cupertino, and fixes would be issued in days. You might not even realize that a fix was made. Companies like Apple work that way.

But for a small, no-brand appliance manufacturer, odds are great that nothing would happen. These companies, often located in China or southeast Asia, manufacture a batch of appliances, sell no-brand batches to secondary vendors who label the devices and sell them to the consumer. The department store that sold the hacked toasters and the company that designed and manufactured them may only be loosely and temporarily connected. The manufacturer retains no knowledge of what happened to the vulnerable devices or how to contact the final owners. The seller may be accountable but that’s little comfort after the house burns down.

What can you do to be safe?

•    Read the specifications and manuals for electrical appliances carefully. Be aware of the device’s networking capabilities, especially wireless connections. The FCC requires all radio transmitting and receiving devices to register. An FCC ID number is a clue that the device can connect to a computer network, including the Internet.

•    If you don’t have a good use for remote connection of a device, turn the remote connection facility off. If you can’t turn remote access off, consider replacing the item. Chalk the expense up to lessons learned and sleep a little more soundly.

•    You may have a good use for connectivity. Surveillance cameras that you can access from your phone are an example. When properly secured, the risk of being hacked can be managed.

•    Before you buy, research. You can often find security-oriented reviews. Read the documentation on the device. If secure access to the device is not documented, don’t buy it. Find an equivalent device that is secured. Follow the security recommendations.

•    Many of these devices come with a default username like “admin” and a password like “password.” You must change these. The password is most important. Use a strong password. A long random sequence of upper- and lower-case letters, numbers, and symbols is best. The easier a password is to remember, the easier for a determined hacker to crack. Record the password safely. I use a password manager. Writing it down in a safe place is good too. If you lose the password, you may “brick” (permanently disable) the device.

•    Use caution with Bluetooth devices. Most are easy to eavesdrop on. Bluetooth can be secure, but it is often a hassle and manufacturers often skip security over convenience. I’ve written about Bluetooth security here.

Reporting Cybercrime

This week I received the nastiest email I have ever personally received. For the sake of brevity, I will assume the spammer was male, although there was nothing in the spam that indicated the gender. He claimed to have infected my computer with malware and to have used my computer’s camera to record a compromising video of me. He threatened to send the video to my family and friends if I did not post him two thousand dollars in Bitcoin.

This was not mere spam (unsolicited commercial email). It was extortion, a felony in every state in the US. Spam is one thing, this is another.

To begin with, I knew that the video as described was impossible, the malware was unlikely, and a number of statements in the email were wrong.

First Response

My first reaction was to scan my computers for malware, just in case. I doubted that malware had been installed, but I am set up to run malware scans easily, so I did. I ran both Windows Defender and MalwareBytes scans on my two Surface tablets. Why I chose MalwareBytes and Windows Defender is a subject for another blog. I did not bother to run scans on my desktop and Linux machines—they have no video recording facilities. I let scheduled daily scans take care of them. My Android phone was not likely to have been involved in the threat, so I skipped scanning it, although I would have scanned it if I had the slightest suspicion that it might be infected.

Basic computer hygiene

The scans, as I expected, came up clean. If malware had been detected, the urgency of the situation would have increased. Why was I so sure my machines were not infected? Because I follow basic computer hygiene rules:

  • I don’t open questionable network links in emails.
  • I don’t open email attachments unless I am certain of their origin.
  • I don’t visit dodgy click bait sites.
  • I don’t download anything until I am sure the source is legit.
  • My passwords are strong and not duplicated.

Follow those rules and you are unlikely to get malware. Scan regularly and you are even safer.

I did not feel threatened, but I was annoyed. I like technology and the computer networks, and I do everything I can to see that criminals who abuse computers are stopped.

Local law enforcement

Although I felt safe, I was not done. My next step was to call the local police. I knew calling was unlikely to get results because few local law enforcement agencies have staff trained for dealing with cybercrime. However, I have great respect for local law enforcement, in this case, the Ferndale Police Department. I checked the Police Department website for advice. They suggest calling 911 for any reason to speak with an officer. That’s not good advice everywhere. Some 911 dispatch units want only emergencies. But I called 911, saying upfront that it was not an emergency and explained what had happened. 911 was glad to take my call. We live in a nice place. A Ferndale police officer called me a short time later. He explained, as I expected, that there was little Ferndale or Whatcom County could do, but he mentioned the FBI. That was what I expected.

The FBI

I am familiar with the FBI IC3 site. The name stands for Internet Crime Complaint Center. It is a central clearing house for cybercrime reports. Most cybercrime crosses state and national boundaries. This is one reason state and local law enforcement are ineffectual against cybercrime. In my case, I had done some research and found clues pointing to Thailand as the origin for the email, although I am far from certain. Successfully detecting and prosecuting a foreign extortionist from a single email is unlikely, but these guys never make only one threat. I could tell from the email that it was a template that was sent to many potential victims. They do it over and over again, and each threat is a data point that the feds can use to triangulate on the criminal and eventually catch him and his gang.

Filling out the IC3 report took less than ten minutes.

When reporting email crime, the most important evidence is the email header. Users don’t ordinarily see full headers. Email systems are a “store and forward” relay system. The email you send does not go straight from your computer to the computer of the recipient. Often, email goes through several computers (servers), each forwarding to the next until the email finds its way to a server that you connect with. Each of these hops is recorded in the email header. You can get to it from your email client like Outlook or Gmail. The exact method depends on the client, but look around for something that says, “Show Detail” or “Full Header” or “Show original”. Click there and you will get something that looks like this:

Delivered-To: xxxxx@gmail.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw; Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzG1OlfaefurTjEEX80PMgA3k53DcELE8674Psd+hb9+Rb3Y1QsBpv2ljrzP3M5Xwk=
X-Received: by 2002:ab0:1d82:: with SMTP id l2mr15233348uak.120.1554710142365; Mon, 08 Apr 2019 00:55:42 (PDT)
Authentication-Results: mx.google.com;

And a lot of other similar stuff. I copied and pasted the full header and email into the IC3 form.

The FBI investigators can use the header information to identify the origin of the email, even though the criminal usually tries to hide it. Also make sure the body of the email is included. In my case, the criminal included a Bitcoin address. Although Bitcoin transfers are vaunted to be anonymous, some arrests are made based on Bitcoin information. Flaws in software implementations don’t always favor the crooks.
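As an added example that is not part of the original post, here is a small Python script that pulls the “Received:” hops out of a pasted full header, lists them in sending order (oldest relay first, since each server adds its line at the top) and checks that each hop hands off to the next; the header text, host names, addresses and IDs are constructed placeholders, not a real message.

```python
# Added example (not from the original post): parse the raw headers of an
# email and list the "Received:" hops in delivery order, oldest relay first.
# The header text below is constructed; hosts, addresses and IDs are
# placeholders, not real servers.
import email
from email import policy
from email.utils import parsedate_to_datetime
import re

# Constructed sample: three Received hops, newest on top, as servers write them.
RAW_HEADERS = """\
Delivered-To: victim@example.com
Received: from relay2.example.net (relay2.example.net [198.51.100.7])
        by mx.example.com with ESMTPS id abc123;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
Received: from relay1.example.org (relay1.example.org [203.0.113.9])
        by relay2.example.net with ESMTP id def456;
        Mon, 8 Apr 2019 00:55:40 -0700 (PDT)
Received: from [192.0.2.44] (unknown [192.0.2.44])
        by relay1.example.org with SMTP id ghi789;
        Mon, 8 Apr 2019 00:55:12 -0700 (PDT)
Authentication-Results: mx.example.com; spf=fail
From: "Someone" <sender@example.org>
Subject: constructed sample

body
"""

# "from <host> (<info>) by <host>" is the common shape of a Received clause.
HOP_RE = re.compile(
    r"^(?:from\s+(?P<frm>\S+)(?:\s+\((?P<frm_info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_hops(raw):
    """Return the Received hops as dicts, oldest relay first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse folded continuation lines; the timestamp follows the last ';'.
        text = " ".join(value.split())
        head, _, date_part = text.rpartition(";")
        m = HOP_RE.match(head)
        when = None
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            pass  # malformed or missing date; keep the hop anyway
        hops.append({
            "from": m.group("frm") if m else None,
            "from_info": m.group("frm_info") if m else None,
            "by": m.group("by") if m else None,
            "time": when,
        })
    hops.reverse()  # servers prepend, so reversing gives sending order
    return hops

def origin_hop(hops):
    """The earliest hop: the relay closest to the sender's own machine."""
    return hops[0] if hops else None

def chain_is_consistent(hops):
    """Each hop's 'by' host should be the next hop's 'from' host, and time must not go backwards."""
    for a, b in zip(hops, hops[1:]):
        if a["by"] != b["from"]:
            return False
        if a["time"] and b["time"] and b["time"] < a["time"]:
            return False
    return True

if __name__ == "__main__":
    for i, h in enumerate(parse_hops(RAW_HEADERS)):
        print(i, h["from"], "->", h["by"], h["time"])
```

A hop whose hand-off does not match the previous one, or whose timestamp runs backwards, is the kind of detail investigators look at, because the sender controls only the earliest lines and cannot rewrite the ones added by later relays.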

What happens next?

What is likely to happen to my complaint? If mine is the only complaint against this guy, probably nothing. But if enough complaints come in, each complaint builds the profile of the criminal and eventually the pieces may fall into place and they will nab him. The US has an extradition treaty with Thailand, so the crook is not safe there.

A citizen’s duty

Most important, resources will never be allocated to crack down on cyber crime if citizens remain silent when crime occurs. That applies on every level. I wanted it on record with the Ferndale Police that it had occurred in Ferndale just as much as I wanted it on record with the FBI. Ferndale is a wonderful place with friendly people everywhere, but we are still vulnerable to these sleazoids and I want the FPD to know.

As citizens, we have a duty to our community to report crime when it occurs. Law enforcement can do nothing to prevent unreported crime.

If you have more questions about cybercrime, visit “Computers & Troubles” at the Ferndale Public Library from 3pm to 4pm the first and third Wednesday of every month and talk to me about it. I’m there to help you with all your computer problems. My grandson Chris usually is there to help. (We plan to take June, July, and August off. I hope the problems do also.)