Reporting Cybercrime

This week I received the nastiest email I have ever personally received. For the sake of brevity, I will assume the spammer was male, although there was nothing in the spam that indicated the gender. He claimed to have infected my computer with malware and to have used my computer’s camera to record a compromising video of me. He threatened to send the video to my family and friends if I did not post him two thousand dollars in Bitcoin.

This was not mere spam (unsolicited commercial email). It was extortion, a felony in every state in the US. Spam is one thing; this is another.

To begin with, I knew that the video as described was impossible, the malware was unlikely, and a number of statements in the email were wrong.

First Response

My first reaction was to scan my computers for malware, just in case. I doubted that malware had been installed, but I am set up to run malware scans easily, so I did. I ran both Windows Defender and MalwareBytes scans on my two Surface tablets. Why I chose MalwareBytes and Windows Defender is a subject for another blog. I did not bother to run scans on my desktop and Linux machines—they have no video recording facilities. I let scheduled daily scans take care of them. My Android phone was not likely to have been involved in the threat, so I skipped scanning it, although I would have scanned it if I had the slightest suspicion that it might be infected.

Basic computer hygiene

The scans, as I expected, came up clean. If malware had been detected, the urgency of the situation would have increased. Why was I so sure my machines were not infected? Because I follow basic computer hygiene rules:

  • I don’t open questionable network links in emails.
  • I don’t open email attachments unless I am certain of their origin.
  • I don’t visit dodgy click bait sites.
  • I don’t download anything until I am sure the source is legit.
  • My passwords are strong and not duplicated.

Follow those rules and you are unlikely to get malware. Scan regularly and you are even safer.

I did not feel threatened, but I was annoyed. I like technology and the computer networks, and I do everything I can to see that criminals who abuse computers are stopped.

Local law enforcement

Although I felt safe, I was not done. My next step was to call the local police. I knew calling was unlikely to get results because few local law enforcement agencies have staff trained for dealing with cybercrime. However, I have great respect for local law enforcement, in this case, the Ferndale Police Department. I checked the Police Department website for advice. They suggest calling 911 for any reason to speak with an officer. That’s not good advice everywhere. Some 911 dispatch units want only emergencies. But I called 911, saying upfront that it was not an emergency and explained what had happened. 911 was glad to take my call. We live in a nice place. A Ferndale police officer called me a short time later. He explained, as I expected, that there was little Ferndale or Whatcom County could do, but he mentioned the FBI. That was what I expected.

The FBI

I am familiar with the FBI IC3 site. The name stands for Internet Crime Complaint Center. It is a central clearing house for cybercrime reports. Most cybercrime crosses state and national boundaries. This is one reason state and local law enforcement are ineffectual against cybercrime. In my case, I had done some research and found clues pointing to Thailand as the origin for the email, although I am far from certain. Successfully detecting and prosecuting a foreign extortionist from a single email is unlikely, but these guys never make only one threat. I could tell from the email that it was a template that was sent to many potential victims. They do it over and over again, and each threat is a data point that the feds can use to triangulate on the criminal and eventually catch him and his gang.

Filling out the IC3 report took less than ten minutes.

When reporting email crime, the most important evidence is the email header. Users don’t ordinarily see full headers. Email systems are a “store and forward” relay system. The email you send does not hop from your computer to the computer of the recipient. Often, email goes through several computers (servers), each forwarding to the next until the email finds its way to a server that you connect with. Each of these hops is recorded in the email header. You can get to it from your email client like Outlook or Gmail. The exact method depends on the client, but look around for something that says, “Show Detail” or “Full Header” or “Show original”. Click there and you will get something that looks like this:

Delivered-To: xxxxx@gmail.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzG1OlfaefurTjEEX80PMgA3k53DcELE8674Psd+hb9+Rb3Y1QsBpv2ljrzP3M5Xwk=
X-Received: by 2002:ab0:1d82:: with SMTP id l2mr15233348uak.120.1554710142365;
        Mon, 08 Apr 2019 00:55:42 (PDT)
Authentication-Results: mx.google.com;

And a lot of other similar stuff. I copied and pasted the full header and email into the IC3 form.

The FBI investigators can use the header information to identify the origin of the email, even though the criminal usually tries to hide it. Also make sure the body of the email is included. In my case, the criminal included a Bitcoin address. Although Bitcoin transfers are vaunted to be anonymous, some arrests are made based on Bitcoin information. Flaws in software implementations don’t always favor the crooks.
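To show what an investigator actually reads out of those "Received:" lines, here is an added example (my own code, not anything from the post or from IC3) that parses a full header, lists the relay hops in the order the message actually travelled (the bottom "Received:" line is the first hop), pulls out the relaying IP addresses, checks that the hop timestamps run forward (a hop that is out of order is a sign that a forged "Received:" line was inserted to hide the origin), and reads the SPF/DKIM/DMARC verdicts from "Authentication-Results:". The header in SAMPLE_HEADER is constructed for the example; its host names and addresses are documentation placeholders, not real mail servers.

```python
import re
import email
from email.utils import parsedate_to_datetime

# Constructed sample header, modelled on the shape shown above. Hosts and IPs are
# reserved documentation values (example.com, 192.0.2.x, ...), not real infrastructure.
SAMPLE_HEADER = """\
Delivered-To: victim@example.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
Received: from mx.example.com (mx.example.com. [203.0.113.10])
        by mx.google.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 08 Apr 2019 00:55:42 -0700 (PDT)
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.com with ESMTP; Mon, 08 Apr 2019 00:55:41 -0700 (PDT)
Received: from [192.0.2.55] (unknown [192.0.2.55])
        by relay.example.net with SMTP; Mon, 08 Apr 2019 00:55:40 -0700 (PDT)
From: "Support" <noreply@example.org>
Subject: Final notice
Authentication-Results: mx.google.com; spf=fail smtp.mailfrom=example.org

Body text would follow here.
"""

RE_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
RE_BY = re.compile(r"\bby\s+(\S+)", re.I)
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RE_AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def received_hops(raw_message):
    """Return the Received: hops in chronological order (origin first).

    Each hop is a dict: the host that handed the message over ('from'), the
    IP address the receiving server recorded for it ('ip'), the receiving
    server ('by') and the timestamp the receiving server stamped ('time').
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold the continuation lines
        m_from, m_by, m_ip = RE_FROM.search(value), RE_BY.search(value), RE_IP.search(value)
        when = None
        if ";" in value:  # the date follows the last semicolon
            try:
                when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "time": when,
        })
    hops.reverse()  # headers are prepended, so the last one is the first hop
    return hops


def origin_hop(hops):
    """The earliest hop that recorded an IP address: the best lead on where the mail entered the relay chain."""
    for hop in hops:
        if hop["ip"]:
            return hop
    return None


def timestamps_consistent(hops):
    """True when every hop is stamped no earlier than the hop before it."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(earlier <= later for earlier, later in zip(times, times[1:]))


def auth_results(raw_message):
    """Read the spf/dkim/dmarc verdicts out of Authentication-Results:, e.g. {'spf': 'fail'}."""
    msg = email.message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in RE_AUTH.findall(value):
            verdicts[mech.lower()] = result.lower()
    return verdicts


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADER)
    for h in hops:
        print(f"{h['time']}  {h['from']} [{h['ip']}] -> {h['by']}")
    print("origin:", origin_hop(hops)["ip"])
    print("timestamps consistent:", timestamps_consistent(hops))
    print("authentication:", auth_results(SAMPLE_HEADER))
```

Only the hop recorded by a server you trust is hard to forge; everything below it in the chain was written by whoever handed the message over, so the "origin" this prints is a lead, not proof, which is exactly why the whole header goes into the report rather than one address.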

What happens next?

What is likely to happen to my complaint? If mine is the only complaint against this guy, probably nothing. But if enough complaints come in, each complaint builds the profile of the criminal and eventually the pieces may fall into place and they will nab him. The US has an extradition treaty with Thailand, so the crook is not safe there.

A citizen’s duty

Most important, resources will never be allocated to crack down on cyber crime if citizens remain silent when crime occurs. That applies on every level. I wanted it on record with the Ferndale Police that it had occurred in Ferndale just as much as I wanted it on record with the FBI. Ferndale is a wonderful place with friendly people everywhere, but we are still vulnerable to these sleazoids and I want the FPD to know.

As citizens, we have a duty to our community to report crime when it occurs. Law enforcement can do nothing to prevent unreported crime.

If you have more questions about cybercrime, visit “Computers & Troubles” at the Ferndale Public Library from 3pm to 4pm the first and third Wednesday of every month and talk to me about it. I’m there to help you with all your computer problems. My grandson Chris usually is there to help. (We plan to take June, July, and August off. I hope the problems do also.)

Phish Spotting

This morning I was greeted by a spate of phishing emails in my inbox. How did I know? Because the Gmail Team spotted them for me. Google has gotten very good at spotting phishing. I began using Gmail as my main email client yesterday. This morning, the Gmail Team lit up my eyes. I had mixed feelings about Gmail’s unfamiliar interface and online requirement, but their phish spotting performance this morning moved the approval needle a whopping notch in the positive direction. Between 8 and 9 pm yesterday, Google recognized 22 phishing attempts on one of my email accounts. That is close to a denial of service attack, but Google took it in stride.

I’ll ignore the slightly disturbing fact that the phishing started an hour or so after I put the email address into Gmail.

If you are wondering, a Denial Of Service (DOS) attack uses a flood of messages of some kind to try to overwhelm a system. In this case, the flood was phishing email. More often, a DOS attack is on a web service, like Amazon or Google itself, in which a flood of requests for service are sent to the service. The effect is that either the service slows down to the point that legitimate requesters turn away because the response is so dismal, or the service itself fails under the bombardment of requests.

The most difficult type of DOS attack occurs when the attack comes from many different sources at the same time. This is called a Distributed Denial Of Service (DDOS). Often, a DDOS comes from a “botnet,” a collection of surreptitiously invaded computers, often home computers, that are subverted to send out requests at the bidding of the “botmaster.” Often, the point of a phishing attack is to secretly turn your computer into a bot.
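The difference between a flood from one source and a distributed flood is easy to see in a server log, and it is the first thing a defender looks for. The added example below (my own illustration, not code from the post) keeps a sliding ten-second window over constructed request log lines and raises one alert when a single address exceeds a per-source limit, and a different alert when the total exceeds the overall limit while no single address stands out, which is the botnet pattern. The limits and the log lines are constructed for the example; real thresholds depend on the service's normal traffic.

```python
from collections import defaultdict, deque

WINDOW = 10.0          # seconds of history considered (assumed value)
PER_SOURCE_LIMIT = 20  # requests per window from one address before it is a flood (assumed)
TOTAL_LIMIT = 100      # requests per window overall before it is a distributed flood (assumed)


def build_sample_log():
    """Constructed log lines of the form 'timestamp source path', one request each."""
    lines = []
    t = 0.0
    # quiet baseline: five visitors, a request every two seconds
    for i in range(10):
        lines.append(f"{t:.2f} 192.0.2.{i % 5 + 1} /index.html")
        t += 2.0
    # single-source flood: one address hammering the search page
    for _ in range(40):
        lines.append(f"{t:.2f} 203.0.113.9 /search")
        t += 0.1
    t += 30.0  # quiet gap so the window empties
    # distributed flood: many addresses, each sending only one request
    for i in range(120):
        lines.append(f"{t:.2f} 198.51.100.{i + 1} /login")
        t += 0.05
    return lines


def detect_floods(lines, window=WINDOW, per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """Scan log lines in order; return a list of (timestamp, kind, detail) alerts."""
    recent = deque()                 # (ts, src) of every request still inside the window
    per_source = defaultdict(deque)  # timestamps per source still inside the window
    flagged = set()
    distributed_reported = False
    alerts = []
    for line in lines:
        ts_text, src, _path = line.split(" ", 2)
        ts = float(ts_text)
        recent.append((ts, src))
        per_source[src].append(ts)
        # expire entries that fell out of the window; the oldest global entry
        # is also the oldest entry of its own source, so both deques stay aligned
        while recent and ts - recent[0][0] > window:
            _old_ts, old_src = recent.popleft()
            per_source[old_src].popleft()
        if len(per_source[src]) > per_source_limit and src not in flagged:
            flagged.add(src)
            alerts.append((ts, "single-source flood", src))
        if len(recent) > total_limit and not distributed_reported:
            busiest = max(len(q) for q in per_source.values())
            if busiest <= per_source_limit:  # volume is high but no one address stands out
                distinct = len({s for _, s in recent})
                alerts.append((ts, "distributed flood", f"{distinct} sources"))
                distributed_reported = True
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_floods(build_sample_log()):
        print(f"t={ts:7.2f}  {kind}: {detail}")
```

The single-source case can be handled by blocking one address; the distributed case cannot, which is why the text calls it the most difficult kind and why providers absorb it with capacity and filtering rather than a blocklist.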

Even though Google and other services are effective, don’t become complacent. Automated phishing detection is good, not perfect.

I skimmed over the crop of phishes; they were not well-crafted, mostly warnings of overdue payments from vendors with whom we never deal and notices from online fax services we don’t use. They were riddled with poor grammar and unprofessional formatting. They used slight misspellings in the URLs, like jpmoryan for jpmorgan, to make it appear that links were to legitimate sources. I’d give you more examples, but I followed best practice and permanently deleted the bogosities before I thought of writing about them. Ah well.

If you discipline yourself to look at all incoming email carefully, most phishing attempts are easily weeded out. Look at any invitation to click on a link with suspicion. Check the URL by hovering over the link and looking at the text (usually at the lower left of your display) for anything that looks suspicious like a “.ru” or a misspelled name.
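The hover-and-look check can be written down as a small filter, which is what mail services do at scale. This added example (my own, not from the post or from Gmail) takes a link's real destination, extracts the domain, and flags the things the paragraph above tells you to look for: a domain within an edit or two of a known brand (jpmoryan versus jpmorgan), a brand name buried as a subdomain of some other domain, a plain http link, a ".ru" ending, and a displayed link text whose domain differs from where the link really goes. The brand list is constructed for the example, and the two-label domain split is a simplification that does not handle suffixes like co.uk.

```python
from urllib.parse import urlparse

KNOWN_BRANDS = ["jpmorgan.com", "paypal.com", "amazon.com", "google.com"]  # constructed list
SUSPICIOUS_TLDS = {"ru"}  # the post's example; extend for your own environment


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def assess_link(url, brands=KNOWN_BRANDS, max_distance=2):
    """Return (verdict, domain, reasons) for a link destination."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    if domain in brands:
        return "ok", domain, []
    reasons = []
    for brand in brands:
        brand_name = brand.split(".")[0]
        distance = levenshtein(domain.split(".")[0], brand_name)
        if 0 < distance <= max_distance:
            reasons.append(f"{domain} is {distance} edit(s) from {brand}")
        if brand in host:  # e.g. jpmorgan.com.login-verify.example
            reasons.append(f"{brand} appears as a subdomain of {domain}")
    if parsed.scheme != "https":
        reasons.append("not https")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append(f"ends in .{host.rsplit('.', 1)[-1]}")
    return ("suspicious" if reasons else "unknown"), domain, reasons


def displayed_host(text):
    """Host name a human reads in the link text, if the text looks like an address."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    return urlparse(text).hostname or ""


def link_text_mismatch(text, href):
    """True when the link text shows one domain but the link goes to another."""
    shown = registered_domain(displayed_host(text))
    actual = registered_domain(urlparse(href).hostname or "")
    return "." in shown and shown != actual


if __name__ == "__main__":
    for link in ["https://www.jpmorgan.com/", "https://secure.jpmoryan.com/login",
                 "http://jpmorgan.com.login-verify.ru/x"]:
        print(link, "->", assess_link(link))
    print(link_text_mismatch("https://www.jpmorgan.com/", "https://secure.jpmoryan.com/login"))
```

A hit from this filter is a reason to stop and verify through an independent channel, as the next paragraphs describe; a miss is not proof the link is safe, since a fresh domain that resembles no brand comes back "unknown".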

Email attachments, especially zip files, are often treacherous. Don’t open them unless you are very sure of the source. If you know how, start up an isolated virtual machine and open dicey attachments there. If you don’t know what the previous sentence meant, don’t open the attachment. Get competent help if you feel you must open it.

Ask yourself if the message is reasonable. A request from a vendor or service you don’t deal with, for example, is not reasonable. If you think the message might be legit, but you have doubts, pick up the telephone and call their customer service. Don’t use a phone number in the message. Get a number from an independent source, like a secure (https) website that you find using a standard search like Google or Bing. Straightforward caution and common sense carry the day.

Caution, with the help of services like Google’s, will protect you from most phishing, but may not protect you from “spear phishing.” Spear phishing is insidious and seldom automated. Spear phishers study their prey. They can get to information on your preferences and habits collected by advertising services and they can purchase stolen information from criminal sites on the dark web. Or they can look at your public Facebook page, reviews on Amazon, even the book lists that you post at your public library site, to gather details about you, then craft emails that are plausible and hard to detect. For example, a spear phish might take the guise of a letter from a friend suggesting a link about a book you put on your library shelf.

Who wouldn’t be taken in by a friendly gesture like that? Google might spot some discrepancy or a connection to their long list of dangerous sites, but the best spear phishermen strive to stay way ahead of the white hats.

Fortunately, the kind of spear phishing I just described takes far more time, effort, and skill than hackers are willing to expend on random targets. Generally, the criminals rely on sloppy automated scatter gun attacks that only work because they hope for a one in ten thousand catch. However, if you happen to be a high-profile target, like a public figure or a person of interest to a foreign government, and worth the hacker’s effort, you must be cautious indeed. I suggest looking into something like Google’s advanced security program. Benjamin Wittes has a podcast on Google security that you may find worth your time.

Password Hygiene 2018

A year ago, I wrote a short list of rules or suggestions for choosing and managing passwords. I reread it today. The advice is still good, but the urgency has increased, if that is possible. The unfortunate fact is that the criminals have not let up. Law enforcement is still often stymied by cybercriminal assaults. Some assaults are from places where cybercrime laws are lax. When a crime is committed from out-of-state or out-of-country, extradition is usually required, an expense that local law enforcement agencies often cannot afford. On top of all this, the criminals, both domestic and foreign, are getting better at their “art,” if you can call it that.

There is a bright side. The computing industry is taking security much more seriously in 2018 than they did ten years ago, even three years ago. The current arguments over election hacking, as disheartening as they are, have helped focus the spotlight on computer security. The industry has invested heavily in multi-factor and biometric authentication. Although I have reservations about biometric authentication, I’ve been using Windows 10 facial recognition authentication on my go-to tablet and I have found it convenient, although I still doubt that my device is well protected if I let it slip out of my hands. If I were a high-profile target with precious contents on my device, I would not rely on facial or fingerprint recognition to keep my contents safe.

The big news is the rise of multi-factor authentication, which I wrote about recently. Multi-factor authentication uses more than one kind of verification to authenticate the identity of a user. I will not equivocate: multi-factor authentication is always more secure than relying on a password alone. However, some forms of multi-factor are more secure than others. But multi-factor is always more trouble than simply entering a password or having your face scanned. If you are going to submit to the hassle, and I recommend you do submit when anything important is at stake, then why not choose the most secure alternative?

Verification via a token sent by email or a text message is substantially stronger than a password alone, but both email accounts and text messages are subject to hacking that is not that difficult. Use of an authentication application or a physical authentication key like YubiKey or Google Titan is much more difficult for hackers to circumvent. If I were a high-profile target, I would have a physical key.

Nevertheless, does multi-factor make good password hygiene obsolete? Absolutely not. An easily hacked password is an open door that makes the hacking life easier. And, unfortunately, some sites do not offer multi-factor authentication in any form, so password hygiene is still a necessity.

2018 password hygiene rules

  • Never use a password for more than one site or account. Some of the biggest security breaches in recent years were caused by password reuse.
  • To resist the temptation to reuse or to use easily crackable passwords, consider getting a password manager like LastPass to generate and manage long random passwords. Password managers are a single point of vulnerability. If your password manager is hacked, you are a slice of toast in a shower bath. However, a well-designed and maintained manager is much more secure than a badly managed set of weak passwords.
  • Longer passwords are better. The longer a password is, the harder it is to crack. A password 15 characters long is still hard to crack today. As computing hardware improves, longer passwords may be needed.
  • Mixing lowercase and uppercase letters, numbers, and symbols like !@#$ makes cracking harder, but not as much as increasing the length.
  • A long phrase is often strong and easy to remember, but common phrases, even common phrases obfuscated with tricks like replacing “s” with “$” or “o” (letter) with “0” (number), are relatively crackable. Skilled hackers know the tricks as well as you do. Start with a plain phrase that gets no hits on Google and go from there.
  • A long random sequence of mixed lower and upper case, numbers, and symbols is very hard to crack, but also hard to remember. A password manager mitigates this issue.
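The length-beats-complexity point and the leet-substitution point can both be checked with a few lines of arithmetic and a normalizer. This added example (mine, not from the post) computes the entropy of a password policy as length times log2 of the alphabet size, shows that 15 lowercase letters outscore 8 characters drawn from a full keyboard, generates random passwords with the secrets module the way a password manager would, and undoes the common “s”→“$”, “o”→“0” tricks before comparing against a small constructed list of common phrases, which is why those tricks buy so little. The crack-rate used for the time estimate is an assumed round number for illustration only.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase                                   # 26 symbols
FULL = string.ascii_letters + string.digits + "!@#$%^&*"        # 70 symbols

# Constructed list; a real checker would use a large breached-password corpus.
COMMON_PHRASES = {"password", "letmein", "iloveyou", "qwerty", "welcome"}

# Reverse the usual obfuscation substitutions so "P@$$w0rd" compares as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "l", "!": "i"})


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every possibility at an assumed guess rate (illustrative number)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def generate_password(length=20, alphabet=FULL):
    """Random password from a cryptographically secure source, as a manager would make it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count=5, sep=" "):
    """Random phrase from a word list; strength comes from the list size and word count."""
    return sep.join(secrets.choice(words) for _ in range(count))


def normalize(password):
    """Lowercase, undo leet substitutions and drop punctuation, as a cracker's rules would."""
    return "".join(ch for ch in password.lower().translate(LEET) if ch.isalnum())


def looks_like_common_phrase(password):
    """True when the password is a known phrase dressed up with substitutions."""
    return normalize(password) in COMMON_PHRASES


if __name__ == "__main__":
    for label, length, alphabet in [("8 chars, full keyboard", 8, FULL),
                                    ("15 chars, lowercase only", 15, LOWER),
                                    ("20 chars, full keyboard", 20, FULL)]:
        bits = entropy_bits(length, len(alphabet))
        print(f"{label:26s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print(generate_password(), looks_like_common_phrase("P@$$w0rd"))
```

The table this prints makes the rule concrete: every extra character multiplies the search space by the alphabet size, while widening the alphabet only adds a fraction of a bit per character, so the cheapest strength is length.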

A final word

Quantum computing threatens to blow encrypted passwords away completely. In theory, a quantum computer could crack any password in milliseconds. This danger is theoretical and a few years in the future, but real. An outlying possibility is quantum encryption that thwarts quantum decryption, but I am aware of nothing real yet. However, because I recognize the quantum threat, I continue to explore biometric solutions and emphasize multi-factor.

A final final word

Avoid sites that are sloppy or predatory in design and management. These places are like dark alleys in a bad neighborhood. If you must deal with these sites, be sure that the benefits are worth the risk and watch yourself. If you can’t recognize cyber danger, stay away. If you are subject to hubris over cyber threats, find a secret hole and crawl in it. You are in danger.

Two Factor Authentication

Two factor or multi-factor authentication makes computing more secure. You’ve probably seen it already and you will see more of it. I highly recommend it, with some caveats. I remain skeptical of biometric authentication. Facial, fingerprint, and retina recognition are all convenient, but they also have issues that are not ironed out yet. No matter how optimistic the sensor makers’ marketing, faces, prints, and retinas can’t be replaced when they are compromised, and there are reports of gruesome compromises. Multi-factor authentication adds extra steps to authentication, but there is no question that additional factors increase security.

What is multi-factor authentication?

As the name suggests, multi-factor authentication requires identity to be established in multiple ways. The user name and password authentication that has been used for decades uses a single piece of evidence to prove you are who you claim to be: knowledge of the correct password. Two-factor authentication adds another piece of evidence. The second piece of evidence could be a second password, but all passwords are vulnerable in the same ways, so it is better to use more than one kind of evidence.

Security specialists often talk about three types of evidence of authenticity: what you know, what you have, and what you are. A password is something you know that no one else does. A physical key is an object that only you have. Your fingerprints, your facial appearance, your retinal pattern, and your DNA are examples of something you are.

An example

Physical safes commonly use single factor authentication, sometimes multi-factor authentication. Most single factor safes have combination locks. To enter a single factor safe, you simply enter the correct sequence of numbers. If you write the sequence down, someone could find the paper; or someone could look over your shoulder and watch you dial the combination. Whoever finds the paper or watches you has access to the safe. Sneaking in is a challenge, but by no means impossible.

Bank vaults frequently have two combinations each known to a single bank officer. To open the vault, both officers must dial in their combination. One officer may be incautious or a fraudster, but the double combination prevents a single officer from getting in without a witness.

We have a safe in our home that requires both a combination and a key. I know the combination, but without the key, I can’t get in. If thieves were to successfully snatch the combination, they would still have to find the key. Often, even I can’t find the key, so they’ll have a job to get into our safe. In this way, our two-factor, key and combination safe is an annoyance, but more secure than a single-factor combination-only safe.

Multi-factor user authentication

Typical two-factor authentication uses a password and something else. One common method uses a text message sent to your phone containing a four- to eight-character token. After correctly entering your password, you must enter the token that is automatically sent to your phone when you enter the correct password. In other words, you must both know your password and have your phone to get into the account. Another variation is to email a token. In that case, you must both know your password and have access to your email account. These methods are harder for criminals to deal with than a simple password.

Flaws in message-based authentication

These methods are good, as long as access to your email account or phone is secure. However, email is just another account to secure, which would be better done with multi-factor authentication. To do that, you would have to have another secure email account. At a certain point, the complexity becomes unbearable.

Cellphone issues

The cellphone method also has problems with phone numbers and SIM cards. Phone numbers are assigned to SIM cards. Usually, when you buy a new phone, you move your SIM card, and your phone number, contacts, and other information move with you. However, the service providers can reassign phone numbers to a new SIM, say when your phone is lost or destroyed, or you get a new phone that is not compatible with your old SIM.

The ever considerate and conciliating providers can easily transfer your phone number to a new SIM. They hesitate to hassle a customer too much when numbers are reassigned and they do not press a requesting customer for too much identification and verification, which means that criminals with a handful of information can get your phone number transferred to their own phone. To make matters worse, cell carrier employees are not guaranteed to be honest: they might be bribed or they may be criminals themselves. As a result, criminals have found it fairly easy to get phone numbers reassigned without the owner’s consent.

Once your phone number has been transferred, the criminal can use it to gain access to your accounts, change passwords, run up bills, and drain your bank.

The cellular providers have not been forthcoming on how often this happens, but anecdotal evidence says the practice is on the rise. There are a few things to do to protect yourself. If your provider offers a PIN for changes to your account, take it. Most important, when your number is moved, you will get a notification on your phone and the phone will no longer work. Call your provider as quickly as you can when you get such a notice. Criminals can wreak havoc in minutes with a stolen phone number.

A stronger method

A better alternative is to use another authentication factor that does not depend on sending a token to you. This can take several forms, but they all involve a small application that runs on a device in your possession that produces tokens. When the application is set up, your authenticator and the application exchange information that syncs the application with the authenticator. One method provides tokens that change with the date and time. If you can’t supply the time-based token from the app that corresponds to your account, access is denied. Another implementation relies on a private key held on the device. An elegant implementation places the token generator in a USB device similar to a thumb drive. Plug the “key” in, authenticate, and the USB device supplies the correct token. These methods do not rely on communication after the initial setup. Neither WiFi nor a cellular connection to the key device is necessary.
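The time-based method works because the app and the site share one secret at setup and then both compute the same short code from that secret and the current 30-second time slot, so nothing needs to be sent to the phone afterwards. The added example below (my own code, not the post's and not Google Authenticator's source) implements that scheme as the public standards define it, HOTP (RFC 4226) and TOTP (RFC 6238): generating the shared secret, encoding it for enrolment the way authenticator apps expect, computing the code on the phone side, and verifying it on the site side with a one-step tolerance for clock drift. The RFC_SECRET is the published test key from those RFCs, used here only so the results can be checked against known values; the account label and issuer are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Published test secret from RFC 4226 / RFC 6238, used only to check the implementation.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time slot (phone side)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, code, at_time=None, step=30, window=1, digits=6):
    """Site side: accept the code for the current slot or `window` slots either side (clock drift)."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for candidate in range(counter - window, counter + window + 1):
        if candidate >= 0 and hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


def new_shared_secret():
    """Fresh 160-bit secret made at enrolment; stored by the site and handed to the app once."""
    return secrets.token_bytes(20)


def secret_to_base32(secret):
    """Base32 without padding, the form authenticator apps accept for manual entry."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text):
    """Inverse of secret_to_base32, restoring the padding base32 decoding requires."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def otpauth_uri(account, issuer, secret):
    """The enrolment URI that authenticator apps read from a QR code (placeholder names)."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_to_base32(secret)}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_shared_secret()                      # enrolment: site creates the secret
    print(otpauth_uri("user@example.com", "ExampleSite", secret))
    phone_copy = secret_from_base32(secret_to_base32(secret))  # app stores its own copy
    now = time.time()
    code = totp(phone_copy, now)                      # phone computes the code offline
    print("code:", code, "accepted:", verify_totp(secret, code, now))
```

Two things the code makes visible: the phone never talks to the site after enrolment, only clocks and the secret need to agree; and the whole scheme rests on that one secret, so the enrolment QR code or base32 string is as sensitive as a password and should not be kept in email or screenshots.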

I noted with approval in this article in the Washington Post, that the federal government will soon require two-factor authentication for administrators of all government web sites. The method chosen by the feds is better than relying upon calling or messaging the phone. They are using Google Authenticator, which runs on an Android or Apple phone.

These methods are more secure, but not all multi-factor sites accept tokens from all authenticator apps, so you may not be able to use your choice on all accounts.

There’s a podcast on Lawfare explaining Google’s approach to advanced security that is informative.