Six Rules For Online Security

It’s all a numbers game. Nothing will ever guarantee that you will never be victimized online, but following a fairly simple set of rules will drastically reduce the chances that you will be a victim.

Rule One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way that could have happened anywhere and required no computer skills or knowledge. For example, some clever hacker writes an email that looks like it came from your boss and asks you to send him the payroll list with usernames and bank account deposit numbers. Or someone claiming to be your favorite niece calls from Uzbekistan asking you to send a five-hundred-dollar Amazon gift card to her at a post office box in Tashkent because she’s in a jam. Or you get a phone call from Microsoft asking for your account password.

These and similar debacles have all resulted in substantial losses to the victims. Never be rushed. Take time to think it through. Find a way to verify that the request is real. Call your boss, your niece’s mother. Check with Microsoft’s published support number. Do the sensible thing.

Almost everyone knows not to respond to fabulous offers from Nigerian princes, but online criminals are clever, and they know how to play on your emotions and fears. Even the largest and most sophisticated online attacks start with social trickery.

Rule Two

Avoid dodgy websites. You know the sites I mean. The ones that appeal to base instincts or offer something too good to be true. Military super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Some of you remember the ads for spark plugs that triple your gas mileage in the back of men’s magazines, or the ads for miraculous youth-rejuvenating serums on after-hours television. Or x-ray vision glasses in comic books. In the old days, you sent in your money and got nothing in return.

Today, click on one of those kinds of websites and you are likely not just to waste your money but also to infect your computer with nasty malware that will hurt for months to come if the infection is not detected and removed.

Rule Three

Be careful with downloads and installs. Downloading and installing an app is a lot like surgery. When you start an install, you are a patient on the operating table whose life is in the hands of a surgeon. You are completely vulnerable. If your surgeon is a crook, your goose is cooked and laid out on the platter for carving.

Most developers honestly offer useful software and services, but the simplest and most effective way to compromise your computer, laptop, tablet, or phone is to get you to install an application that appears to entertain you or perform useful work, but also opens your device to exploitation.

To protect yourself, get your installs from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. An app that has been downloaded many times with tons of good reviews is more likely to be safe.

Before you install, check the reviews and the reputation of the developer online. Always download from secure (HTTPS) sites. Get your drivers directly from operating system and device manufacturer sites. Third-party comprehensive driver sites may be convenient, but the risks are higher.

Rule Four

Scan regularly for malware. There are many anti-malware tools available and almost all are quite effective when used properly. A computer virus is one technical category of the nasty stuff that can land on a computer; malware is the more general term. A tool that only scans for viruses is old school and ineffective.

Anti-malware tools are very competitive, and the malware landscape changes quickly. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans. Windows Defender, which is automatically installed and activated with Windows 10, is a good choice because it is updated regularly and scans automatically. It may not be the best on a given day, but it’s probably better than a competitor without the latest updates. If you prefer not to think much about malware scans, it is a good choice.

A note about Apple devices. Contrary to the marketing stories, they too are vulnerable to hacking. Regular, updated malware scans will help.

Rule Five

Keep your operating system and apps patched. Hackers are industrious devils, always on the prowl for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Malware scans spot and thwart attacks after they occur, but stopping the invaders before they get in is better. Automatic updates may seem like a hassle, but the benefits outweigh the annoyance. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that is happening less and less as the sources get better at patching, and a botched patch is far less damaging than a successful attack.

Rule Six

Use strong passwords. Password cracking has become much more sophisticated. Long (sixteen characters or more) random passwords are still very difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the most egregious breaches in recent years have been based on duplicated passwords.

When available, use multi-factor authentication (MFA) in addition to a password. MFA is much more difficult to hack into than even the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low. The strongest multi-factor systems use an app-generated token, like a 5 character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account, should always use multi-factor authentication.

If you follow these rules, I can’t guarantee that you will not suffer from an attack, but the chances that you will be a victim will be far less.

I’ve been brief in this post. If you need more information, I am available from 3pm-4pm the first and third Wednesdays of each month at the Ferndale Public Library, or you can read my book Personal Cybersecurity. It is available from the library, or you can buy it on Amazon here.

I gave a talk on these rules at the Whatcom County Library System North Fork Community Library on October 19, 2019. The fall colors were stunning. I’ll be giving the same talk at the Ferndale and Lynden Public Libraries in February and March. I’ll also be giving talks on online privacy at Ferndale and Lynden.

Reporting Cybercrime

This week I received the nastiest email I have ever personally received. For the sake of brevity, I will assume the spammer was male, although there was nothing in the spam that indicated the gender. He claimed to have infected my computer with malware and to have used my computer’s camera to record a compromising video of me. He threatened to send the video to my family and friends if I did not post him two thousand dollars in Bitcoin.

This was not mere spam (unsolicited commercial email). It was extortion. A felony in every state in the US. Spam is one thing, this is another.

To begin with, I knew that the video as described was impossible, the malware was unlikely, and a number of statements in the email were wrong.

First Response

My first reaction was to scan my computers for malware, just in case. I doubted that malware had been installed, but I am set up to run malware scans easily, so I did. I ran both Windows Defender and MalwareBytes scans on my two Surface tablets. Why I chose MalwareBytes and Windows Defender is a subject for another blog. I did not bother to run scans on my desktop and Linux machines—they have no video recording facilities. I let scheduled daily scans take care of them. My Android phone was not likely to have been involved in the threat, so I skipped scanning it, although I would have scanned it if I had the slightest suspicion that it might be infected.

Basic computer hygiene

The scans, as I expected, came up clean. If malware had been detected, the urgency of the situation would have increased. Why was I so sure my machines were not infected? Because I follow basic computer hygiene rules:

  • I don’t open questionable network links in emails.
  • I don’t open email attachments unless I am certain of their origin.
  • I don’t visit dodgy clickbait sites.
  • I don’t download anything until I am sure the source is legit.
  • My passwords are strong and not duplicated.

Follow those rules and you are unlikely to get malware. Scan regularly and you are even safer.

I did not feel threatened, but I was annoyed. I like technology and the computer networks, and I do everything I can to see that criminals who abuse computers are stopped.

Local law enforcement

Although I felt safe, I was not done. My next step was to call the local police. I knew calling was unlikely to get results because few local law enforcement agencies have staff trained for dealing with cybercrime. However, I have great respect for local law enforcement, in this case, the Ferndale Police Department. I checked the Police Department website for advice. They suggest calling 911 for any reason to speak with an officer. That’s not good advice everywhere. Some 911 dispatch units want only emergencies. But I called 911, saying upfront that it was not an emergency and explained what had happened. 911 was glad to take my call. We live in a nice place. A Ferndale police officer called me a short time later. He explained, as I expected, that there was little Ferndale or Whatcom County could do, but he mentioned the FBI. That was what I expected.

The FBI

I am familiar with the FBI IC3 site. The name stands for Internet Crime Complaint Center. It is a central clearinghouse for cybercrime reports. Most cybercrime crosses state and national boundaries. This is one reason state and local law enforcement are ineffectual against cybercrime. In my case, I had done some research and found clues pointing to Thailand as the origin for the email, although I am far from certain. Successfully detecting and prosecuting a foreign extortionist from a single email is unlikely, but these guys never make only one threat. I could tell from the email that it was a template that was sent to many potential victims. They do it over and over again, and each threat is a data point that the feds can use to triangulate on the criminal and eventually catch him and his gang.

Filling out the IC3 report took less than ten minutes.

When reporting email crime, the most important evidence is the email header. Users don’t ordinarily see full headers. Email is a “store and forward” relay system. The email you send does not hop directly from your computer to the computer of the recipient. Often, email goes through several computers (servers), each forwarding to the next until the email finds its way to a server that you connect with. Each of these hops is recorded in the email header. You can get to it from your email client, such as Outlook or Gmail. The exact method depends on the client, but look around for something that says “Show Detail” or “Full Header” or “Show original”. Click there and you will get something that looks like this:

Delivered-To: xxxxx@gmail.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzG1OlfaefurTjEEX80PMgA3k53DcELE8674Psd+hb9+Rb3Y1QsBpv2ljrzP3M5Xwk=
X-Received: by 2002:ab0:1d82:: with SMTP id l2mr15233348uak.120.1554710142365;
        Mon, 08 Apr 2019 00:55:42 (PDT)
Authentication-Results: mx.google.com;

And a lot of other similar stuff. I copied and pasted the full header and email into the IC3 form.

The FBI investigators can use the header information to identify the origin of the email, even though the criminal usually tries to hide it. Also make sure the body of the email is included. In my case, the criminal included a Bitcoin address. Although Bitcoin transfers are vaunted to be anonymous, some arrests are made based on Bitcoin information. Flaws in software implementations don’t always favor the crooks.
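To show what “each hop is recorded in the header” means in practice, here is an added example (not from the post) that reads the Received: lines out of a raw header and lists the relay chain oldest-first, which is the order an investigator reads it in. The header text is constructed for the example; the hostnames and addresses are placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample header (not the post's real email): three relay hops.
# Each server PREPENDS its own Received: line, so the top one is the newest
# and the bottom one is closest to the sender.
SAMPLE_HEADERS = """\
Delivered-To: victim@example.com
Received: from mx.example.com (mx.example.com [198.51.100.7])
        by mail.example.com with ESMTP id abc123;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
Received: from relay.example.net (relay.example.net [203.0.113.9])
        by mx.example.com with ESMTPS id def456;
        Mon, 8 Apr 2019 00:55:40 -0700 (PDT)
Received: from [192.0.2.55] (unknown [192.0.2.55])
        by relay.example.net with SMTP id ghi789;
        Mon, 8 Apr 2019 00:55:21 -0700 (PDT)
From: "Someone" <someone@example.net>
Subject: Constructed sample

"""


def received_hops(raw_headers):
    """Return the relay chain oldest-first as (from_host, by_host, date) tuples."""
    msg = message_from_string(raw_headers, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        # Header values may be folded across lines; collapse all whitespace.
        text = " ".join(str(value).split())
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        # The timestamp follows the last semicolon in a Received: clause.
        date = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append((from_m.group(1) if from_m else "",
                     by_m.group(1) if by_m else "", date))
    # Reverse so index 0 is the hop nearest the sender.
    return list(reversed(hops))


def origin_hop(raw_headers):
    """The earliest hop. Lines below the ones your own provider added can be
    forged by the sender, so treat this as a lead, not proof."""
    hops = received_hops(raw_headers)
    return hops[0] if hops else None
```

Only the Received: lines added by your own mail provider are trustworthy; everything earlier in the chain is what the sender’s side chose to write.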

What happens next?

What is likely to happen to my complaint? If mine is the only complaint against this guy, probably nothing. But if enough complaints come in, each complaint builds the profile of the criminal and eventually the pieces may fall into place and they will nab him. The US has an extradition treaty with Thailand, so the crook is not safe there.

A citizen’s duty

Most important, resources will never be allocated to crack down on cybercrime if citizens remain silent when crime occurs. That applies on every level. I wanted it on record with the Ferndale Police that this had occurred in Ferndale just as much as I wanted it on record with the FBI. Ferndale is a wonderful place with friendly people everywhere, but we are still vulnerable to these sleazoids and I want the FPD to know.

As citizens, we have a duty to our community to report crime when it occurs. Law enforcement can do nothing to prevent unreported crime.

If you have more questions about cybercrime, visit “Computers & Troubles” at the Ferndale Public Library from 3pm to 4pm the first and third Wednesday of every month and talk to me about it. I’m there to help you with all your computer problems. My grandson Chris usually is there to help. (We plan to take June, July, and August off. I hope the problems do also.)