Recently, I watched one of my favorite mini-series, Band of Brothers, which describes the (mostly) real exploits of the 101st Airborne Division during WWII. There’s a funny scene (and funny scenes were in short supply) in the film where during a training mission, one of the character’s pretended to be a general, yelling a command from behind a bush to to the officer in charge of the platoon. This particular officer, Captain Sobol, was distrusted by the men and his acting on the prank command helped undermine Sobol’s reputation with Command.
I thought about this episode, when I read the Krebs on Security post entitled Spoofing the Boss Turns Thieves a Tidy Profit. In this post, Brian Krebs describes an administrator by the name of Judy, who received an email from her boss to wire $315,000 to a supplier ASAP. Though she started the process, she was bothered by the “tone” of the email, went back and examined the message and determined that it wasn’t from her boss. It turns out that someone had created a domain name that was one character different from the company’s domain name. It looked OK, until examined more thoroughly. Fortunately, she was able to pull back the wire transfer, no harm, no foul.
In this case, the goal was a wire transfer. The more common reason is a phishing attempt. Periodically, I’m sure you’ve seen an email from a friend that says something like: “Check this out!” and gives a URL. You click on the URL contained within the bogus message and end up with malware on your computer. This is the way many of the major corporate security lapses begin, by someone acting on a bogus email message.
Vigilance and good policies can help reduce the impact of these false emails. Judy’s life would have been much easier if she’d called the sender to get verbal confirmation of the wire request. Many companies are adding verification steps to the process of issuing payment.
For the individual, always take a second look at every email that asks you to do something, particularly clicking a URL. Is the tone consistent with the sender? Is the sender’s email address correct? For an email from a “corporation” (e.g. American Express), is the URL correct? Frequently, it will look OK, but the underlying address itself is wrong … hover over the URL for the real address.
Finally, always enter URL addresses by hand. Do not activate them from the email.
Over the past few years, there have been a continuing barrage of calls from people claiming to be from Microsoft offering to “fix” the malware that they’ve detected on my and likely your computer. At my house, I’ve gone through periods where I’ve received several of these calls in a single evening. What’s unsettling is that the callers know your name and possibly other details about you, including your spouses name and home address.
Everyone who reads The Family HelpDesk missives know that these calls are fake and should ignore them, as the goal is to get onto your computer and using a variety of methods, find ways to separate you from your money. For details on this scam, see the Snopes article entitled: Microsoft Impersonation Scam.
Unfortunately, this scam has taken a dark turn. Reports are coming in that callers are now threatening people who don’t sign up for the service. I’ve heard (from a local police department) that at least one caller was threatened to be killed when she declined the service. Continue reading
Every once in a while, a warning will pop up that says something like:
The site does not have a security certificate that is trusted!
The site has an expired security certificate!
with the options to proceed to the site or back away. Many (most?) of us simply click through to the site, assuming this was caused by an administrative problem, which will not impact us. After all, we’ve been doing it forever and nothing bad has happened, right?
Unfortunately, this can be a bad decision, with ramifications that you might not understand for quite a while. Continue reading
By now you’ve likely heard about the sophisticated security breach at Anthem health insurance provider. It’s been reported that up to 80 million healthcare records, including social security numbers have been compromised.
What I didn’t realize until recently was the value to criminals of healthcare records. It turns out that healthcare records make it easier to perpetrate identity theft than other methods. What I don’t know is whether that’s because social security numbers are exposed or if there is other data that makes it easier. Regardless, healthcare records get significantly more money per record than credit card records, up to $80 per record. This makes the value of this crime up to $6B.
However, the purpose of this post is not the breach per se. Rather it’s about the phishing emails and phone calls that either the perpetrators or others are engaging in. They have sent out emails that look something like this:
They have also been actively phoning potential victims offering to “help”.
These are scams. Anthem is sending mail via the USPS to effected customers. That is the only method that Anthem is using to contact effected customers.
For more information on the breach and Anthem’s response, see their FAQ.
Periodically, I’ve collect enough varied topics for the Helpdesk that I need to clear them out. Since the groundhog has just seen his shadow in Punxsutawney, PA (the only true weather prognosticating groundhog), here’s my latest attempt to clean out the cobwebs:
Hackers steal over a billion passwords
This particular hack leverages the fact that folks use the same passwords for multiple sites and apps. The obvious, but hard to execute solution is to always use unique passwords. A 90% solution is to use a password manager. It’s a 90% solution because there are some cases where it doesn’t work as well, however for these cases you can use them to store an encrypted note with these passwords.
In October, I wrote a post entitled: Password Mangers — Worth it?
Apps to deauthenticate before decommissioning a device
Also, Lifehacker authored a really useful article on apps to deauthenticate prior to preparing the device for resale or recycling. I’ve written in the past about the steps to take prior to decommissioning a device or computer, from erasing old hard drives to preparing phones and tablets for resale or recycling.
What I haven’t written about nor really understood was how many app also need to be deauthenticated from the device or computer. Given the increased security being designed into apps and devices, you could find yourself without the rights to use the app without repurchasing the license or worse no license to your data (e.g., music, videos, etc).
How to clean your computers and devices
Continuing the Lifehacker string, they wrote an article on How to Properly Clean your Gadgets without Ruining them. This is a useful article that you might want to squirrel away for future reference.
One addition to their methods is that I keep a bottle of Monster iClean at the house, which comes with a microfibre cloth. When you need more than just a wipe down on screens, this product (or others similar to it) work very well.
How to break into your computer
For the most unsettling article that I’ve found, Lifehacker has a series of tutorials on how to break into your computer and how to shutdown the methods noted in the tutorials. Suffice it to say that having a password on the computer doesn’t prevent a knowledgeable and determined individual from being able to crack it.
The good news is that to do this, they would need access to the physical computer. The two best methods to lock your system down is to have long, difficult to brute force crack passwords and your main drive encrypted. The latter is crucial do prevent someone from mounting your drive from either another computer or a USB/CD booted OS to access the files. See my post Your technical New Years Resolutions for how to encrypt your whole drive on the Mac and Windows systems.
A couple notes on the Lifehacker tutorials:
- They were created before Truecrypt was discontinued. When the tutorials mention Truecrypt to encrypt your whole drive, use the method provided by Microsoft or Apple.
- They provide a method for brute force cracking passwords on a Windows machine. Though they don’t mention a similar method on Macs, don’t assume it can’t be done.
How to build a computer
When I was a kid, we loved to work on cars. A couple of my friends were into ham radio and built and maintained their ham components.
Computers have replaced this hands-on activity for many folks, young and old. A couple years ago I wrote about the Raspberry computer in Do you have a kid who likes to tinker with stuff? However, if you’d like to build a mainstream computer from scratch (or modify an existing one), check out Lifehacker’s How to Build a Computer, the Complete Guide.
Five things that Facebook asks for that is none of their business
Last month, Kim Komando wrote an article on these 5 things. It’s a short, but interesting read. The gist of the article is to take care about what you post to not inadvertently give away stuff that will help the bad guys.
That’s about it for this edition of Clearing out the Cobwebs. Stay safe and warm this winter.
It’s Sunday morning and I’m doing what many folks do on Sunday morning, reading the newspaper and other news sources. On CNET, I came across a remarkable milestone.
100 years ago today on January 25, 1915, the first transcontinental telephone call occurred in the US. Alexander Graham Bell asked from New York City: “Ahoy! Ahoy! Mr. Watson, are you there? Do you hear me?” and his associate Thomas Watson replied from San Francisco: “Yes, Mr. Bell, I hear you perfectly. Do you hear me well?”
The innovation that permitted this to work was the vacuum tube amplifier. Prior to the connection to San Francisco, there was a connection from New York City to Denver. To complete the wire to San Francisco, the signal needed to be amplified.
Later that day, the first commercial coast-to-coast call was made for $20 for 3 minutes or roughly $400 in today’s currency.
Though a century seems to be a very long time ago, it really is amazing the technological advances over the past 100+ years. When I was a kid, making a long distant call was a very big and very expensive proposition. Today, it’s just a call (or a text or an email).
For the past couple of months, I’ve been describing some of the experiences that I’ve had during my more than 30 years in the computer industry. I recently read the latest book by Walter Isaacson, who wrote the 2011 biography of Steve Jobs. This book is entitled: “The Innovators How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution.” The book’s basic thesis is that innovation is not really about the lone genius inventing in a garage. Rather it’s the collaboration among a variety of people with varying skill sets, dispositions and intelligence, along with the right environment that sparks innovation.
My first missive was about my early years in the business, focusing on my time with Arco and how I learned to engineer solutions. The second was about my experiences working for Sanders Associates in the defense industry. It was at Sanders that I developed my base expertise in operating system design.
This was the background for what was to become my front row seat to some of the technological advances described in Issacson’s book. More importantly, it was the most productive and enjoyable phase of my career.
In 1984, I started working for Digital Equipment Corporation (also, DEC and Digital) in a group working on DEC’s version of UNIX entitled Ultrix. In 1984, UNIX was an anathema to the company. Their flagship VAX-11 minicomputer with the VMS operating system, plus RSX-11 and TOPS-20 were mainstream and provided huge revenues to the company. When I joined, DEC had just released its first version of Ultrix, which was largely a repackaging of the Berkeley Distribution System (BSD) version 4.2 without any real additional DEC specific functionality. It was the perfect time to join the team. It was a small but passionate team that thoroughly enjoyed tilting at the mainstream windmills represented by VAX/VMS and the constellation of applications that supported and extended the VAX’s capability. Continue reading
In the late 90s, a new but virulent type of email chain was common. This was the Foiled Abduction” claim that swept through email inboxes. The message was something like this: “Be careful at <some retailer>. A man has taken a child, changed the child’s appearance in the bathroom and attempted to leave with the child.”
The popular term for this type of false assertion is urban legend, which is but one form of Internet rumor. This started a host of similar and usually very unsettling claims and rumors. Another famous one was the guy who woke up after a drinking binge in a tub of ice finding out he’s missing a kidney or other vital organ.
There are some common attributes of urban legend and other rumors:
- They seem plausible — When you read one, it really sounds true. Usually, there is some verification sentence like: “There was a news story on Timbuktu’s Channel 4 news that says …” or “The brother of my good friend had this happen to him.”
- They target a real fear — Every parent is concerned about their kids in a big-box store.
- The details are ambiguous — Once you grab someone’s attention, let them fill in the blanks
- There might be a thread of truth in the message — The best lies are ones that have some element that is true. Back to the child abduction: It’s very conceivable that someone attempted to abduct a child at a big box store at some point in time. Certainly, there have been other abductions of children in public spaces. Just not the one described.
- They almost always encourage passing the message on — Since the message can’t go viral without it being passed on in some fashion, there is usually an urgent plea (or threat) to encourage you to forward the message.
On CBS This Morning on Tuesday morning, there was a segment on how “easy” it is to fake someone’s fingerprint to gain access to a computer or device using fingerprint authentication. If you’re interested, you can find the segment here. In it, a security expert describes how he’s able to take a photograph of someone with their hands visible, crop a finger, blow the image up, print it, then create a fake fingerprint using glue. He claims to be able to use that to authenticate on an iPhone.
I know that security experts have been able to perform a similar trick with a fingerprint they captured from glass, but the twist here is that this guy claimed he was able to do it from a picture.
So, assuming it’s true, what does this mean? At this point, not a lot. Let’s see how this knowledge translates in the field. Generally, security is a cat-and-mouse game where vendors, enterprises and individuals continue to improve their security, while criminals and other “bad guys” continue to improve their penetration methods.
Biometrics, particularly fingerprints, have shown to be effective at authenticating individuals, with an extremely low error rate. They aren’t a panacea, but are certainly more effective than a 4 digit pin or weak password. It’s also a lot more convenient.
As 2014 closes, it occurs that it has been quite a year technologically for good and bad. Here are some thoughts as we move into 2015:
Malware, Breaches, Oh My!
As I predicted in last year’s New Year’s post, security and privacy has commanded center stage. The Sony attack is but one incident that has proven to be very disruptive. It goes to show that emails and other messages are not ephemeral. They lie in wait for discovery, either legal or illegal.
More importantly, the Sony breach is the clearest example yet of the tactical and strategic damage an enemy can inflict on our culture, infrastructure, government and way-of-life. Now I don’t know whether North Korea or a disgruntled ex-employee are responsible for the hack, but the impact was profound and far reaching, beyond just the employees and executives of Sony. This was a proof-case of how easy it is to disrupt us. In 2015, we will see more of this type of breach. Cyber-terrorism is a potent class of weaponry in the arsenal. Continue reading