After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written, this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot-powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised, and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and relies on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catch-up to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I’ve been doing technology support long enough to tell you that many of the problems that people experience with computers are self-inflicted. I even have clients who truly believe they have a little black cloud hanging over them every time they sit down in front of a computer, and having witnessed their track records first-hand, I make sure to keep my tech poncho handy. It’s hard to deny empirical data that clearly indicates some folks might be better keeping their distance from expensive or important technology. Today, however, some of my tech-kryptonite clients can hold their heads high because…guess what?! In the case of a large number of computers built with Intel CPUs, the technology problems plaguing those PCs might have been the hardware and not them!
“I’ll need an old priest and a young priest.”
Unfortunately for Intel, exorcising this particular demon won’t be nearly so simple (or cinematic). The tech manufacturer most widely known for making CPUs used in just about every desktop computer, laptop and server on this planet has recently admitted that they created, manufactured and sold two entire generations of CPUs with a flaw that basically causes them to commit electrical seppuku by requesting more voltage than they can safely handle. Intel’s Raptor Lake 13th and 14th generation CPUs have been installed in PCs since late 2022 all the way through today, and no one’s quite sure how many PCs might be affected because it’s very difficult to determine if your repeated crashing is from a fried CPU or you are just one of my “stormy” tech friends.
After strongly denying this for several weeks, Intel finally came clean and admitted to the manufacturing defect, and after some prodding from the industry, also committed to extending warranties on retail CPUs (i.e., sold in boxes for installation into computers by system integrators, hobbyists and MSPs like yours truly) by 2 more years. And after a little more prodding from their biggest customers, extended that same 2-year grace to OEM computers as well – these would be the ones you buy from Dell, Lenovo, HP, etc. Additionally, Intel is prepping a firmware update for mid-August that will supposedly rectify this nasty bug, but sadly, the fix won’t do anything for CPUs that have already lobotomized themselves. For that, you’ll need to seek a warranty replacement. As someone who has gone through that particular process more times than should be allowed by the Geneva Conventions, make sure you get your “waiting boots” on and keep your favorite stress toy handy. The next few months are going to be a hoot. And by “hoot” I mean nothing at all resembling such a thing. Thanks, Intel.
The past few days I’ve been working with several clients who are in various stages of being compromised or having their online accounts attacked. The recent surge of activity is possibly related to the recent RockYou2024 “publication” wherein a file containing nearly 10 billion passwords was posted to a popular online hacking forum on July 4th. Analysis of the new file demonstrated that the bulk of the data is a compilation of other breaches, including the previous release of this compilation, RockYou2021, which contained over 8 billion passwords at the time. Regardless of whether it’s old or new, many people will continue to use old passwords across multiple accounts for years if they aren’t forced to change them, so it’s a good bet that a large majority of the information in this file is quite usable, adding significant firepower to any hacker’s arsenal.
Passwords alone aren’t safe enough
While I was working to restore some semblance of security to my clients, one of the things I noticed was that the various bank accounts they accessed via the web or their phone did not have multi-factor security enabled, nor were my clients aware that it wasn’t actually turned on, or even available to be enabled. I was always under the impression that banks were forcing this on everyone, as it was a constant struggle for many of my clients who are accountants or financial professionals, but for at least one of my clients, all four banking accounts did not have the full multi-factor security login process enabled. On top of this, it was a struggle sometimes to actually enable the multi-factor as each bank buries the settings in their gloriously bad interfaces, and the instructions to turn it on aren’t always clear. And if someone like ME struggles with enabling this type of security, imagine what your elderly parents might be facing. Do yourself a favor: if you don’t know for a fact that you have multi-factor enabled for your banking accounts, log in and check, or call the number on the back of your credit card or debit card to find out. You might be surprised at how unsecure you were.
Image by Manuela from Pixabay
One of the most appalling practices in the current world of online hacking and phishing is the constant attacks on our elderly friends and family because the attackers know they are easy targets. Unfortunately, I don’t see technology becoming any easier for anyone, especially the elderly, so if they are going to continue using technology for things like shopping, paying bills and handling various elements of their health and property, see if you can get them to abide by some simple but critical rules when they get into unfamiliar situations. This may mean more calls to you on trivial things, but if you are like me, I’d rather that than getting the, “I’ve been hacked,” call.
Rule Number One: “Never trust popups on your devices that warn you about something scary and ask you to call a number.” None of the legitimate malware protection software on the market will do this. This is nearly always a scam. If they get something like this on their computer, tell them to take a picture of it and then just power off the device, manually if it won’t shut down normally, and physically by unplugging the cord if that doesn’t seem to be working. These fake popups are meant to be frightening, disorienting and sometimes incredibly annoying. If the popup comes back after powering up their device (and it may, as many are designed to do just this) it may require some additional, technical expertise to get rid of it. For actual tech-savvy users, it’s a quick fix, but it may be hard to explain over the phone if the recipient is flustered or otherwise frightened. If you can’t go yourself, it may require a visit from a local technician.
Rule Number Two: “Don’t “google” the contact number or email for important services.” All of the popular search services offer ad results at the top of actual search results that are often hard to distinguish from the legitimate information you were seeking. Bad actors are paying for ads that pretend to provide support for various commonplace companies. They will answer the phone as that service, including pretending to be Microsoft, Amazon, Apple, or Google in order to trick callers into giving them access to their devices. If your loved one is fond of using the phone in this manner, provide them with a printed list of known-good numbers for their most used services like their banks, pharmacies, etc, as well as including lines like “FACEBOOK: NO NUMBER TO CALL-DO NOT TRY” as a reminder that certain services are never available via phone.
Rule Number Three: “Always call someone you trust about anything on which you are uncertain.” Our loved ones often will refuse to call us because they don’t want to be a bother. Frequent calls may seem like a nuisance, but they pale in comparison to the absolute disaster you will both have to handle if they get hacked. I’d rather have dozens of calls of “Is this OK?” than the single, “I may have done something bad.” Reinforce their caution with approval, and if you have the time, perhaps explore with the caller what clued them into making the call. If it boils down to them just applying the above 3 rules, then score one for the good guys!
Image by Fernando Arcos from Pixabay
It seems rare to find feel-good information about artificial intelligence lately, so when I spot it, I like to share it, especially when it has to compete for attention with discouraging stories where AI technology is enabling the spread of hate and misinformation. After a young woman in Rhode Island lost her voice due to a brain tumor removal, a team of doctors and ChatGPT-maker OpenAI were able to utilize a short voice recording to create a specialized app that allows her to speak again with an accurate recreation of her own voice.
Stop there if you want to keep feeling good.
Still reading? OK, I warned you. While I’m not going to go into details because I don’t want to give them any more publicity, there are plenty of other AI startups who aren’t focused on limiting their platforms to only medical applications where all parties involved are providing ongoing consent for the use of their voice. While I’m sure they claim their software can only be used in completely consensual situations, we’ve already seen spreading usage of deepfakes for political propaganda, extortion and reputation destruction.
Given the potential AI has, many companies may have started out with stars in their eyes for all the imagined possibilities the technology could enable, but once buyers with suitcases of money started showing up, ethics seem to be relegated to a secondary (or lower) concern, if it was ever a constraint in the first place. As always, money and politics complicate matters, and we humans are not known for approaching things cautiously, especially when being first to the prize means establishing dominance. It’s heartening to know that at least some folks are intent on developing genuinely helpful applications of AI technology, even if in the end, their efforts will most assuredly be monetized. Our hope here, like 3-D printing, is that the technology becomes so widespread that it levels the playing field for (most) everyone.
Image by bamenny from Pixabay
If there’s one thing I can state with certainty in 2024, technology is not getting easier. Just about every aspect of our lives, personal and professional, is getting automated, appified and otherwise “wired up” like we were living in a 90’s cyberpunk novel. Many aspects of those landscapes were eerily prescient (hello mega corporations), but there is one trope that you might not have considered yourself to be a part of: “hacking” your own technology to fix a problem or change an outcome. Let’s be clear, when I say “hacking” I’m referring to the more genteel, non-criminal activity of solving a technical need or problem via unconventional and/or creative methodology and materials. At a certain point, lots of people started using the term ironically (or in self-deprecation) when they managed to solve technical issues on their own, sometimes without even understanding how it was done.
Hang on, Neo. You don’t know Kung Fu yet.
Internet purists will lambast me if I don’t post the usual disclaimer, “In order to truly hack something, you need to have a full understanding of how that thing works.” In the day and age of YouTube videos on just about anything and everything, it’s possible to find an endless supply of “How to hack (a thing)” and a lot of them are quite good. But many of them are not, so how do you sort out the bad from the good? Well, you can either work for 30+ years as a technology consultant, or you can at least try to get some basics under your belt, at least as far as hacking personal technology is concerned. I’m only going to outline the topics – there isn’t enough space nor attention span to spell it out in full. Not all of these areas of study are compelling – some are hella boring, but these are things that I believe everyone should know at least a minimal amount about in order to be a competent, productive person.
- Know how your internet works – do you know the difference between a modem, router, firewall and access point? Wired and wireless? What’s an SSID? Do I have guest WiFi? How do I “reboot” my router? Is Bluetooth the same as WiFi? What’s bandwidth and why is it important (or not)?
- Know the parts of your computer and peripherals – is that a USB-C port or a Thunderbolt port? What’s a function key? Is that a power button or a reset button? Is my printer wireless or wired? What’s the difference between “sleep” and “shutdown”? How do I change my ink cartridge? Does my phone have a SIM card? Is there a warranty on my device? How would I go about getting it repaired?
- Know who provides your technology – what’s the brand or manufacturer of your smartphone? Model? Who provides your email? How do I contact technical support for this bit of software? Do you know who your internet provider is, and what they are supposed to be delivering to you for your monthly internet bill? Is this software free, or do I pay for it? Do I even own this software?
- Understand where your data “lives” – is it on your computer’s internal storage? How do you navigate your device’s internal storage to find things? Is your data in the cloud? Which cloud provider? How do you get access to that data from something that is not your computer or phone? Can you? Is your data backed up? Is it encrypted? Should it be? Who owns my social media posts? Is my private information searchable on the internet?
We are well past dismissing this type of knowledge as something only “nerds and geeks” need to know. Whether we like it or not, we should start thinking about this type of technology savvy on the same level of importance as understanding how road traffic works, managing personal finances and differentiating fact from fiction. Failure to grasp the basic concepts of technology will just add more struggle on top of the regular uphill battle we face every day.
Image by Bruno /Germany from Pixabay
Depending on how long you’ve been using computers, you may well remember a time when, “Have you tried turning off and back on,” was the first thing you heard when trying to troubleshoot any issue. In the 90’s and into the 00’s this was the go-to first step of tech support. And then we entered what some of you might call the golden age of business computing ushered in by Windows 7, somewhat tarnished by Windows 8, and then, with Windows 10, an era that even I can look back on as a bastion of stability when compared to what we have now.
What the heck happened?
Two words: Internet and Cybercrime. I know, I know, both of those things have been around for a lot longer than Windows 10 and even Windows 7, but up until maybe 2012 or 2013, technology companies like Symantec, McAfee and Microsoft had the upper hand in that war. In 2013, with the arrival of the widely successful CryptoLocker-powered attacks, criminals understood what sort of money was at stake and poured all of their resources into cybercrime infrastructure that has evolved into a never-ending escalating battle of security breaches, software updates and increasingly complicated security rituals. All the while, technology itself has permeated every facet of our lives, resulting in things that we would have considered absurd 10 years ago, such as doorbells that require a two-factor login. Everything requires a password because everything is connected to the internet, and because of the ongoing arms race in cybersecurity, everything around us is constantly being updated in this frantic race with no finish line anywhere in sight. Long story short: expect to reboot your devices frequently going forward. There was a time when I could say, “Hey, reboot your computer every other week and you will be fine.” Nowadays, that guidance is, “Reboot your computer at least every 3 days, if not daily.” Microsoft Windows is being updated weekly, as are the major office productivity apps like Office and Acrobat, and not all of their updates are well tested – resulting in more crashing and rebooting until someone notices and issues yet another update to fix the previous update. If it feels excessive, it’s because it is excessive, but for the moment, we don’t have much choice. Right now, cybercrime has the edge, and it’s running everyone ragged.
Long-time readers will notice that it is pretty rare for me to post good news to this blog. I’m sure good technology things happen every day, but we don’t get called when something is working properly, and the mainstream media usually don’t report on anything but bad news. Fortunately for us – because let’s face it, we are sorely in need of “W’s” in the fight against cybercrime – a prominent hacking group responsible for thousands of cyberattacks worldwide resulting in more than $120M in ransom payments has been dismantled by a joint law enforcement operation led by the UK and US. The action resulted in what they are calling a complete dismantling of the APT (advanced persistent threat) known as Lockbit.
What this means for you
On top of seizing control of nearly all of Lockbit’s operational assets, including 34 servers, 200 cryptocurrency accounts and arresting 2 Russian nationals, they actually converted Lockbit’s own dark website into a “reverse” leak site that touted the task force’s takedown of the APT as well as posting their own countdowns to when additional data on the Lockbit crew would be leaked to the internet, turning a commonly used cybercrime tactic back on the criminals. Before the site was “pwned” by authorities, it was used by Lockbit to publish a list of its victims and ransom countdown timers.
This was no small effort – it required coordination between 10 countries and at least three major law enforcement agencies. It will hopefully result in some of the victims being able to recover encrypted data and maybe discourage some portion of the cybercriminal element from continuing operations, but let’s be realistic – this APT was one head of a massive hydra, and the assets neutralized were a fraction of the compromised computers and accounts used as zombies or command and control servers across the globe. In the above-mentioned “Operation Cronos” action, 14,000 rogue accounts were shut down. For perspective, a cybercrime botnet was discovered in 2009 that was comprised of nearly two million computers. That number has likely been dwarfed many times over by now. It’s too early to declare victory by a long shot, but as the old proverb instructs, “How do you eat an elephant? One bite at a time.”
Image by Schäferle from Pixabay
In 2019 I wrote about the arrival of deep fakes and posited that it might take an election being stolen before anyone in the country takes it seriously. Welcome to 2024 where someone engineered a robocall in New Hampshire designed to suppress the vote in that state’s January 23rd primary elections. The call featured what appears to be an artificial intelligence-generated clone of President Biden’s voice telling callers that their votes mattered more in November than in today’s primary. To put a nice ironic cherry on top, the robocallers seemed to have spoofed a phone number from a Democrat PAC that supports Biden’s efforts in New Hampshire. Here is the actual release from the NH Department of Justice website that signals the official investigation, in case you are skeptical of the above website’s veracity.
What this means for you
I imagine that regardless of which side of the political spectrum you sit on, this presents a very scary future where we cannot trust our eyes or ears or practically anything on the internet at a time when truth and objective reasoning are crucial. The technology to do the above is readily available and accessible, and it seems a small but influential number of us cannot be trusted to act responsibly with powerful technology. If you are thinking, “well, let them duke it out in their political battles over there, I don’t need to worry about AI fakes affecting me,” let me spin a “fanciful” situation for you to consider. Let’s say you have a disgruntled ex-employee who is looking to strike back at you or your company and decides to use the above tool to fake a harassing phone call from someone in company leadership to someone else in your organization. Do I even have to tell you that this service is likely already on offer in questionable corners of the internet? What can you do?
Make your voice heard in the upcoming elections by voting for leaders that represent your values (which are hopefully based on lifting people up instead of pushing them down). How do you know who that might be? Time to step up and ask directly. Don’t rely on third parties to put words in their mouths. It’s time for direct accountability, for you, me and them.
Register to vote. Get out and vote.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net