Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.


Cyber attacks increasing ahead of US Midterms

Christopher Woo
Tuesday, 21 August 2018 / Published in Woo on Tech

Two separate reports have come in this week detailing the increasing tide of cyber attacks intending to sow politically-motivated disruption through the spread of misinformation and by targeting specific political organizations and government bodies. Microsoft was first to the gate with news that its Digital Crimes Unit (bet you didn’t know they had that!) executed a court order to disrupt new website domains that were targeting 2 well-known conservative think tanks, three that were intended to act as possible spoofs of legitimate Senate services, and one targeting Microsoft itself. In a similar vein, fellow tech titan Facebook scrubbed more than 600 accounts, pages and groups this month that were created by both Iranian and Russian actors to disseminate misinformation aimed at creating divisive influence on a wide variety of political issues both here in the US as well as Latin America, the UK and the Middle East.

What does this mean for you

In case you haven’t been picking up what I’ve been laying down for months, the most important thing for anyone to do in the face of increasing campaigns of purposeful misinformation and repeated bombardments of fake emails and impostor websites is to always have your critical thinking cap square on your head. If you are reading a news story that seems controversial, perhaps corroborate its contents by checking other sources, including ones that might not be aligned with your particular viewpoint. Received an email with an attachment that seems important, but you can’t quite remember if the sender is someone you actually worked with? It’s probably because you didn’t work with them and the attachment is a fake. Always err on the side of skepticism. The volume of information we are receiving on a daily basis is being used against us as camouflage and the only way to combat it is to be ever vigilant and never, ever skimp on security. That means check and double-check the source (news, emails, attachments, everything), and if still in doubt, call in a second opinion from someone you trust to give you another point of view. And always make sure your malware protection is intact, your passwords are unique and your data is backed up.

Image courtesy of Miles Stuart at FreeDigitalPhotos.net

The Elephant in the Voting Machine

Christopher Woo
Tuesday, 14 August 2018 / Published in Woo on Tech

Despite what you might think, the titular pachyderm of this week’s blog isn’t the GOP mascot, but that same elephant I’ve pointed out to you in the past. We, as a civilization, have put into place technologies that have significant impact on our lives seemingly without the requisite care and considerations for our own safety and security. We can now toss onto this rapidly growing pile of hubris one of the most important institutions of this century, if not the entirety of human history – the political election process via the digital voting machine. Over this past weekend at the 26th annual, infamous Defcon gathering in Las Vegas, attendees were invited to hack digital voting machines that are currently in use across the US. One machine, used in 18 states, was hacked in less than 2 minutes. In another demonstration, an 11-year-old hacked a replica of the Florida Secretary of State’s website and changed posted voting results within 10 minutes.

What this means for you

If there is one axiom you can count on to be always true, it’s that any technology built by humans will be flawed, and yet most of us still believe things that are “digital quality”, “machine-built”, “scientifically engineered” are infallible, flawless, or even perfect. Definitely better than humans are capable of, forgetting that while the particular device in your hands or conveying you across town wasn’t made by human hands, it was most certainly designed by humans. Election officials and equipment manufacturers were quick to point out that the situation presented at Defcon doesn’t represent “real-world” implementations of their technology, but the findings of Defcon should at the very minimum raise awareness that, on top of Russia actively and currently seeking to interfere with our elections, we might be our own worst enemies, blindly trusting that technology, implemented by humans, would operate flawlessly and will be impenetrable. If there is anything I know after working for nearly 30 years with technology, there is no such thing as a perfect implementation, or bullet-proof security. If you happen to vote in a state that utilizes digital voting technology, make sure you understand what you can expect in terms of receipts or paper trails. Also understand that all states utilize some form of technology to count ballots, but not all states use technology in the act of voting. In California, some districts do have actual digital voting machines that can provide a paper record of your votes which you should absolutely retain just in case.


Sextortion Scam Making the Rounds

Christopher Woo
Tuesday, 07 August 2018 / Published in Woo on Tech

Scareware isn’t a new trend – we’ve been seeing fake “FBI warnings” on our computer screens long enough that even the most technology naive among us knows not to pay their “online fine”, and the crime of extortion has been around as long as humanity has used currency. Unfortunately for all of us, cybercriminals have put a new twist on the scareware scam in what the media is dubbing “Sextortion”. The scam is as lurid as it sounds, basically tricking victims into believing their “not safe for work” (NSFW) online browsing habits are about to be exposed to their friends, colleagues and family unless a bitcoin amount is paid to keep the naughtiness under wraps.

The “gross” anatomy of this scam

Like others of its ilk, this is a straight-up scam, but the method used can produce a hair-raising response through the application of a diabolically clever trick: the scammer uses information found online to produce the illusion that they can “see you” and “know what you are doing” when in fact you are just the recipient of a mail-merge template. The trick is simple: they are pulling email and password pairs from any one of numerous illicit databases that are lurking in the dark corners of the internet, and then plugging that information into a template and mass spamming emails in the hopes that a small percentage actually fall for the con and pay the extortion fee. What’s different about this latest effort is the relatively sophisticated language and diction used which gives the appearance of someone who might actually be capable of the things they allege in the email. The terminology and activities described are written to target individuals who have used their device to look at porn on the web (which many people do, no surprise there), and when paired with the shock of seeing a familiar password right there on the subject line, many reflexively reach for their wallets.

A colleague also shared with me that the scammers are actually sending this same extortion note via actual mail, perhaps thinking that if their potential victim sees the threat printed in black and white on something they can hold in their hands it will have more weight. And it does, but only for the extortionist as now they’ve committed a federal felony.

Either way, don’t fall for this scam, and don’t let your friends, family and colleagues fall for it as well. Share this story, if only to ease the conscience of someone who may be secretly worried about their privacy. They should be, but not over this sorry piece of flim-flammery. For real reasons why they should be worrying about privacy, check these stories out.
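The signals described above (a previously breached password in the subject line, a bitcoin payment demand, and threats of exposure) can be turned into a simple mail-triage check. This is an added example, not code from the original post; the threat vocabulary, the sample messages, the sample address and the idea of keeping SHA-256 hashes of a user's already-breached passwords are all assumptions made for illustration.

```python
import hashlib
import re
from email import message_from_string

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy (Base58Check) addresses; bech32 addresses are not covered.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Constructed vocabulary (an assumption; tune it for your own mail flow).
THREAT_TERMS = ("webcam", "recorded", "your contacts", "friends", "family")


def _dsha(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_btc_address(text):
    """True only for a 25-byte Base58Check string whose checksum verifies."""
    n = 0
    for ch in text:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _dsha(raw[:21])[:4] == raw[21:]


def make_sample_address(corrupt=False):
    """Constructed demo address: version byte 0x00 plus 20 filler bytes."""
    payload = b"\x00" + b"\x11" * 20
    check = bytearray(_dsha(payload)[:4])
    if corrupt:
        check[0] ^= 0xFF  # guaranteed checksum mismatch
    return b58encode(payload + bytes(check))


def score_message(raw_message, breached_pw_sha256=frozenset()):
    """Return the individual signals and an overall verdict for one message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    lowered = body.lower()
    signals = {
        "valid_btc_address": any(is_btc_address(a) for a in ADDR_RE.findall(body)),
        "threat_language": sum(t in lowered for t in THREAT_TERMS) >= 2,
        "breached_password_in_subject": any(
            hashlib.sha256(tok.encode()).hexdigest() in breached_pw_sha256
            for tok in subject.split()),
    }
    signals["likely_sextortion"] = signals["valid_btc_address"] and (
        signals["threat_language"] or signals["breached_password_in_subject"])
    return signals


# Constructed sample data, not taken from any real message.
SAMPLE_BREACHED = {hashlib.sha256(b"hunter2-constructed").hexdigest()}
SAMPLE_SCAM = (
    "From: stranger@example.invalid\nTo: user@example.invalid\n"
    "Subject: hunter2-constructed\n\n"
    "I recorded you through your webcam. Pay or it goes to your friends\n"
    "and family: " + make_sample_address() + "\n"
)
SAMPLE_BENIGN = (
    "From: news@example.invalid\nTo: user@example.invalid\n"
    "Subject: Weekly newsletter\n\n"
    "Share this with friends and family. Reference: "
    + make_sample_address(corrupt=True) + "\n"
)

if __name__ == "__main__":
    print(score_message(SAMPLE_SCAM, SAMPLE_BREACHED))
    print(score_message(SAMPLE_BENIGN, SAMPLE_BREACHED))
```

The benign sample uses the same family-and-friends wording and contains an address-shaped string, but is not flagged because the checksum fails; requiring a verifiable payment address is what keeps the false-positive rate down.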

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Facial Recognition – Ready for law enforcement?

Christopher Woo
Monday, 30 July 2018 / Published in Woo on Tech

Even though most of us know Amazon as the world’s largest drain on everyone’s wallet, they do quite a bit more not generally visible to their adoring public, including developing a now-controversial face recognition platform called “Rekognition” intended for use by law enforcement agencies. “Controversial” because of a recent report released by the American Civil Liberties Union (ACLU) wherein they used Rekognition to compare the photos of members of Congress against a database of 25000 mugshots. The result: 28 Congress-critters incorrectly identified as criminals. Regardless of your opinion of their actual work in the capitol, this should raise eyebrows and hard questions from everyone, including the public servants falsely tagged in the ACLU’s “field test.”

What this means for you

Aside from a few well-known early adopters like Washington County and Orlando law enforcement, Amazon refuses to divulge which law enforcement agencies are using their technology, let alone which ones might be considering it for near or far term deployment. If you thought this technology was more science fiction than fact, consider this story which surfaced in March of Chinese law enforcement using glasses with built-in facial recognition in real-life security situations. Also consider that smart phones have been using face recognition for several years now, with countless reports of ease of spoofing the authentication method, as well as the same technology failing because of things like back-lighting (a client of mine, this weekend!), different hair styles or a 5-o’clock shadow.

Government officials, just like us regular consumers, are easily lured by shiny technology, but, just like us (because they are us), they are just as flummoxed when the technology doesn’t work as advertised. Unlike us, their ill-informed purchasing decisions can affect countless more lives, so it behooves us to urge our congress people to put technologies like Rekognition to a higher level of scrutiny and base their decisions on more than Hollywood-esque techno dreams dressed in photogenic eye wear. Will face recognition become a part of law enforcement? Without a doubt, but I’m not sure it’s ready for its close-up just yet, Mr. DeMille.

Russia Hacked US Power Utilities

Christopher Woo
Tuesday, 24 July 2018 / Published in Woo on Tech

We’ve known since at least 2013 that American utility companies are under constant cyber attack, but at the time I wrote that blog four years ago, lawmakers and the industry believed that their security was sufficient to withstand the incursions. Welcome to 2018, where everything is getting hacked, including, yes, American power utilities. According to recent disclosures from the Department of Homeland Security and reported through the Wall Street Journal, highly organized hacker teams backed by Russia have compromised the security of “hundreds” of utility companies, to the point of being able to cause actual interruptions in power flow.

What this means for you

Far from the Hollywood vision of suave, athletic spies dangling from wires over laser grid alarms, the majority of the reported hacks were achieved through the most mundane of attack vectors: email phishing and watering-hole websites that trick users into typing in their credentials for what they believe are legitimate access requests. The hackers targeted smaller vendors and service companies attached to the larger utilities, taking advantage of their typically smaller cybersecurity budgets as well as their proximity to the actual target. Once they had compromised the security of the vendors that serviced the targeted utility, they were able to become a wolf in sheep’s clothing, and from there easily penetrate the relaxed perimeter.

While this is a gross simplification of a highly involved and concentrated effort that spanned years of work, it should again highlight the obvious weak-point in cybersecurity: people. Unfortunately, increasing security precautions have acclimated everyone to entering passwords every time our devices pop up a dialog box asking for one. Even those of us with training are hard pressed to carefully assess every authentication request. Until technology provides us with a better way to authenticate, passwords will continue to be a glaring weakness in security. Every time your device asks for a password, take a few seconds to assess if the password request is expected and, more importantly, properly formed. The latter does take some training, but as long as you are properly paranoid, that is a huge step in the right direction. The worst that could happen from canceling out of an unexpected password prompt is a few more minutes delay in getting to whatever information you were trying to access. Unless you are in a life-or-death situation, that delay could save you from a future blackout.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Happy Internet Failure Day

Christopher Woo
Tuesday, 17 July 2018 / Published in Woo on Tech

It’s easy to be snide from my blogging armchair – it’s one of the many questionable things that the internet has made possible. It also enabled the existence of two of the largest companies in the world, Amazon and Google, which makes it all the more ironic, amusing and somewhat disheartening that these same companies are at the capricious mercy of the very thing on which they are founded. While Google doesn’t often suffer from outages, when they do, as they did today for about an hour, it’s hard not to notice. And when internet retail giant Amazon has severe, widespread outages the prior day during the first hour of their much vaunted “Prime Day”, it makes you wonder if there is any hope for everyone else, especially seeing as Amazon owns the world’s largest cloud computing network that is designed explicitly to stave off outages like the one they experienced.

What this means for you

Neither company has shared any technical details on the outages or their cause. Even if they did, it’s unlikely that anyone but a select, geeky few would truly understand and be able to apply any technical lessons learned. However, as most of you who have worked with technology in your business have grown innately to expect, technology will fail you at the least opportune, most damaging time possible, and the only way to counter this certainty is to plan for that failure. How would one go about reasonably planning for technology failure given how utterly pervasive and unpredictable it is? Start by evaluating what elements of your business or operations are critical – not for success – but for continued operation.

  1. What technology things (data, devices, platforms, services, etc.), if you did not have, would cause serious problems for your business?
  2. Of the items identified in #1, which of them are truly irreplaceable? E.g., customer sales data, email conversations, custom-built software. Keep in mind that some data can be recreated, but it may not be valued the same as the original.
  3. How long could you operate without them before their absence becomes permanently damaging?

Most everything you’ve identified in the above can probably be hardened, copied, backed-up, cloned or retired/replaced by something less vulnerable, and the most valuable things, like data, are often the easiest and least expensive to secure against disaster, but only if you actually take the step to back it up. Other things, like lack of internet, can also be worked around, but only if you have a plan and know how and when to execute it when your less-than-Prime Day arrives.

Doubt no more – the “Internet” knows who you are

Christopher Woo
Tuesday, 10 July 2018 / Published in Woo on Tech

For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.

Perhaps we’ve been doing this wrong.

People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.

If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.

Get out and vote.


Triple-threat security combo coming to your devices soon?

Christopher Woo
Tuesday, 26 June 2018 / Published in Woo on Tech

I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.

What this means for you

Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.

I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers which can help to stop advertisers from snooping your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions, that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fall back to another browser. Fortunately all three can safely co-exist, so it’s worth giving it a spin.

Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.


Maybe they shouldn’t have called it “Echo”

Christopher Woo
Tuesday, 19 June 2018 / Published in Woo on Tech

A lot of my friends and colleagues are always surprised that I don’t have more gadgets around my house, especially items like Amazon’s Alexa or Google Home, seeing as I am a long-time customer of both mega-companies and utilize many of their services on a daily basis. Those of you who have been paying attention know that I’m pretty keen on privacy, and have also seen me write on the topic time and time again, mostly because companies like the aforementioned sometimes have trouble respecting our right to privacy. It’s not that I have something to hide, it’s that I am very specific about what I want to share, and that does not include sharing private family conversations with a work acquaintance, which seems to be what happened to a Seattle couple via their Amazon Echo device.

Entre nous becomes menage a trois

What many fail to truly understand is that in order for any voice-activated device to work, it must always be listening to everyone nearby, waiting for its moment to shine. In the case of the incident mentioned above, the Echo device thought it heard its vocal trigger, “Alexa” (or something phonetically similar), woke up, and heard another trigger, “Send a message,” which caused it to start recording what it thought was a legitimate message, which it then dutifully sent on to the unintended recipient. The couple had no idea their conversation was recorded and were only clued in when the unintentional eavesdropper called them to warn them about the incident.

How many times has your phone (iPhone or Android) self-activated because it thought it heard its vocal cue? Mine does this about 2-3 times a month, mainly because it hears (or thinks it hears) me saying “OK” and “Google” all the time, when in fact, I’m just having a conversation with someone nearby. It’s even self-activated because of audio from a podcast or song, which is really weird and creepy sometimes. Hackers have demonstrated the ability to completely compromise late model devices, and it’s a known intelligence exploit to compromise surveillance subject phones explicitly for the purposes of turning on the microphone as the ultimate audio bug. We carry these devices everywhere, and now they are in our most private spaces. It’s just you and me, and the internet now.


The Ultimate Personally Identifiable Info

Christopher Woo
Tuesday, 12 June 2018 / Published in Woo on Tech

What scant regulation we have as a country that protects our personal privacy is mostly built around the concept of “Personally Identifiable Information” which, according to Wikipedia, is “…information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.” If you think of PII at all (most of us don’t as a rule, which is part of the problem) you may enumerate bits like date of birth, social security number, mother’s maiden name, street address, phone number, etc. While those definitely qualify as PII, there is a ton of other information that falls into this category that the average person wouldn’t necessarily consider sensitive, such as a Twitter or Instagram account name, that without context, seems harmless. Thanks to the internet and data aggregation, everything can be connected, and now that pretty much all of our information is stored digitally, more readily stolen. A recent breach of DNA-testing firm MyHeritage put us one step closer to a dystopian future where the security and privacy of our own genetics will be at risk.

What this means for you

Fortunately for its 92 million customers, their DNA information wasn’t stolen, just encrypted emails and passwords. One could ask what sort of world we are living in that this constitutes (relatively) good news, but in the face of the massive Equifax debacle with zero consequences for any of the culpable, it seems that having your account and password stolen from yet another online service provider is now counting as the new normal. As horrifying as that is to consider, consider the nightmare scenario where not only are your DNA test results available somewhere on the internet, an insurance or mortgage company has bought this info and is using it in their underwriting process to evaluate your qualifications. It doesn’t matter that the information was originally acquired illegally or without your consent, there are no laws or regulations currently on the books that govern the use of genetic data, and judging from recent legislation coming out of Congress there is currently little interest in protecting the average citizen from anything, let alone an issue over which most Congress critters have an incomplete grasp. What’s to be done? Definitely don’t stop being outraged at yet another massive data breach that will largely go unnoticed by everyone. Make sure you understand where your government representatives stand on data privacy, and if it doesn’t match your standards, demonstrate your disapproval with your voting hand.
