Previously I wrote about the Elephant on the Internet, and lately it seems like we can’t stop blundering into the pachyderm that shall not be mentioned. Last week, Medium published a controversial article about a strangely mutated (but inexplicably popular) genre of kids videos on YouTube. For those of us hardened by years of work (and play) in the darkest and weirdest corners of the internet, the article wasn’t surprising, but it was definitely disturbing how bad things had become in this area. If you don’t mind wearing the mental equivalent of hip-waders, James Bridle’s article plays Rod Serling to this Twilight Zone-esque subgenre that evolved to exploit YouTube’s keyword and “Suggested Videos” algorithm. One of my “favorite” videos from this story is entitled, “BURIED ALIVE Outdoor Playground Finger Family Song Nursery Rhymes Animation Education Learning Video”. Rolls right off the tongue, eh?
What this means for you
A few years back, my wife and I made the sad (but not surprising) discovery that YouTube was not something that could be left in a child’s hands unsupervised. At the time, it had yet to grow the strange and mutated mushrooms that crowd the darker corners as described in Bridle’s article, but we encountered too many inappropriate “suggestions” from YouTube’s algorithms and came to the conclusion that (a) nobody was driving this particular bus, and (b) some people would do anything to make a buck, especially if they could do it by exploiting technology. In other words – not family friendly, and definitely not kid safe. A few years after that, Google announced YouTube Kids – a walled-garden subset of age-appropriate content that parents could trust to entertain their progeny, and we had a brief glimmer of hope that someone at Google noticed their space needed some adult supervision.
It’s no secret that children’s content is an evergreen but highly competitive industry. Prior to the internet, media companies would spend millions chasing short attention spans in the hopes of cashing in on an ephemeral merchandising craze, e.g. Cabbage Patch Kids, Tickle-me Elmo and Baby Einstein videos. Now, thanks to the popularity of crowd-generated content, YouTube is a top destination for Internet “Gold Rushers” with children’s videos a particularly profitable and exploitable “vein”. The problem is not with the creators of these freaky videos – capitalism and the Internet make for some strange, but predictable bedfellows. It’s that YouTube is yet another example of a system that has gotten away from its creators, and despite their attempts and promises to close yet another Pandora’s box, the sheer size and scale of the Internet continues to overwhelm and surprise the companies that laid the groundwork for its current dominance.
To sum up: it should come as no surprise that when the Internet gets ahold of something and everyone’s too busy watching the scenery to drive the bus, we can end up on the wrong side of town with no idea how to get back. Add YouTube to the crowd of monsters (Twitter, Facebook, Equifax, Wikileaks etc.) that have gotten away from their masters in service of agendas outside of their control.
Image courtesy of TAW4 at FreeDigitalPhotos.net
The technology gremlins are in beast-mode this week, and I haven’t had the time to pen a carefully thought-out blog post for you, but I did go back into our archives to dig out some treasures that I think are still relevant!
- Make Yourself Less Hackable (2012) – a few handy, still relevant tips on keeping ahead of the hackers
- Spear-Phishing Effectiveness on the Rise (2012) – Maybe not surprising, but tricking people with fake emails is still effective even now
- Stolen Laptop Equals $50k Fine (2013) – People are still walking around with laptops chock full of sensitive data
- Is your webcam spying on you? Maybe. (2013) – This is still happening, and now in higher-definition!
- Applebee’s demonstrates how NOT to do social media – Little did we know just how much influence Social Media would have.
Image courtesy of Stuart Miles at FreeDigitalPhotos.Net
It may not surprise regular readers to know that I don’t spend much time frequenting social media spaces despite working in the technology industry. Up until 2016, my primary beef with platforms like Facebook, Twitter and Instagram was a mix of privacy concerns and disdain for banal content that had to be sifted constantly for relevant information. When I participate, it’s with purpose and definitely clinical in nature. This approach seems even more justified now with recent reports of Facebook’s undue influence on last year’s elections, and it would seem that Americans aren’t the only ones getting tricked by fake news on Facebook, and in some cases, with much more dire consequences.
“But I needs my Facebook!”
Social media plays a critical role in the non-profit I support – our success in fundraising and spreading awareness comes largely through posting on Facebook. But as I have repeatedly said over many years, the Internet makes it increasingly difficult to separate fact from fiction, and it’s very clear that some folks are determined to exploit this ambiguity for anything but altruistic pursuits. The spread of fake news on Facebook is even more insidious primarily for its influence on the masses. Around the world, even more so than in the US, people have an overwhelming tendency to see the information pushed out on Facebook as “truth”, especially in nations where traditional media outlets are state-run or mistrusted, primarily because it often comes by way of a friend or relative, i.e. someone they trust. Where someone would be inclined to view a news piece from an established news agency with skepticism, that same story regurgitated by a friend or loved one would get a free pass on fact-checking.
It’s pretty clear that this is one Pandora’s box we won’t be able to close. Facebook and other internet companies are struggling to control the monsters they created – the double-edged sword of the Internet that facilitates the spread of information greases the skids for all information with zero regard for integrity or morality. As you may have guessed, the latter two traits require humans to judge, and as even the biggest internet companies are finding out, this is like a child standing in front of a fire hose. They are getting soaked and knocked down by a seemingly unstoppable force.
There is no easy fix for this, but if every human were to do two things, we might prevail against the liars and crooks seeking to exploit our naive trust in the Internet: view social media with a healthy dose of skepticism and approach all viewpoints with an open mind. Blindly accepting every Facebook post as truth is a one-way ticket to getting tricked.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite our hard work to keep our technology devices safe from malware, many of us underestimate a threat living right under our noses. Worse still, these threat vectors don’t even know they are potential harbingers of doom, so neither of you will see it coming until it’s too late. Yes, I’m talking about family & friends, and especially your children (if you have them). Unfortunately for everyone, malicious developers continue to hone their skills at conning our trusted friends and loved ones into compromising themselves, which will oftentimes result in everyone around them being put at significant security risk, just by nature of the trust we extend to this close circle. The most recent example of this is the discovery of 6 popular apps on the Google Play store that hide their malicious intent (to zombify your smartphone) behind the most innocuous and tempting lure, especially for kids: add-on eye candy for the popular mobile game Minecraft: Pocket Edition.
What’s a professional surrounded by loved ones to do?
Being safe doesn’t mean having to cut off everyone around you, but it may require you to pay attention to what they are doing with systems that you use or share with family and friends, such as home office computers, mobile devices, Wi-Fi networks, Netflix passwords, etc. I’ve seen numerous parents hand their phones over to their younger children as entertainment devices, often acquiescing to insistent demands to install this app or that app without much attention being paid to what is actually being installed. I’ve even seen this dynamic played out on home office computers and not just to appease little ones. Wi-Fi passwords are simplified and widely shared for convenience, with never a thought that you are handing the keys to your network kingdom to a device you know little to nothing about. It may seem a bit Scrooge-ish or even paranoid to some of your family, but if you are serious about security consider the following:
- If you work from home and use Wi-Fi, but you want to provide internet for your kids or guests, consider setting up a “Guest” Wi-Fi network just for them. Most modern day home firewalls and access points can do this easily. Even the cheap routers provided by ISPs can do this.
- If you have sensitive data on your phone or tablet (and who doesn’t at this point), don’t let others install apps on your device, and definitely don’t let your kids play with it without close supervision.
- If you have access to sensitive data on your home office computer, keep it strictly business and specifically for you. Set up a separate device for guests, family and especially children.
- Don’t share passwords for household internet services like Netflix unless they are unique. If you use that same password elsewhere, especially on important accounts, you are asking for a breach.
- Always treat emails or messages containing links and enthusiastic urging to “check this out” from friends and family with suspicion. Call and ask if they sent the message, and if they did, ask where they got the link from, followed by a friendly, “Oh by the way, your antivirus is up to date, right?”
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
DO NOT USE PUBLIC WIFI WHEN WORKING WITH SENSITIVE DATA
Websites and apps that talk over HTTPS, and any traffic you send through a VPN, stay encrypted end to end, so an attacker who breaks the Wi-Fi link encryption still can’t read them. What the attack does allow is for someone to latch onto your wireless connection and sniff everything that isn’t encrypted at a higher layer, which includes many mobile apps and ordinary websites that don’t use HTTPS. For much better security, wired networks are still superior and are completely unaffected by this particular flaw.
What limits the attack:
- This exploit has not yet been seen in the wild, and it does rely on the attacker being physically within Wi-Fi range of you to start the attack.
- Patches need to go on both sides. The attack is against the device joining the network rather than the network itself, so a patched phone or laptop is protected even on an unpatched access point, but patching only the access point does not protect the unpatched devices connecting to it.
Who is affected?
- Android 6.0 devices and newer, which are just about all current and previous generation phones and tablets.
- Any routers or firewalls with built-in WiFi
- Just about all consumer-grade WiFi access points
- Unpatched computers with WiFi capabilities
- Home automation devices that rely on WiFi for control (Nest thermostats, Ring doorbells, etc.)
- WiFi connected cameras
It may be days or even weeks before this vulnerability is patched on mobile devices, and in the case of some older phones and tablets, this vulnerability may never be patched if the manufacturer has abandoned support for that particular model. Windows 10, 8 and 7 have already been patched. Apple has a patch in beta right now for most of its late model devices and OS X, and most variants of Linux are already distributing patches for this hole. Firmware updates for higher-end, late-model routers and access points are likely to happen, but it will vary greatly by manufacturer and age of device, and it’s still too soon to tell when or if automation and security devices will be patched.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
I spend so much time looking at search results that I’ve learned how to effectively ignore the advertising surrounding them, but two recent client incidents have again reminded me that not everyone is savvy to the way that Google and several other search engines present their search results, and more importantly, how advertisements are displayed on the very same page, above the actual search results, giving them visual priority over actual, legitimate links. Depending on how harried or distracted you are at the moment, you might not notice that the first few items presented on the results page are actually ads, and this is where things can get nasty. One of my clients was having trouble with QuickBooks and typed this search into Google, “Quickbooks Payroll support”. Below is the actual page that comes up in Google with names and numbers blurred to protect us from being sued by the illegitimate advertiser (click for a larger view):
What’s going on here?
The first two links provided are advertisements, as indicated by the small “ad” icon on the second line of each entry. Easy to miss, especially if you are looking for a phone number (which my client was). Right next to the “ad” icon is the actual domain and URL of the entry. For the entry marked as “1” on my screenshot, the domain was for a company definitely NOT Intuit (the developer of QuickBooks), which would also provide a hint that this “search result” might not be what you think it is. The third entry marked as “2” in my screenshot is the actual link to Intuit’s support website, and (after several clicks) eventually will lead to a real phone number to call for support from Intuit.
My client called that first number at the top of the page and walked right into a classic scareware scam. The “technician” on the other end claimed to be QuickBooks support and promised to help my client with their issue, but they had to resolve numerous “errors” prior to doing so, and they would only perform this work if my client renewed their Intuit “support subscription”. The “tech” showed my client a “log” full of errors and then quoted them an outrageous price for a one-time “cleanup”. Smelling a rat, my client hung up on the scammer and called me. After a quick recounting, I was able to ascertain that they fell down this rabbit hole because the top link on the search results page isn’t Intuit, but an ad designed to trick the unwary into a costly mistake. Once I pointed out the tell-tale signs, my client soberly asked how many other people fall for this trick. Unfortunately, quite a few people get fooled by this scam, and it’s important to point out that buying an ad with that sort of ranking isn’t cheap, so clearly this tactic is paying off.
How do I avoid getting tricked?
Never forget that Google runs ads right next to its search results. Look for the visual clues that differentiate ads from actual search results – legitimate providers always identify their ads, but their means for doing so isn’t always obvious. Type the URL manually in a new browser window instead of clicking the link. There are numerous examples of domains deliberately registered and used that look like the website they are spoofing, including using Unicode characters from other alphabets to produce domain names that look like the real one but are in fact cleverly-designed counterfeit sites that will lead to further technology ruin. Always be suspicious if a vendor you are calling asks for payment information up front, and even more so if they immediately open with a screensharing invite. Another great way to tell if they are trying to con you is to offer to conference in your IT consultant (me, for example). Legitimate support providers will always agree to this, but scammers immediately make excuses or will try to discourage you from getting a second opinion as your IT person is “probably not qualified” or not good at their job (“otherwise how would so many errors/viruses/problems be on your computer?”) Another client of mine had someone she had called for printer repair ask for a screenshare session and credit card payment to resolve the issue, when all she wanted was help to remove some jammed paper in her printer. She too had been fooled by an advertisement masquerading as a support website for her printer’s manufacturer.
Stay vigilant, and always be careful when calling numbers you find in search results. At minimum, follow the link by manually typing in the listed URL to make sure it leads to your manufacturer’s website, and verify that it’s the legitimate site with a little exploring. Most counterfeit sites aren’t much deeper than a page or two before they try to lure you into giving up your data, so be wary of sites that seem small, broken or unfinished. The top search engines and many antivirus platforms (including Webroot used by C2) also keep track of counterfeit websites and will warn you if something seems suspicious. Keeping your eyes wide open and your brain on the defensive will help you avoid getting goosed by fake ads.
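As an added illustration (my code, not anything from the original post or from Google), here is a small Python check that applies those tests to a hostname copied from an ad or a search result: it converts the name to the Punycode (“xn--”) form a registrar and DNS resolver actually see, flags any label that mixes alphabets, and folds a handful of Cyrillic lookalikes to their Latin twins so a visually identical counterfeit compares unequal to the real domain. The sample hostnames, the expected domain intuit.com and the tiny confusables table are constructed for this example; a real implementation would use the full Unicode confusables data.

```python
import unicodedata

# Domain the user actually wants to reach (assumed target for this example).
EXPECTED = "intuit.com"

# Hand-picked Cyrillic letters that render like Latin ones. Constructed subset
# for this example; real checks use the full Unicode confusables table (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}
COMMON = set("0123456789-.")  # allowed in any label regardless of script


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def to_punycode(host):
    """The ASCII (xn--) form that registrars and DNS resolvers actually see."""
    return host.encode("idna").decode("ascii")


def scripts_used(label):
    """Set of scripts (first word of each character's Unicode name) in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch not in COMMON}


def skeleton(host):
    """Fold known lookalikes to Latin so a counterfeit compares against the real name."""
    folded = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess(host, expected=EXPECTED):
    """Return reasons the hostname is suspicious; an empty list means it is under `expected`."""
    host = host.strip().lower().rstrip(".")
    if under(host, expected):
        return []
    findings = []
    ascii_form = to_punycode(host)
    if ascii_form != host:
        findings.append("non-ASCII hostname; registrable form is " + ascii_form)
    for label in host.split("."):
        scripts = scripts_used(label)
        if len(scripts) > 1:
            findings.append("label %r mixes scripts %s" % (label, sorted(scripts)))
    if under(skeleton(host), expected):
        findings.append("looks identical to the expected domain but is a different string")
    elif expected.split(".")[0] in host:
        findings.append("contains the brand name but is not under the expected domain")
    if not findings:
        findings.append("different domain than expected")
    return findings


# Constructed sample hostnames: a real-looking subdomain, a Cyrillic lookalike
# (the second 'i' in intuit is U+0456) and a brand-squatting name. None are real sites.
SAMPLES = [
    "support.intuit.com",
    "quickbooks.intu\u0456t.com",
    "intuit-payroll-support.example",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", assess(name) or ["ok"])
```

The Punycode form is the most reliable tell: whatever the address bar renders, a domain whose registrable form starts with xn-- is not the ASCII brand name you typed, and the brand-name check catches the far more common case of an unrelated domain with the vendor’s name stuffed into it.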
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Yahoo has just announced that instead of one billion accounts being compromised in the 2013 security breach, all of its approximately three billion accounts were compromised in some form. In case you’ve lost track, the 2013 breach is different from the 2014 breach, in which “only” 500 million accounts were compromised. The press release from Verizon/Oath is predictably vague, stating that information stolen did not include passwords in the clear, banking information or payment card details, but did not detail what was stolen/exposed in the breach. The phrase “passwords in the clear” implies that hashed (scrambled, not directly reversible) passwords were stolen; Yahoo’s own earlier disclosure of the 2013 breach said they were hashed with MD5, a fast general-purpose hash that offers little resistance to offline guessing and has been considered unfit for password storage for years. Seeing as this was 4 years ago, it’s highly likely that any hashed passwords stolen have already been cracked.
What this means for you:
If you haven’t stopped using Yahoo as an email provider, it’s time to kick that email address to the curb, especially if you are using it for business. Yahoo has repeatedly demonstrated it’s not deserving of your trust or your data, so it’s time to stop using them. Period. Your second takeaway should be this: stop using the same password for everything, and definitely don’t resurrect old passwords thinking that there is no way someone could come across that password. I will guarantee you that despite the gigantic amount of leaked identity information out there, it has been amassed and cross-indexed. If you used a password on Yahoo, LinkedIn, Adobe, or any of the numerous other breaches that have occurred in the past 5 years, that password is in a database next to your email address, and it will be used against you, guaranteed, if it hasn’t already.
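To make the cross-indexing point concrete, here is a small Python example (added here, not from the original post) that does what a criminal holding two leaked dumps would do: crack the unsalted MD5 hashes once against a wordlist, then pivot the results by email address so reuse across sites falls out. The two “dumps”, the wordlist, the site names and the email addresses are all constructed for the example; no real credentials are involved.

```python
import hashlib

# Constructed wordlist for this example; real cracking wordlists hold millions of entries.
WORDLIST = ["123456", "password", "qwerty", "sunshine1", "letmein"]


def md5_hex(password):
    """Unsalted MD5 as a breached site might have stored it (not a recommendation)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sample_dumps():
    """Two fictional breach dumps keyed by site: {site: {email: md5hex}} (constructed data)."""
    return {
        "site-a": {
            "alice@example.com": md5_hex("sunshine1"),
            "bob@example.com": md5_hex("sunshine1"),
            "carol@example.com": md5_hex("letmein"),
        },
        "site-b": {
            "alice@example.com": md5_hex("sunshine1"),      # same password reused
            "bob@example.com": md5_hex("Tr0ub4dor&3"),      # not in the wordlist: survives this pass
        },
    }


def crack_unsalted(hashes, wordlist):
    """With no salt, each candidate is hashed once and matched against every account for free."""
    table = {md5_hex(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def cross_index(dumps, cracked):
    """Pivot the dumps to {email: {site: plaintext-or-None}} so reuse across sites is visible."""
    index = {}
    for site, accounts in dumps.items():
        for email, h in accounts.items():
            index.setdefault(email, {})[site] = cracked.get(h)
    return index


def reused_accounts(index):
    """Emails whose recovered password is identical on more than one site."""
    out = []
    for email, sites in sorted(index.items()):
        plaintexts = [p for p in sites.values() if p is not None]
        if len(plaintexts) > 1 and len(set(plaintexts)) == 1:
            out.append(email)
    return out


def hash_operations(n_accounts, n_candidates, salted):
    """Work to test every candidate against every account: a per-account salt multiplies it."""
    return n_candidates * (n_accounts if salted else 1)


if __name__ == "__main__":
    dumps = sample_dumps()
    all_hashes = {h for accounts in dumps.values() for h in accounts.values()}
    cracked = crack_unsalted(all_hashes, WORDLIST)
    index = cross_index(dumps, cracked)
    for email, sites in index.items():
        print(email, sites)
    print("reused across sites:", reused_accounts(index))
    print("hash ops, unsalted:", hash_operations(3, len(WORDLIST), salted=False),
          "salted:", hash_operations(3, len(WORDLIST), salted=True))
```

The hash_operations function is the whole argument for salting and slow hashes in two lines: against unsalted MD5 the attacker pays once per candidate no matter how many accounts are in the dump, whereas a per-account salt forces that cost per account, and a deliberately slow algorithm multiplies it again. None of that helps you if you reuse the password, which is why the cross-index, not the hash, is what gets people breached years later.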
Looking for a way to create memorable, but unique passwords? Try this site. My favorite setting is:
- Two words
- 4-8 characters each
- Alternating case lowerUPPER
- Surrounded by 2-digit numbers
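The link to the generator didn’t survive, but the four settings above describe the pattern completely, so here is an added Python implementation of that exact recipe (my code, not the site’s), with an entropy estimate: a 2-digit number, a lowercase word, an UPPERCASE word, another 2-digit number, both words 4–8 letters long and everything drawn with the secrets module rather than random. The 24-word list is a constructed stand-in; a real generator draws from thousands of words.

```python
import math
import re
import secrets

# Constructed stand-in word list (all 4-8 letters). A real generator uses thousands of words.
WORDS = [
    "apple", "river", "stone", "cloud", "maple", "tiger",
    "candle", "garden", "silver", "window", "rocket", "forest",
    "pencil", "harbor", "lantern", "meadow", "velvet", "copper",
    "orange", "planet", "thunder", "violet", "walnut", "yellow",
]

# Shape of the output: 2 digits, lowercase word, UPPERCASE word, 2 digits.
PATTERN = re.compile(r"^\d{2}[a-z]{4,8}[A-Z]{4,8}\d{2}$")


def eligible(words, shortest=4, longest=8):
    """Keep only alphabetic words within the requested length range."""
    return [w for w in words if w.isalpha() and shortest <= len(w) <= longest]


def generate(words=WORDS):
    """Two words, 4-8 letters each, alternating case lowerUPPER, surrounded by 2-digit numbers."""
    pool = eligible(words)
    if len(pool) < 2:
        raise ValueError("word list too small")
    first = secrets.choice(pool).lower()
    second = secrets.choice(pool).upper()
    lead = "%02d" % secrets.randbelow(100)     # 00..99, CSPRNG-backed
    trail = "%02d" % secrets.randbelow(100)
    return lead + first + second + trail


def entropy_bits(n_words):
    """Guessing entropy of the pattern: two independent word picks plus two 2-digit numbers.
    The case pattern is fixed, so it contributes nothing."""
    return 2 * math.log2(n_words) + 2 * math.log2(100)


if __name__ == "__main__":
    print(generate())
    print("bits with this list:", round(entropy_bits(len(eligible(WORDS))), 1))
    print("bits with a 7776-word list:", round(entropy_bits(7776), 1))
```

The caveat a practitioner would add: the lowerUPPER arrangement is a fixed rule, so it adds no entropy at all, and all of the strength comes from the size of the word list and the digits. With a 7,776-word list (the size of a standard diceware list) this pattern gives about 39 bits; with the 24-word stand-in above it gives only about 22, which is why the words must come from a large list and be chosen by the generator, not by you.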
If you are looking for a way to organize and use the many unique passwords you are creating, try one of these services:
In the days following the Equifax breach announcement I have been talking with many people – clients, family & friends – about what they should be doing to ensure they are prepared for a possibility of their identity being stolen. Across all these conversations one theme became readily apparent: none of the dozens of people I spoke with (myself included) knew much about how the credit agencies operated, despite being highly educated and seemingly well-versed in being both an adult and a working professional. Some of them even work in the finance industry and still had only a rudimentary grasp of the seriousness of the Equifax breach. During one particular conversation, I thoroughly dismayed a colleague by making them aware that with the information stolen in this breach, someone could file a false tax return under their name and that it would take the wronged party quite a bit of effort to undo this fraudulent act. Further alarm was caused by the revelation that this was done through the IRS’s own website, and that this form of identity theft has been around for years.
How many systems do we use that we have no idea how they operate or how to fix them if they break?
To further illustrate this point, key companies and institutions are being hacked, not just because hackers are clever and determined (they are), but also that we, the system users, often don’t understand how things work, and frequently don’t take the time to understand because: (a) it’s hard, and (b) it’s working, so why bother? When this happens, security takes a powder and criminals walk in the door. Case in point: big four firm Deloitte recently announced that it was breached earlier this year. Ironic? Yes, but even more so now that it seems the reason they were breached was because they themselves were lax on security principles presumably espoused by an organization hired to audit security.
Need another example of a big system in wide use but poorly understood, and clearly not secure? Facebook is poised to release data to Congress that illustrates how Russian operators leveraged Facebook’s own advertising engine to exploit the political divisiveness of American culture as well as the ample influence it exerts over the millions of US voters who have been repeatedly bamboozled by fake news and thinly veiled propaganda. Facebook itself has stated numerous times it doesn’t have a good solution to the problem, and even with the integrity of the US democracy at stake, it still doesn’t know the extent of Russian influence in its own advertising space.
What’s my point? There’s an elephant in the room, and in this case, on the internet. We are at the mercy of numerous systems that we have no chance of understanding, and yet we entrust our lives to them. To be fair, we have been doing this for decades: we drive cars we can’t repair, we fly in planes we have no chance of piloting, and we use devices very, very few of us could fix, even with the totality of Google at our fingertips. In advanced civilizations, this is expected and required for us to progress. What we cannot, and must not do is abrogate our responsibility to be at once skeptical and open minded about the things we don’t understand. Even if we can’t comprehend how a system works, we should seek to understand how that system impacts the things that are important to us, and take an active role in ensuring that system won’t harm you or the things you care about. If it seems like too many systems have gone off the rails because not enough people cared or understood them to foresee the danger, it might be because some people are actually starting to talk about the elephant on the internet.
Image courtesy of TAW4 at FreeDigitalPhotos.net
In case you thought the Equifax breach might be easing itself out of the limelight, news has arrived that is just pouring more fuel onto this raging dumpster fire. Reports are surfacing that the credit agency was breached earlier this year in March, possibly by the same hackers, which now puts extra spice on speculation that company executives who sold stock in the intervening months may have taken advantage of the insider knowledge. The beleaguered company also announced the “retirement” of its Chief Information Officer and Chief Security Officer (editorializing quotes are mine), presumably as sacrificial lambs, which also adds weight to the claim that perhaps security wasn’t being handled as well as it should.
While the lawsuits are piling up at the Equifax doorstep, Congress is also turning its admittedly distracted gaze on the circus, with the news that Republicans are floating two bills that would further deregulate companies like Equifax, gut the agencies that protect consumers from exploitation, and reduce damage awards from lawsuits. Democrats, for their part, have proposed legislation that will hopefully force Equifax (and presumably their competitors) to stop charging for freezing and unfreezing your credit history.
None of this is stopping any of the credit agencies from attempting to continue to profit from the breach, including Equifax itself. Popular credit monitoring service LifeLock has grudgingly admitted that it actually protects its customers partly through services purchased from Equifax as part of a 4-year contract it entered into with Equifax in 2016. LifeLock competitor LegalShield purchases its services from Experian. Essentially, these companies are paid to protect you from the results of data breaches of the companies whose services they use to provide that protection. This is hiring the wolf to herd the sheep.
On top of all this nonsense, the credit companies themselves continue to suffer from significantly degraded customer service – long hold times, dropped calls, misleading information – as millions of consumers attempt to freeze their credit. Notably, several clients have reported back to me and I myself experienced attempts to direct us away from freezing our credit towards “free” locking and monitoring services, both on the phone and via vague, misleading web pages. Rather than just taking our money for the freeze, the agencies still seem hell bent on the opposite. I wonder what they know that we don’t.
Don’t be deterred. Don’t give up. My advice to you is still for you to seek a full freeze on all three credit histories. Don’t let them sweet talk you or frustrate you into any other alternative. You can always go back and sign up for their “free” monitoring services after you get the freeze in place.
I’m pretty sure even if you were hiding under a rock in some remote corner of America you probably heard that credit reporting company Equifax was breached and confidential information on nearly 150 million Americans was stolen. Rather than handling it like an industry leader, they seem to have stumbled around like a tyro startup experiencing their first breach. Much criticism has been leveled at the company for its apparently hamfisted opportunism by first leading consumers to a site that is supposed to show whether your info was exposed in the breach (news flash: most likely it was), and then after confirming the bad news (a result that appears initially to have been random, though possibly corrected now), dropping you into the signup page for their free credit-monitoring service. Initially the legalese surrounding this process suggested that by signing up for their free service you would be waiving your right to sue Equifax, but after a heated backlash from the internet, Equifax clarified their language to exclude the breach incident from this arbitration clause:
Unfortunately, they still seem to be bumbling their way through this, with continuing reports of false positive results from their website, compulsory signups for the credit monitoring service, as well as a stony silence on why they took over a month to report the breach, why 3 executives sold off stock before the announcement, or why we should trust them to monitor our credit when they were the ones that lost our data in the first place.
What should I do now?
Cybercriminals have had your information for at least a month if not longer (from prior breaches), and with the amount of information now exposed (SSN, DOB, addresses, credit history) and capabilities of well-funded (and now well-armed) cybercrime organizations, the likelihood of your identity getting stolen is growing, but you still have to “win” the equivalent of an anti-lottery among 140M people. Because of the amount of publicity the Equifax breach is receiving and the gravity of the matter, there is a lot of information out there both good and misleading, and the seeming urgency of the situation leads to snap judgments and possibly poor choices. Overall, the current consensus on what to do next is to put a freeze on your account at the three major credit reporting companies: Equifax, Experian and TransUnion. This action is often poorly understood or explained, but Brian Krebs does a great job explaining what it is and why you should do it.
If you can’t get to their respective websites to initiate a credit freeze, here are the numbers you can call to initiate a credit freeze:
- TransUnion: 1-888-909-8872
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
Get a copy of your current credit report, if only for historical documentation and spotting new, unauthorized items that might appear later: Government-mandated Credit Reporting Website. In case you were wondering if this was legitimate, here are the sources:
If your identity gets stolen, or you suspect that a theft is in process, this page provides easy to understand steps on what to do next.
If you are civic-minded and believe that “something should be done about this mess”, you can use this page to send a message to your congress-critter.
As always, stay vigilant, even paranoid, in these less secure times. Be on the lookout for scams exploiting the FUD created by this breach, and NEVER give out your personal information to anyone who calls you directly unless (a) you contacted them first, and (b) you verify they are who they say they are and they are legitimate. There is never a better time to rely on the experts in the business, but you should work with people you trust. Don’t have a trusted lawyer, financial adviser or IT professional? Ask someone who you trust if they know someone, and then ask another person you trust for someone else. Don’t be afraid to ask for references, and in the case of licensed or certified professionals, it’s never rude to ask for credentials, especially if you can’t meet them in person. As you know, “On the internet, nobody knows that you’re a fake.”
Much thanks to this post on Reddit (Warning: very useful info interspersed with salty language)
Image courtesy of Miles Stuart on FreeDigitalPhotos.net