If you didn’t get your fill of scares this past Halloween, sit down and read this article about password security from Matt Honan, the Wired Magazine writer whose digital life was destroyed in minutes this past summer by teenage hackers. If you only read one article this year, it should be this one, but in case you don’t (or can’t or won’t), I’ll sum up its most important points:
- We are sacrificing privacy and security for convenience.
- Passwords (even long, hard to guess ones) are no longer viable.
- The technology industry hasn’t been able to come up with a better solution to this problem.
What this means for you:
Again, if there is one article you should read this year, especially as you gear up to get your online shopping done this upcoming Black Friday, it’s this one! You’ve heard me list the precautions and practices you should be following to better secure your online information, but Matt explains in easy-to-understand, non-technical terms why folks like me are growing increasingly concerned, and in some cases frightened. We, as a civilization, have hit a critical point in our history. If we don’t make some careful choices and some necessary changes to how we use computers, we are heading down a road of security ruin that could affect anyone who relies on technology for a critical part of their life.
Until better solutions to the password problem arrive, there are some things you can do:
- Don’t use the same login and password for multiple sites.
- If it’s available, use 2-factor authentication to secure accounts, especially email.
- Don’t use easy to guess passwords. Use really hard ones for your most important accounts.
- Use a dedicated email account, with a hard-to-guess address, for password resets, separate from your main email account. Gmail is a good choice for this, as it offers two-factor authentication.
- For password hint questions, e.g. “What is your mother’s maiden name?”, use false answers that can’t be looked up on the web and that only you would know.
Read the article for even more tips on how to make yourself harder to hack.
Now that the public’s overall awareness of phishing is much greater, getting people to click phony links in an email isn’t as easy as it used to be. However, phishers, now motivated (and possibly funded) by organized criminal elements, are investing more time in actually fooling people, producing very authentic-looking emails aimed at audiences whose accounts are worth compromising, such as the people who control payroll or bank accounts for small companies. A recent phishing campaign dissected by Webroot details a focused targeting of Intuit’s popular Quickbooks platform. Using a combination of scare tactics, genuine Intuit branding and realistic-sounding text, the emails can lull real Quickbooks users into a false sense of security and get them to click through to malware-laden sites that quickly compromise their computers.
What this means for you:
Whenever you receive a request from a known service provider via email, always, ALWAYS! check the integrity of the links they ask you to click, especially if the communication wasn’t expected. How do you check the links in an email? Read my previous post “Ransomware Virus Targets Skype Users” for details on how to check whether the links are valid. Even if the email seems to be legitimate, skip the links altogether and go straight to the website in question by typing in the URL yourself, or pick up the phone and call the company. Your computer and financial security are worth a few more minutes and keystrokes!
Security analysts are uncovering a troubling rise in sophistication and cunning in targeted phishing attempts – also known as “spear phishing” – where attackers are adapting their tactics to exploit weaknesses in common business worker behavior. Most obvious and easiest to exploit is the fact that many businesses “shut down” on Fridays, and most workers, including corporate IT, disengage from the job and stop reading email. Attackers savvy to this trend send out the usual phishing emails with URLs that are still clean at the time of delivery, so the messages arrive in user inboxes unmolested by corporate malware detection platforms, which scan links when the mail comes in. The attacker then bides his time and compromises the websites linked in the phishing emails only at the last moment, say early Monday morning, just before users start reading the mail that arrived over the weekend. Because the email made it past the corporate filters, the user wrongly assumes it’s safe, clicks the URL, and his or her computer is compromised through the usual malware attacks.
What this means for you:
Phishing emails are becoming ever harder to distinguish from the real thing, and it takes a trained eye to spot the best fakes. The most common phishing emails use subjects like the following:
- Your account has been accessed by a third party
- (Bank Name) Internet Banking Customer Service Message
- Security Measures
- Verify your activity
- Account security Notification
When you receive an email like the above, and it appears to have come from a company or institution you deal with, examine the source of the email carefully to make sure the links actually go where they say they go. (See our previous news item “Ransomware Targets Skype Users” for more tips on how to tell whether an email is legitimate.) If there’s any doubt at all, don’t use the links provided; type the address in yourself or use a bookmark you created, so you know you are going to the proper website, or call a known, publicly available phone number for the company and verify the request with a real human.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net