Internet Security

This is more about you and what you do online, rather than about your devices and programs.

Related: Small business protection
  • The short take is to pay attention to your surroundings, and don’t do the stupid.

The mantra is:

“You are your first line of defense.”
Darrell Laffoon, Chief Technology Officer at EZShield

“… we need to be looking at it from a resilience point of view. It’s not a matter of if with cybersecurity, but when”

There are a range of threats out there. Sure, there are viruses – millions of them – but only a few percent are new. A huge amount are stale, old stuff dating back decades. Still dangerous if you have no anti-virus protection at all, but it’s widely known that the major operating systems and browsers have built-in protection that will keep most of those oldies at bay.

Until you do the stupid, that is. And that stupid? It’s being king-hit by a social engineering ploy that gets you to invite a nastie.

According to a study from Google about social engineering, some of the most effective phishing campaigns have a 45% success rate.

The trap is that technology users buy into the ‘safe and secure’ spin the big players put out. The stupid is not taking the time to parse the spiel and read the small print if you’re not 100% sure about such claims. You will find that marketing statements often fall short of what you think they say, and well, that’s marketing, eh?

And we now have to beware of scams from publicly listed companies like the Facebook bust!

So you don’t trust that your computer – heck, even your mobile – is safe out of the box. That’s good sense. Buy anti-virus protection, maybe a suite that works in concert to protect you against a range of threats. Even better. But it does not end there, no way!

If you don’t want to be in a situation where you have to admit ‘my bad’, then read on through Hardware, Software & IoT, then reflect on the advice in ‘Safe Online Behaviour’.

Hardware, Software & IoT

Here we look at vulnerabilities that can exist within the guts of your device, computer or phone. We look at what tech is vulnerable right out of the box, what core programs and apps can let you down, and where firmware (hardware with embedded software that can be updated) lapses can leave you with your pants down around your ankles.

Hardware

Are your system, programs and drivers up to date?

Update and patch attacks are rare. Not much comfort when Microsoft released a new version of Windows that included a virus on the CD (yes, old media, old news). Nor when Woolworths applied a McAfee anti-virus update that shut down their EFTPOS Australia-wide for 2 days. I did mention regular, tiered backup, right?

Most attacks target known vulnerabilities that have already been patched. The easy targets are the technically lazy and ill-informed who don’t update regularly. So don’t be easy!

  • Ensure Windows Update is on and set to automatically download and install if you use Windows (corporate users often receive updates after a ‘safe period’ to ensure that updates don’t mess with integrated or reliant systems). If you have other Microsoft software, such as Office, then enable Microsoft Update, available from the Windows Update configuration screen.
  • Turn on Apple Software Update if you use OS X, and set it to automatically download and install.
  • Do likewise with tablet(s), mobile phone(s) and whatnot.
  • Many other attacks come via outdated third-party software, so ensure that all of your apps and programs are up to date also. Include browsers, runtimes, media players and games.

If you have apps that don’t automatically update, you can use a global installer such as Ninite or Secunia Personal Software Inspector to cut the drudgery of manual updates and minimise crapware.

Even hardware can let hackers in. In August 2006 it was found that Qualcomm chips had vulnerabilities hackers could exploit. Sure, a fix was ‘available’ soon, but it was months before that fix propagated through manufacturer cycling to reach actual customers.

Devices

  • See: mobile devices

Software

Operating system, patches, etc.

It’s up to date, right?

Android Angst

Bad Apple?

  • [11 Apr 17] Pegasus: The ultimate spyware for iOS and Android
    “Apple iPhone and iPad users usually believe they are safe. There’s no malware for iOS, they say. Apple does little to discourage the impression — the “fruit company” doesn’t even allow antivirus solutions in its App Store, because, you know, allegedly they’re not needed.”

MicroSurf

  • [26 Oct 15] Windows 10 shares your files with the internet
    By default, a Windows 10 update will use your bandwidth to share files on your PC with other PCs. This walk-through shows how to disable that feature – or tone it down a bit.

Apps

Is all of your software up to date? That app you installed last year – has it been updated to align with the current version of your operating system? Is it safe against current threats? More on this in the Never be Late! section of the iConnect page.

Do you have programs to protect you online?

Your computer can be an open door for hackers. Decent malware and virus protection lowers that risk (I use Malwarebytes and BitDefender). Malwarebytes is the industry standard and you can download a free 30-day trial from our Malwarebytes step-by-step guide. [Disclaimer: yes, we get a commission; sales are what keep this site going!]. BitDefender is a great security suite that I trust all of my devices with.

Even with all the security layers you could wish, you’re back to square one if you open the door yourself (if you don’t get that, just play Snakes & Ladders and go back to the beginning of this article). Read on for a few misdemeanours the big boys get up to when sneaking their less-than-altruistic practices under the radar:

Reality bytes

In the real world contracts exist to protect first and second parties, not third party end users. Oh, you’ll see lots of stuff about consumer protection, end-user rights and privacy this and that in an EULA, but that’s regulatory requirement fluffed up in nice user-speak.

Tread wrong on a business agreement and regardless of whether you’re a shaker-and-roller, it’s gonna hurt (if the other party has the muscle to enforce). If they have your balls in a vice, it’s really gonna hurt!

[12 Feb 18]: Facebook did the naughty and in August 2018 Apple chopped their Onavo app from the store. Their bad was to mine devices for data on other apps under the guise of protecting them, snooping through a VPN service.

[31 Jan 19]: Facebook did the dirty again when they launched a market research app that paid users to hand over their data. Facebook bailed quickly after public outcry. Thing is, they used their internal-use-only Apple certificate to do so. Not for non-employees (ahem, 13yo end users). Apple took exception to teenage exploitation and revoked their enterprise certificate. Broke all other apps based upon it too. Not happy, Jan!

It’s not the only time Facebook landed in hot water. There’s the class action lawsuit. Even Angry Birds are up in, er, wings about the high level of chargebacks over ‘friendly fraud’.

(Id)IoT

Hackers Prey on the Vulnerable

“Risks to the security of Internet-of-Things devices will persist as long as consumers and manufacturers ignore baseline defenses. There are numerous reports in the media about smart gadgets falling under control of cybercriminals who use them to build an infrastructure that serves their purposes.”

Safe Online Behaviour

Avoiding gambling and porn sites is a given, as is being wise to those pesky invites from shonky sites and alleged friends.

However, threats can come from seemingly innocent places too; innocuous search results, hacked sites, fake sites, deceptive ads, spoof downloads, social media posts, blogs and well, almost anywhere really.

These tricksters have mastered what motivates people to do the stupid and open their door.

These threats are now common, everyday occurrences and some mimic so well that anyone can have a lapse of judgement and fall prey.

Siege mentality

Hackers and ransom-bandits are now very sophisticated. They spam, scam and spoof just like the real thing! Importantly – over 60% of people are had this way – are your habits online safe?

This goes beyond the obvious and simple strategies of avoiding porn and gambling sites (sure, of course you don’t!).


Being safe online requires behaviour that is flexible, ready for change and willing to learn. You need a mindset that evolves as attacks become more sophisticated.

For instance, merely deleting emails from unknown senders is not a deep enough level of paranoia. You need to scrutinise every email for authenticity: is the literacy congruent with the sender’s usual language? Spot words they would never use. Examine images to see if they are authentic.

This sort of thing is happening to thousands worldwide
I recently got a hearty email from my mum about an offer that she’d found.

She’s canny, and does send me information on things to check out. It was from her email address, literate and used language in step with her own.

I was nearly sucked in by a phishing scam

Without quite knowing why, I was mildly suspicious. I read the email in full rather than floating through it.

The only thing that tipped me off was an Americanism in the text; a word that mum would never use. Had I not developed a ‘healthy paranoia’ to everything online, I would not have had my guard up, would have taken that word for a minor oddity, followed the link to the ‘offer’ and become a victim of a cyber attack hijacking my persona to scam my contacts likewise.

It might not be you…

Now that you know they’re out to get you, you are at stage one paranoia. Engage stage two by realising that you can be ‘got’ as a by-blow of a targeted attack on a group you incidentally associate with:

Mexican journalist and UAE activist Rafael Cabrera was targeted by Pegasus iOS spyware that exploited three unpatched zero-day vulnerabilities in iOS in August 2016.

Pegasus is an advanced surveillance tool built by Israeli company NSO Group Technologies. Here’s a story from Tracy…

… I was reading about what Pegasus can do and it is exactly what happened to me. For example I would be sending an SMS and then out of the blue someone would write their comment, it was quite weird.

I’ll begin from day 1. I picked up my iPhone and it had been completely taken over, I couldn’t do a thing, I couldn’t type the word I wanted as that had been controlled also. I had pics on my iPhone that were somehow transferred from my family’s iPhones. Before all this began I had been using Twitter and I had said a word on Twitter that was offensive to others without me realising this, I had just previously learnt what the word meant before I tweeted it, if I had known it was going to offend people I wouldn’t have even said it.

Anyway someone had left a message on my iPhone telling me that they had read what sites I had visited. They knew everything about me via my emails, SMS messages, my contacts, my photos, my iPhone camera etc etc. I also believe my iPhone was tapped. They knew where I had been away on holidays, absolutely everything. I also have a Smart TV and that had been hacked into also.

Incidentally, Chrysaor – an Android spinoff – went undetected for 3 years until it was found by Google. This variant was tailored to target Israel.

To be fair though, infection came from third-party apps installed outside the security of Google Play, so definitely a case of caveat emptor.

Chrysaor shares many of Pegasus’ features, but comes with added specs:

  • it collects all data associated with SMS settings, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from messaging apps and social networks
  • captures screenshots,
  • answers calls and allows the caller to hear conversations in the background; and
  • self-destructs in case of detection.

It might not even be your fault!

Well, unless you let your website be uploaded by a shonky designer, but that’s another story.

In Top ways websites get hacked by spammers we see that sites can fall prey to password guessing attacks, so visit the tips for creating a strong password in Google’s help center and use two-factor authentication (2FA), such as Google’s 2-Step Verification, where available.

The post also finds that website servers can miss security updates, themes and plugins can be insecure or outdated, staff often lack training in security awareness and social engineering attacks (such as basic phishing protection) and may be tricked into giving out customer information.

Hackers can use dorking to exploit search engine functionality to find data leaks (when confidential data is uploaded and a misconfiguration makes it publicly available).

Host security policies can allow attackers to compromise a site by:

  • allowing users to create weak passwords,
  • giving admin rights to users who don’t require it,
  • allowing users to sign in using HTTP rather than enabling HTTPS; or
  • allowing file uploads from unauthenticated users or with no type checking.

A good host will at least protect customer sites by configuring them with high security controls:

  • disabling unnecessary services,
  • testing access controls and user privileges,
  • using encryption for pages that handle sensitive information, like login pages; and
  • regularly checking logs for suspicious activity.

See: TechRepublic’s guide on how companies should handle breaches.

Wait up!

When in doubt; pause, reflect, check. Maybe get help.

If you suspect that you’ve been had:

  • Pull the plug on your modem to stop outbound traffic and the risk of your gear being used in a botnet.
  • Do a deep-level anti-virus and malware scan,
  • Disengage your backups, make a complete system backup elsewhere; and then
  • proceed with caution in bringing your other stuff online.

If you don’t have a regular backup routine, then shame on you! A 1TB external SSD costs a few hundred dollars if you want complete system and data backup so fast you won’t even notice it. 128GB flash drives and SD cards now cost less than a tank of fuel. But if a total wipe-out doesn’t faze you…

Proceed with caution…

Don’t panic, right? Whatever the downside to all this may be, if you scramble frantically for a solution you might just click an ad that appears to be just what you need, only to find out that you’ve got yet another trojan or, even worse, ransomware.

So stay away from online ‘help’, cleaners and optimizers, and call in a professional if you don’t already have a documented, proven strategy in place. Well, you could just say ‘hang it’, wipe your system and start over. But that’s last-ditch extremo; save that for the last resort.

Join the Luddites?

If you access funds online and are willing to put them at risk, great: Don’t Panic!

If you don’t want your financials pillaged by nefarious crims that have hacked or bought your IDs and online account information to steal your ‘Preciousss’, then do not trust any online institution to safeguard your data.

Join the Luddites, ‘pop your clogs’ into the machinery of online ease and do as much as you can to erase your identity online.

A trifle overboard? I used to think so, but info-hacks dramatically increased in 2018 and now I’m cutting back on my online info and slashing accounts to reduce exposure.

A Final Twist of the Screws

In 2018 Europe put the screws on some of the Silicon Valley Tech Giants, showing that naivety and gullibility weren’t wanted ‘across the Pond’.

What can you do?

Be proactive and avoid the ‘hit’

  • Hack-proof and protect your smartphone
    • Know what’s on your phone, keep it updated and be careful of what you install
    • Be all over the lock (and unlock) features and avoid browser auto-logins
    • Beware using open wifi, it really is dangerous
    • Don’t let Siri, Google Assistant or your lockscreen reveal private info
    • Lock vulnerable apps (BitDefender can do this)
    • Enable anti-theft and tracking (BitDefender can do this for Android and iOS)
  • Become a Malwarebytes customer
    Malwarebytes protects against malicious download links and malspam. There are also social media and the Malwarebytes Labs blog for updates on cyberthreats.
  • Use a VPN to hide from attackers
    Subscribe to a VPN service or use a browser that has an inbuilt Virtual Private Network – your own private tunnel through the internet. A VPN hides your IP address and encrypts all data.

    • See: The Laziest, Cheapest Way To Set Up A VPN (2017)
    • Try SurfEasy’s VPN, it’s simple, straightforward and affordable. Opera’s PC browser has it built-in but their mobile apps don’t. However, they are well designed, easy to use and offer free data cover
  • Scrutinise your inbox
    Cybercrims know that data breach victims expect notification and thus send phishing emails spoofed to appear as legitimate notifications regarding those hacked accounts to con you out of personal information.
    See: Malwarebytes’ tips on how to spot a phishing email
  • Hire snoops:
    • Logdog for identity theft protection
    • Panopticlick to find out if you’ve been betrayed by your browser

  • Subscribe to Credit Monitoring. Affected companies often offer victims free identity theft monitoring services that notify when a line of credit is opened in their name.
    • Doesn’t protect against data theft so it’s like closing the stable door after the horse has bolted!
    • As a free service it’s fine, but to pay?

What to do when you’ve been ‘got’?

First port of call is the vendor, to see what policies, procedures and help are available:

  • Check with the company or organization that lost your data to hackers to begin with. They pay heavily when hacked. There are forensic investigations, legal fees and some budget for helping you.

Monitor your credit accounts. Look for suspicious activity and access free credit reports at annualcreditreport.com (U.S. Federal Trade Commission-authorized) and from National Credit reporting Bodies (CRBs) listed on the Australian government website:

Reset your password, enable multi-factor authentication (not much use if they have other forms of ID though).

[Android] Boot into Safe Mode to bypass lockout and remove unwanted apps

  • Press and hold the power button to shut down. When prompted to “Power off”, long press the Power off button (a dialog asks if you want to Reboot to safe mode) tap [OK] to do so. Third party apps are now disabled.
  • Reboot and check that you’re good to go.

Consider freezing your credit
A credit freeze makes it harder to open up a line of credit under your name by restricting access to your credit report. You can lift or stop the freeze at any time. The only hassle is that you must contact each credit bureau individually to enact or remove a freeze.

Hacks and Attacks

Hacks

2017 Hacks

[26 Apr 17] Ransomware is Being Hidden Inside Attachments of Attachments

Ransomware attacks get more clever as the public gets wise. This one hides a malicious macro inside a Word document attached to a seemingly harmless PDF. The ransomware campaign, highlighted by the Naked Security blog, works like this:

  1. You’re sent a spam email with a PDF (uh, hello!) but the PDF doesn’t trigger your antivirus apps (unless maybe you configured deeper level screening).
  2. Acrobat tries to open the attached document when you open the PDF.
  3. The document opens in Microsoft Word, which asks you to enable editing.
    It’s a social engineering attack trying to get you to enable a VBA macro!
  4. You click [Yes], the macro runs, and it downloads and launches the Locky crypto-ransomware.

By hiding the attack inside an attached document within another safe-looking document, ransomware attackers can get around most antivirus filters.
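The detection side of this chain, as an added example that is not from Naked Security or this blog: a small Python scanner that pulls out the files embedded in a PDF and flags any Office attachment carrying a VBA project. Both the PDF and the macro-enabled document inside it are constructed inline; the parser assumes uncompressed streams with flat dictionaries, which the constructed sample satisfies.

```python
import io
import re
import zipfile

# File-type magic: ZIP (OOXML .docm/.xlsm) and OLE2 compound file (legacy .doc/.xls).
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# A stream dictionary without nested << >>; the constructed sample is built that way.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")

def embedded_files(pdf: bytes) -> list[bytes]:
    """Return the raw bytes of every uncompressed /EmbeddedFile stream in the PDF."""
    # Simplified on purpose: real PDFs usually FlateDecode these streams and nest
    # dictionaries, so a production scanner needs a proper PDF parser here.
    payloads = []
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        if b"/EmbeddedFile" not in dictionary:
            continue  # page content, fonts, images: not an attachment
        length = int(re.search(rb"/Length\s+(\d+)", dictionary).group(1))
        payloads.append(pdf[m.end():m.end() + length])
    return payloads

def classify(payload: bytes) -> str:
    """Label one attachment: Office file with a VBA part, or something else."""
    if payload.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "office-macro"  # OOXML with macro storage (.docm etc.)
        except zipfile.BadZipFile:
            pass
        return "zip-other"
    if payload.startswith(OLE_MAGIC):
        # OLE directory entry names are UTF-16LE; a "VBA" storage marks macro docs.
        return "office-macro" if "VBA".encode("utf-16-le") in payload else "ole-other"
    return "other"

def scan_pdf(pdf: bytes) -> list[str]:
    """Classify every file embedded in the PDF, in document order."""
    return [classify(p) for p in embedded_files(pdf)]

def build_macro_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file: a zip with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)  # dummy VBA storage
    return buf.getvalue()

def build_sample_pdf() -> bytes:
    """Constructed PDF: one macro document, one ordinary page stream, one text note."""
    # No xref table is written; these bytes exist only to exercise the scanner above.
    def stream_obj(num: int, extra: bytes, data: bytes) -> bytes:
        head = b"%d 0 obj\n<< %s/Length %d >>\nstream\n" % (num, extra, len(data))
        return head + data + b"\nendstream\nendobj\n"

    page = b"BT /F1 12 Tf 72 720 Td (Invoice attached) Tj ET\n"
    note = b"plain text attachment, nothing to see here\n"
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Filespec /F (invoice.docm) /EF << /F 2 0 R >> >>\nendobj\n"
            + stream_obj(2, b"/Type /EmbeddedFile ", build_macro_docm())
            + stream_obj(3, b"", page)  # page content: must not be reported
            + stream_obj(4, b"/Type /EmbeddedFile ", note)
            + b"%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))  # ['office-macro', 'other']
```

A mail gateway applying this check would quarantine the PDF before Acrobat ever gets to step 2 of the chain, regardless of whether the Word document itself is known to antivirus.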

2018 Hacks

Year of the Data Breach. More attacks than 2016, fewer than 2017. More records stolen than in any previous year. Ow!

[28 Sep 18] Facebook data breach

Facebook’s ‘View As’ feature lets people see what their profiles look like to others. An exploit exposed access tokens that could be used to take over people’s accounts without needing a password. The breach also affected third-party apps linked to Facebook. As a precaution, Facebook logged off about 90 million people.

[30 November] Marriott data breach

Malwarebytes ALERT: Marriott International disclosed a massive data breach affecting 500 million consumers … For some (this) includes credit card numbers and expiration dates

“In what has sadly become the new normal, another massive data breach made headlines today, … Marriott International disclosed a massive data breach … Compromised data includes name, address, phone, email, passport number, and date of birth. For some victims, (this) includes credit card numbers and expiration dates.

If you’ve stayed at any of the following Starwood properties, you’ve been affected.

  • Westin
  • Sheraton
  • The Luxury Collection
  • Four Points by Sheraton
  • W Hotels
  • St. Regis
  • Le Méridien
  • Aloft
  • Element
  • Tribute Portfolio
  • Design Hotels”
See the full article

[4 December] Quora Hack

A notification email titled Quora Security Update was sent to Quora users on 4 December, 2018. It included the following information:

“The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
  • Non-public actions, e.g. answer requests, downvotes, thanks”

Quora is a worthy site. A generous concept of community help in the mindset of the forums and chatrooms prior to the commercialisation of the internet in the ’90s.

They also provided excellent advice for users that recycle passwords:

“We’ve included more detailed information about more specific questions you may have in our help center, which you can find here.

While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”

In their Quora Security Update – FAQ they provide some great advice, including:

I’m sad to lose their service, but if they can’t keep my data safe, it’s hasta la vista, baby. So I logged in, disconnected connected accounts, logged out of all other browsers, set Privacy and Notifications to minimise exposure and contact (paranoid, yes, but that may minimise my footprint in any cache) and finally deleted the account. That should do it, eh? Nope! Next was checking for any saved browser passwords (nope, nyet, nada), then checking for any system vulnerabilities (out of date drivers, browsers, apps etc.).

So the rotten bastards win; and yet another internet resource bites the dust. Damn!

[14 December] Reverse clickbait scam

Advertisers are being scammed by hidden pay-per-click ads that users are unaware of.

This is nothing new though, Hummingbird has been around since early 2018. Here’s an example of a big Chinese hacking scam.

2019 Hacks
