Think Twice about what You Post

Leave a comment

Today I read a post in Facecrooks (which by the way is a positive site to help you protect yourself, despite the name) about a man whose posts lead to negative consequences.  The post started with:

According to police in Philadelphia, a 19-year-old man was targeted by three robbers after he posted on Facebook and Instagram about an inheritance of jewelry he had just received.

The three robbers kicked down the door of the victim’s home at 2:30 a.m. Saturday morning, making off with a Rolex watch, several gold chains and mobile phones. Thankfully no one in the home was hurt, but the robbers have not yet been caught.

According to the Hickory Record, the robbers were caught and during the questioning, they mentioned they had heard about the inheritance.  Clearly the young man who received the inheritance never intended for strangers to know about his good luck.

This is a case of not having Facebook privacy controls set appropriately.  To check YOUR settings, go to the small arrow at the far end of the blue border at the top of your Facebook page.  Click the arrow and select “Settings” as shown below.

Checking Facebook Settings

Checking Facebook Settings

At that point,select “Privacy” from the left menu.  You will see a screen that begins with “Who can see my Stuff.”  If you have not already set it, this probably says “everyone.”  If so, edit it and and select the “custom” button.  You might want to set that to just your friends, or friends of friends.  Or, you can set it so that only specific people can view what you post.

If you have something valuable, such as the jewelry inheritance, you want the post to be sent only to your friends, and maybe not even all of them.  You can use your lists of people to narrow the group further.  If you have it set as “everyone,” not only can everyone who happens on your page read it, but they can also share it with everyone they know.  With this kind of visibility, it is not surprising that the bad guys got the news.

You need not adjust those settings the same for everyone.  But, for valuables or for photos of children (especially with other information), it is best to limit the range of people who see your post.

Advertisements

Senate Bill 2105: Cybersecurity Act of 2012

Leave a comment

On Valentine’s Day, four Senators introduced Senate Bill 2105, which is also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, this would allow the Federal government to have security standards, to assess a company’s compliance, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators have weakened the bipartisan legislation.   They responded to business lobbyists who claimed that such regulations would “regulations would create a costly and cumbersome process.”  Rather than requiring the companies to meet these regulations, they should be encouraged to do so.  According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on National Security, would take this stand …. unless he does not really understand the real and present threat of such an attack.  Consider the number of companies in the last few months that have reported a security breach.  Sometimes the breach provides thieves with passwords, which can be problematic enough, but sometimes instead it is social security numbers, bank accounts and more personal information.  The people whose identities are stolen have a never ending hassle to fix the problem.  Many companies do not take security as seriously as they should.  Even when security is a priority, the companies have a significant task keeping a step ahead of the hackers.

Now, take that up to a regional or national level.  Suppose the U.S. had no access to electricity or telecommunications equipment.  Suppose this is not for a couple of hours as you might get in a thunderstorm, but rather for an extended period of time.   What would that do to the company’s productivity?  What if it happened during peak holiday shopping and no one could buy gifts or food?  What if it happened on election day and half the people were not able to vote?  What if …. there are many horrible examples.

We have already proven this can happen.  Well, it is unclear whether “we” proved it or someone else proved it by the introduction of the Stuxnet virus into Iran’s nuclear reactor.  Not only did it stop operations, but it did it in a way to damage the plant and roll back their development.  Other similar viruses, aimed at the “Internet of Things” (such as a power plant) have also been identified.

People release viruses all the time — sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.

 

A postnote:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.

Malware — DNS Change

1 Comment

You may have heard the reports that something called DNSChanger is expected to hit on July 9, but not known what it was or what to do.

First, what is a “DNS” and why do you care if it gets changed?  First, DNS stands for Domain Name System and it is the directory system that allows computers to locate one another.  Your computer has no understanding of a web address such as  https://internetuseforseniors.wordpress.com.  So, after you type that into your web browser, the computer goes to the DNS and asks for the URL to be translated into something it understands.  That something is called an IP address.  Like your home address, an IP address is made up on multiple parts.  Your home address has a street number, a street, a city, state, country (perhaps) and some code, such as a zipcode.  Similarly, the IP address has a series of components that identify a specific computer uniquely.  These addresses are of the form 134.124.25.18, where the first number indicates your domain and the last number identifies a specific computer in the domain;  the intermediary numbers are further demarcations of the location.

Without a DNS server, we would all need to type in the specific IP address.  Clearly that is not practical. So, if the malware has infected your computer, then on Monday you will no longer be able to type in a URL and have your computer understand how to direct the browser.

How did that malware get put on people’s machines?  Like most malware, it infected people’s machines when they clicked on some advertising link that downloaded software to computers without the user knowing about it.  Since the software was not causing any problems, people do not know that it is on their machine — until July 9.  (Of course, with regular malware checks, this would probably have been detected.)

To avoid a problem, check your system now.  Some services, such as Comcast, has notified the users whose machines seem to be infected.  Similarly, Google and Facebook may be posting a warning if they detect your computer is infected.  To check, go to http://www.dcwg.org and follow the directions for checking and repairing your machine if necessary.  Do it today so you don’t have a problem on Monday!

What are Flame and Stux-net and why should I care?

1 Comment

There has been much discussion in the popular press of late about something called Flame and something called Stux-net, especially with regard to national security. However, many people do not understand what they are and why they are so troubling. Basically both of these are “computer worms” which, like viruses, attempt to perform malicious acts to your computer. The difference between a “worm” and a “virus” really has to do with how they are propagated. Computer viruses are a type of malware that generally deletes or changes files. They must be permitted to execute code and write to memory, and so generally attach themselves to some program; when the user runs the program, he or she also runs the virus (unintentionally). A worm, on the other hand, can self-replicate and move through a network (like the Internet). Generally worms are designed not only to spread, but also to make specific changes to the computer, including taking control of all or part of the computer. The key to understand is that the worm can cause damage to the system.

First, let’s talk about Stux-net. You may have heard about this one in 2010 when it was reported that there had been a cyberattack on Iranian uranium-enrichment centrifuges. This worm had been introduced into the Iranian nuclear processing facility (people in the know think it was introduced on a thumb drive), and it took control of the control system. A control system manages and regulates the machinery under its control, so that humans (often quite far away) can read sensors and information about they system and make adjustments. In this case, facility being monitored was Iran’s nuclear processing facility. The control system sent messages to uranium-enriching centrifuges to spin at speeds well beyond their tolerances. Obviously then the centrifuges were damaged.

You might ask how the worm could have caused that problem. Well, the programmers of the worm found vulnerabilities in the computer programs that run the control system. It is the same process of programmers exploiting bad programming the operating system so our computers can get viruses.

The worm caused so much damage to the facility that it has set back the nuclear program in Iran. At the time, there was discussion at the time that it might have originated in the United States and Israel, but there was no evidence to back up that claim.

It is beyond the scope of this blog to discuss who was behind it and their motives. However, it is important to note that malware can get into a physical facility, such as power plants, water treatment facilities and other public utilities. These are things we have taken for granted as protected and safe. However, The Washington Post, reported that:

A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely.

In fact, according to The Washington Post,

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Further, they note,

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even realized that their machines were online.

Last week the press identified a new worm deployed in Iran called Flame. This seems to be primarily surveillance malware that allows someone to turn on microphones, look at data, track what people are doing on a computer, and perhaps even listen to nearby cell phone conversations. This worm was deployed to the Iranian oil industry and was attaching itself to control systems for the rigs and other equipment. It was detected and the Iranian government has unplugged those facilities from accessing the Internet. It has also created its own task force to combat these attacks and claims it intends to build its own Internet. This same worm has been found in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

While the worms seem different, experts are not sure. They both move in the same fashion. In addition, computer experts say that the style of programming is similar between the two. Yes, it is true that there are styles of programming just as there are styles of writing. An expert can tell the reasons Emily Dickenson works are not confused with those of James Joyce. A computer expert can tell similarities in programming by how things are named, how they flow, and how different parts of the programs are hooked together. Worse yet, these experts claim to have found code that was apparently taken directly from Stux-net and put in Flame. All of those suggest similar authors.

What is the take-away for us? All of this mischief has put a spotlight on the fact that we, as a society, depend on computers for much beyond the business and pleasure applications we generally discuss. Everything from the car you drive to the utilities use computers to control them. And, where there are computers, there are people contemplating ways of breaking them. Most of these controllers were not visible to the average user, so they did not get attention from hackers. However, that also meant that their manufacturers often got lazy in building in the security to protect them. Now that they have the attention of the hackers, companies are scrambling to protect their controllers. Otherwise, we may be in for some rough times ahead at malicious or inadvertent attacks on our infrastrucutre.

Man-in-the-Browser and Financial Transactions Security

Leave a comment

Online banking makes paying bills and transferring money easy and fast.  But are you sure that you are protecting yourself and your money?  What would you do in the “real world”?  First, you would want to make sure you were really at the bank, and that it is open.  You  would want to hand your checks and money to an official teller and get receipts of all of your transactions.  In addition, you would probably get fairly suspicious if someone were looking over your shoulder or if you had to conduct your business through a third party (not someone who works for the bank).  You would be wise to ensure that your records were accurate and that no one was stealing your signature or banking documents.

If we are going to take advantage of the benefits of online banking, we need to translate those practices into the virtual world.  First, you should have a unique and strong  password for your banking account.  If you are not sure how to get a strong password, look at my previous post on the topic.  Second, you should avoid using a public computer for your online banking because it might have installed software to log your keystrokes or to remember your passwords without your permission.  Third, you should keep information about your account and password quite secret.  Fourth, of course, you should always be running up-to-date virus protection and malware protection to ensure that your computer is doing what you intend.  Your bank may have additional software and/or devices that provide additional security for your transaction.  Fifth, you must update your operating system and browser as recommended, especially if you use Windows and/or Internet Explorer.  Both products have features that are often

Even if you follow safe computing practices, you may still be at risk thanks to a new kind of trojan (similar to a virus) that might have infected your computer,  called a “Man-in-the-Browser” (or MitB) trojan.  The trojan is a piece of software that does not install itself on your computer, but rather installs itself as an add-on program within your browser, without your knowledge.  What happens is the MitB alters what the user and the bank see during the transaction.  So, for example, the bank does not get correct information about how much money to pay a vendor, and you do not see how much money was actually reported.  In fact, it might transfer money to another account and you might not be aware that it happened.

Your virus protection examines all of the software on your computer by comparing it to known problems or peculiar behavior.  Just as your police officers fingerprints and now DNA samples to compare to evidence at the scene of a crime, your virus protection compares strings of computer programs to those known to be viruses, malware and trojans.  If those do not identify the perpetrator of the crime, they look for people who are behaving strangely.  Likewise the virus protection examines programs for unusual activities, like replicating themselves,  growing quickly, or accessing a number of services on the computers. Generally these strategies work well.  However, MitB trojans are particularly difficult to detect since they change their appearance and behavior tens of thousands of times each day.   A particularly good (and easy to understand) description of this phenomenon was aired on BBC News.  Since they are hard to detect, it might take some time before your virus protection understands that there is a problem and by then it might be too late.

There are some warning signs for this kind of problem.

  • If it takes your computer longer to process requests
  • If your financial transactions take longer than normal
  • If you are asked for more information than normal during your financial transaction, especially if you are asked for passwords or sensitive information such as social security numbers.

What do you do if you experience one or more of those symptoms?  You should call your bank as soon as possible and give them the date and time of the transaction.  Do not email your bank because the same software that interferes with your financial transaction may interfere with the sending of the mail.  Your bank may have monitoring software that catches and disallows unusual transactions to protect you, so you may not have a problem.   If you do, you will need to rely upon your bank’s policy as to how much you are responsible.

Facebook Applications

Leave a comment

Did you know that no one reviews applications before they are made available on Facebook?  Most people think that if an application runs on Facebook that it was vetted somewhat or that it is, at least,  reliable.  That is not true, unfortunately.  Anyone can write an application with any mission in mind.  Once you give them access to your data, they unfortunately have your data and can do with it what they want.

Clearly there are multiple kinds of applications developed.  Some are developed by people who enjoy programming and want to develop something to show that they can program (many of these people are looking for jobs and putting it on their resumes).  Others have developed applications for themselves, and share it out of kindness.  These seem like harmless enough purposes, and they may well be.  However, if they are not good at programming they may inadvertently cause negative things to occur.    Then there are the people who just want to cause problems, or who want to collect information for nefarious purposes, or who are trying to scam users.

Does that mean you should never use Facebook Applications?  Certainly not.   Some of them are quite useful, or quite fun and should be used.  But, you need to protect yourself.  You could adopt what has been identified as “Sauter’s First Law of Computing” — never be the first to adopt new computing (hardware or software).  Let someone figure out how to solve the problems first!  (An associated lemma says not to adopt new computing alone … always have a friend who can help you solve unanticipated problems.)  Sometimes that is not possible, or sometimes you just don’t want to make your friends into guinea pigs.

You could first search Google for the name of the application and see what it says about the application.  Or, go to Facecrooks to see if they have a notice about problems with the application.  Or check the Facebook Security .  You can also go to the application’s Facebook page and look for information.  Click on the “information tag” … is there a description and does it tell you who developed it?  If so, check out the developers for their reputation.  Check the number of users — you do not get extra points for being the first.  Read the reviews of the application, to determine the experiences of other users.  Think about the information to which they want to give access — does it make sense, or are they looking at more than they should really need to see?  Think about the benefit of the application — is there enough advantage to make it seem reasonable?

As I have said before, use the same “common sense” in the Facebook world that you would use in real life.  Do not assume anyone else will protect you, but rather be a wise consumer of computing.