Public Wi-Fi

My local police department issued this warning today:

Today’s technology can be extremely useful in our everyday activities, but also dangerous if not done so with caution. Below are some things to remember before you allow you your smart phone, tablet, lap top, or any other device to connect to a publicly shared Wi-Fi network.

1. Never utilize your online bank or credit card accounts, or shop online when connected to public Wi-Fi.
2. Be aware that criminals may set up similar network names to a restaurant, café or coffee shop to get you to us their network. When this is done, they can gain access to your personal information.
3. Make sure your smart phone is not set up to automatically connect to surrounding Wi-Fi networks.

You might ask the difference between public Wi-Fi and the one in your home.  Well, the simple answer is encryption.  Everything you send via a public Wi-Fi signal can be intercepted by someone else on that same network.  Since the transmission is not encrypted that person can read everything you send.  That includes passwords, bank numbers and private emails.

Encryption acts similarly to the locks on the doors in your home.  The locks keep people out unless they have the right key to translate the tumbler in the door.  Similarly, encryption locks your message so that someone without the proper decryption codes cannot understand what you have sent.  No locks mean that anyone can walk into your home;  no encryption means that everyone can read your post. The better the locks, the less likely that undesirable people will come in your home;  the better the encryption, the less undesirable people can read your email.

Facebook’s Requirement of ‘Authentic’ Names

I recently read a Wired article entitled, Help, I’m Trapped in Facebook’s Absurd Pseudonym Purgatory, and it reminded me of an experience I had last month.  I was at a conference and relying  upon my email and Facebook to help me maintain communication with my students, administration and clients.  I was midway in reading a message on Facebook and it shut down.  When I tried to login, I received a message that I needed to confirm my identity in order to logon.  My suspicious brain immediately assumed it was a cybersecurity problem.  With this assumption, the last thing I was going to do was to send them more information.  So, I went to the web and began to check sources regarding this problem and I found that it was really Facebook!  I checked and learned that I either had to send some ID with a picture and address.  Of course, I could send them an ID with my name, such as a driver’s license and picture, or a bill, library card, passport or other kind of document that could prove I was who I claim to be.  I was really troubled about this, but I took a photo of my driver’s license and sent it to Facebook.  Twenty-four hours later I could login to Facebook again.  I don’t really understand the evidence factor … how do they know that photo is of me?  How do they know where I live?  And, I am so glad my social security number is no longer on my driver’s license!

But, what happened?  When you sign up for Facebook, you agree to use your real name.  For several years, I used ‘Vicki Sauter.’  However, at some point, my cousin’s wife whose name is also ‘Vicki’ and who changed her last name when she got married, also joined Facebook.  We were fine until family members had friended both of us.  Then people began to get confused… they would friend her when they thought they thought they were friending me and vice versa.  The same was true with postings and messages.  Now, you know I am a computer person …. my cousin is a Lutheran minister!  The mixup could get quite confusing!  Since her middle name also begins with an ‘L,’ just using a middle initial was not going to solve the problem.  So, we solved the problem:  I changed my Facebook name to Vicki TheGeek Sauter and she changed her Facebook name to Vicki TheRev Sauter.  It was working quite well until someone “reported” me for not having an authentic name.  Believe me, everyone who came to my page knew who I was;  I assume the same was true with my cousin.  So, I gave in and sent them a copy of my driver’s license and my official name is back to Vicki Sauter (TheGeek).  The name in parentheses doesn’t even show up all of the time.

In my case, the result of going back to a name that appears on legal documents is a hassle and may cause confusion.  But, as I began to talk about it and think about it, there could be real problems.  What if someone were only known by friends using a nickname or a middle name?   I had an aunt whose name was Agnes Leone, but almost no one knew her first name (sorry dear, the secret is out), and many of us called her by a nickname, Vicki (it’s a long story).  Might she never be found by her friends?  Or, consider someone who is the victim of a stalker or spousal/child abuse.  Those folks might use a pseudonym to protect their safety.  Who knows who is looking at our profiles, especially if the security settings are not well controlled.  Someone else could ‘share’ your post and then your security is gone.  Or, what about people who join Facebook with a pseudonym because they are concerned that their employers might object to their use of social media.  Does Facebook’s needs really outweigh those people?

When I joined Facebook, no one asked me to prove who I was.  I just want them to make it easy for people to find me.  It’s fine that they know I am Vicki Sauter, but let me put back my “TheGeek” to avoid confusion.  And, figure out a way to make it safe for people who use different names

Do you need help using the Internet?

I have a new book and it may just be the thing you have been looking for!  The name of the book is You’re Never Too Old to Surf:  A Senior’s Guide to Safe Internet Use. 

This book is for you if you have ever wanted to harness the power of the Internet, but haven’t been quite sure what that means or how to do it.  It is intended for the parents, grandparents and great-grandparents who want to use the wide range of tools that are available today on the Internet, from simply surfing the web to buying online, using email, blogs and even social networking sites.  You may have sought guidance from your child or children  only to be annoyed at their exasperated response to your questions.  Or, you may have tried it on your own, and gotten frustrated with the tools, or had some problem result from that use (or know someone who did).  You may be using the Internet, but just not feel very confident in what you are doing.  If you fall into any of those categories, I wrote this book for YOU!  Of course, if you are the child or grandchild and are having trouble explaining things to your elders, this book could help you too.

The book is available from Amazon.com and BarnesandNoble.com.  Your local bookstore can order it too.  It is published through CreateSpace, ISBN 978-1506163857.

Please give it a try and let me know how you like it.

 

Phishing

Yep, “phishing” is a real thing, and you pronounce it the same as “fishing”.  Like fishing, phishing uses bait in an effort to hook something.  Unlike fishing, phishing doesn’t look for fish, but rather for sensitive information.  Phishing attempts to use an apparently trustworthy request to gain usernames and passwords to get access to more computers and/or credit card and other financial information to get money.

The key to phishing is that the request appears to be legitimate.  An email might be constructed to have the same look as those from your bank or other financial institution.  Or, the email might appear to be a bill from a company with which you do business.  Today phishing happens withing social networking tools, such as Facebook,  too.  These might be realized as:

A game or lottery.  In this kind of phishing, you may get an email or a Facebook post that claims you have won money.  Unfortunately, to get to the money, you must send them money or access to your bank account.

A request to confirm your account  These emails or social networking program ask you to log into a system that appears to be the legitimate.  Often these are sites that are appropriately branded and look as you expect them to be, but aren’t.  Never click on a link in  the email or social networking message;  the site might not take you where it appears to be.  The better approach is to log in manually.  So, if the message appears to be from Facebook, don’t click on the link, but instead type in http://www.facebook.com and proceed from there.

A violated policy alert.  You may note an email or Facebook post that claims you have broken some policy in your email system, Facebook or some other social networking system.  These always ask you to log in and do something.  Always navigate to the site manually.  Don’t provide information unless you are sure you are on the correct site.

Photos and Videos.  It is quite common for people who have hacked one account to try to get more information by sending information to contacts that appear to be from the original owner of the account.  These messages might claim to have videos or photos of you that are not appropriate.  Or, the message might claim to have photographic proof of some gory or sensational event.  These are almost always an attempt to get access to your account.  You should ignore t hem.

Before logging in to any site, always verify that you are indeed on the main site. Careless and unsuspecting users are often fooled by these tricks.

Senate Bill 2105: Cybersecurity Act of 2012

On Valentine’s Day, four Senators introduced Senate Bill 2105, which is also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, this would allow the Federal government to have security standards, to assess a company’s compliance, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators have weakened the bipartisan legislation.   They responded to business lobbyists who claimed that such regulations would “regulations would create a costly and cumbersome process.”  Rather than requiring the companies to meet these regulations, they should be encouraged to do so.  According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on National Security, would take this stand …. unless he does not really understand the real and present threat of such an attack.  Consider the number of companies in the last few months that have reported a security breach.  Sometimes the breach provides thieves with passwords, which can be problematic enough, but sometimes instead it is social security numbers, bank accounts and more personal information.  The people whose identities are stolen have a never ending hassle to fix the problem.  Many companies do not take security as seriously as they should.  Even when security is a priority, the companies have a significant task keeping a step ahead of the hackers.

Now, take that up to a regional or national level.  Suppose the U.S. had no access to electricity or telecommunications equipment.  Suppose this is not for a couple of hours as you might get in a thunderstorm, but rather for an extended period of time.   What would that do to the company’s productivity?  What if it happened during peak holiday shopping and no one could buy gifts or food?  What if it happened on election day and half the people were not able to vote?  What if …. there are many horrible examples.

We have already proven this can happen.  Well, it is unclear whether “we” proved it or someone else proved it by the introduction of the Stuxnet virus into Iran’s nuclear reactor.  Not only did it stop operations, but it did it in a way to damage the plant and roll back their development.  Other similar viruses, aimed at the “Internet of Things” (such as a power plant) have also been identified.

People release viruses all the time — sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.

 

A postnote:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.

Be Careful When Posting your Location on Facebook

We have all seen the posts of people who need to share their current location.  They talk about the trip to Europe they will enjoy for the next two weeks,  the concert they are attending, or the restaurant where they will eat tonight.  They are sharing information with their friends.  Of course, we have talked before about controlling your security levels so you really only share with friends.  But, I suspect most people do not think of it a great deal.  So, I want to share a story.

There is a young woman in Chicago who works for Groupon, teaches rowing at one of the city’s finest Catholic high schools, and coaches a rowing team.  A few years ago she started an organization called Recovery on Water (ROW) for survivors of breast cancer.  Her mission is to provide them an opportunity to exercise because research suggests that regular exercise drops the likelihood of another tumor by half.  It seems like a good cause with a regular membership that exercises together and supports one another in their challenge.

This summer the founder decided she would row the perimeter of Lake Michigan to raise money for her cause in an effort she called Row4ROW.   As I understand it, she planned to row the entire perimeter alone and sleep on her boat.  Along the way she shared information about her cause and, of course, blogged about her experience, including her location.  All went well until last week when she was sexually assaulted while she slept on her boat (you can read the Sun Times story).   On July 12, her blog (written by a friend) read:

Jenn was set to row to Beaver Island on Sunday morning but was attacked and sexually assaulted by a man in the early morning hours. The attack occurred in an area south of Gulliver along Lake Michigan in Mueller Township, Schoolcraft County, Mich. Investigators have reason to believe the assailant traveled a significant distance to commit the assault.

The bold print on the last sentence is mine.  It appears from reading her blog that they have not yet caught the assailant.    However, it is interesting to note that they believe that he knew where to find this young woman simply by following her blog.  It is anyone’s guess how he knew to find her blog — it might have been random, or he knew of the effort, or someone posted it on Facebook (frankly, that is how I learned about Row4ROW).  But the point is that the young woman, traveling alone, sleeping on the water simply broadcast her location to the world.  And, she has paid for that mistake.

Many people suffer home burglaries or other crimes because someone knows they are not home because of broadcasts on social networking sites.  Even if all you do is to post a photo from your phone, a technologically sophisticated person can check the photo for information about your location (and, depending on your phone, might know exactly where you were and when you were there).

The young woman is now taking better precautions.  For a couple of days she rode a bike (with others)  until she could find safe locations for sleeping.  She is now back on the water finishing her adventure and raising more money and more awareness of her cause.  And, raising more awareness of the problems of social networking sites.

I do not know this woman, and I do not know anyone participating in the program.  However, I was moved enough by her determination to continue that I did contribute.  If you are so motivated, you can make a donation online.

 

Malware — DNS Change

You may have heard the reports that something called DNSChanger is expected to hit on July 9, but not known what it was or what to do.

First, what is a “DNS” and why do you care if it gets changed?  First, DNS stands for Domain Name System and it is the directory system that allows computers to locate one another.  Your computer has no understanding of a web address such as  https://internetuseforseniors.wordpress.com.  So, after you type that into your web browser, the computer goes to the DNS and asks for the URL to be translated into something it understands.  That something is called an IP address.  Like your home address, an IP address is made up on multiple parts.  Your home address has a street number, a street, a city, state, country (perhaps) and some code, such as a zipcode.  Similarly, the IP address has a series of components that identify a specific computer uniquely.  These addresses are of the form 134.124.25.18, where the first number indicates your domain and the last number identifies a specific computer in the domain;  the intermediary numbers are further demarcations of the location.

Without a DNS server, we would all need to type in the specific IP address.  Clearly that is not practical. So, if the malware has infected your computer, then on Monday you will no longer be able to type in a URL and have your computer understand how to direct the browser.

How did that malware get put on people’s machines?  Like most malware, it infected people’s machines when they clicked on some advertising link that downloaded software to computers without the user knowing about it.  Since the software was not causing any problems, people do not know that it is on their machine — until July 9.  (Of course, with regular malware checks, this would probably have been detected.)

To avoid a problem, check your system now.  Some services, such as Comcast, has notified the users whose machines seem to be infected.  Similarly, Google and Facebook may be posting a warning if they detect your computer is infected.  To check, go to http://www.dcwg.org and follow the directions for checking and repairing your machine if necessary.  Do it today so you don’t have a problem on Monday!

What are Flame and Stux-net and why should I care?

There has been much discussion in the popular press of late about something called Flame and something called Stux-net, especially with regard to national security. However, many people do not understand what they are and why they are so troubling. Basically both of these are “computer worms” which, like viruses, attempt to perform malicious acts to your computer. The difference between a “worm” and a “virus” really has to do with how they are propagated. Computer viruses are a type of malware that generally deletes or changes files. They must be permitted to execute code and write to memory, and so generally attach themselves to some program; when the user runs the program, he or she also runs the virus (unintentionally). A worm, on the other hand, can self-replicate and move through a network (like the Internet). Generally worms are designed not only to spread, but also to make specific changes to the computer, including taking control of all or part of the computer. The key to understand is that the worm can cause damage to the system.

First, let’s talk about Stux-net. You may have heard about this one in 2010 when it was reported that there had been a cyberattack on Iranian uranium-enrichment centrifuges. This worm had been introduced into the Iranian nuclear processing facility (people in the know think it was introduced on a thumb drive), and it took control of the control system. A control system manages and regulates the machinery under its control, so that humans (often quite far away) can read sensors and information about they system and make adjustments. In this case, facility being monitored was Iran’s nuclear processing facility. The control system sent messages to uranium-enriching centrifuges to spin at speeds well beyond their tolerances. Obviously then the centrifuges were damaged.

You might ask how the worm could have caused that problem. Well, the programmers of the worm found vulnerabilities in the computer programs that run the control system. It is the same process of programmers exploiting bad programming the operating system so our computers can get viruses.

The worm caused so much damage to the facility that it has set back the nuclear program in Iran. At the time, there was discussion at the time that it might have originated in the United States and Israel, but there was no evidence to back up that claim.

It is beyond the scope of this blog to discuss who was behind it and their motives. However, it is important to note that malware can get into a physical facility, such as power plants, water treatment facilities and other public utilities. These are things we have taken for granted as protected and safe. However, The Washington Post, reported that:

A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely.

In fact, according to The Washington Post,

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Further, they note,

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even realized that their machines were online.

Last week the press identified a new worm deployed in Iran called Flame. This seems to be primarily surveillance malware that allows someone to turn on microphones, look at data, track what people are doing on a computer, and perhaps even listen to nearby cell phone conversations. This worm was deployed to the Iranian oil industry and was attaching itself to control systems for the rigs and other equipment. It was detected and the Iranian government has unplugged those facilities from accessing the Internet. It has also created its own task force to combat these attacks and claims it intends to build its own Internet. This same worm has been found in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

While the worms seem different, experts are not sure. They both move in the same fashion. In addition, computer experts say that the style of programming is similar between the two. Yes, it is true that there are styles of programming just as there are styles of writing. An expert can tell the reasons Emily Dickenson works are not confused with those of James Joyce. A computer expert can tell similarities in programming by how things are named, how they flow, and how different parts of the programs are hooked together. Worse yet, these experts claim to have found code that was apparently taken directly from Stux-net and put in Flame. All of those suggest similar authors.

What is the take-away for us? All of this mischief has put a spotlight on the fact that we, as a society, depend on computers for much beyond the business and pleasure applications we generally discuss. Everything from the car you drive to the utilities use computers to control them. And, where there are computers, there are people contemplating ways of breaking them. Most of these controllers were not visible to the average user, so they did not get attention from hackers. However, that also meant that their manufacturers often got lazy in building in the security to protect them. Now that they have the attention of the hackers, companies are scrambling to protect their controllers. Otherwise, we may be in for some rough times ahead at malicious or inadvertent attacks on our infrastrucutre.

To WiFi or Not to WiFi ….

We have all entered our favorite Starbucks,  Panera, hotel or other public place and connected via the free WiFi network.  It is convenient, easy and free.  Why wouldn’t you connect?  There is always a risk with a public WiFi node that people can read your messages and track your searches.  Yes they can … there is technology that allows them to do it on a non-protected (read that free) network.  But, there is an additional concern this summer.  According to Private:  Your Online Privacy Source,

This month, the FBI’s Internet Crime Complaint Center issued a stark warning to travelers:  If you use hotel Wifi hotspots abroad, you could get burned.  The alert says cybercriminals are targeting travelers abroad using pop-up windows that appear while they are trying to connect to the Internet through hotel Wifi.  The pop-ups tell hotel guests that they need to update a widely used software product.  But when they click to install it, what they get instead is malware on their laptops.

So, what can you do? If we follow our normal security procedures, download all software updates before you travel, only download updates directly form a vendor (and never click on a link in an email to do it), you are better prepared. You should also block popups because that is how the criminals advertise the software they want you to download.

In addition, if you use free WiFi spots, it would be good to use a Virtual Private Network (Private VPN).  The VPN encrypts all of your data thereby making  it useless to the criminal who might intercept it.  Without the VPN, your data is sent without any protection and someone with the right tools and abilities could intercept it and then use it for whatever purpose.  The Private article recommends using PRIVATE WiFi™.

Don’t ruin your vacation because you neglected security!

ACTA, CISPA, and TPP

There is more alphabet soup to concern us today — ACTA,  CISPA, and TPP.  While they are two entirely different things, they both potentially threaten our privacy on the Internet and that is bad.   Let me clearly state that I am a published author and I too worry about people stealing my intellectual property and making a profit from their own use of it.  However, I worry about rights being taken in the name of protecting intellectual property.

ACTA is the Anti-Counterfeiting Trade Agreement signed by the US, Australia, Canada, Japan, Morocco, New Zealand, Singapore, and South Korea, and expected to be signed by the European Union, Mexico, and Switzerland.  It is not “treaty” so it does not need to be approved by Congress. The goal of ACTA is to protect copyright and intellectual property, such as music and movies from pirating and counterfeiting.  I am not a lawyer and certainly not an international treaty expert, but the phrases, ” … including expeditious remedies to prevent infringements and remedies which constitute a deterrent to further infringements” and “authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party or, where appropriate, to a third party over whom the relevant judicial authority exercises  jurisdiction, to prevent goods that involve the infringement of an intellectual property right from entering into the channels of commerce” sound like the government is asking ISP’s to watch over users — and such surveillance cannot be a good thing.  According to the EFF, “ACTA contains new potential obligations for Internet intermediaries, requiring them to police the Internet and their users, which in turn pose significant concerns for citizens’ privacy, freedom of expression, and fair use rights.”

TPP is the Trans Pacific Partnership Agreement.  It too is multinational and it attempts to protect intellectual property.  It states that any party that “manufactures, imports, distributes, offers to the public, provides, or otherwise traffics in devices, products, or components, or offers to the public or provides services, that: (A) are promoted, advertised, or marketed by that person, or by another person acting in concert with that person and with that person’s knowledge, for the purpose of circumvention of any  effective technological measure, (B) have only a limited commercially significant purpose or use other than to circumvent any effective technological measure, or (C) are primarily designed, produced, or performed for the purpose of enabling or facilitating the circumvention of any effective technological measure, shall be liable and subject to the remedies set out in Article [12.12].  That sounds a lot like ISPs will need to monitor all of our transmissions to be sure they are not in trouble.

CISPA is The Cyber Intelligence Sharing and Protection Act.  According to Demand Progress, CISPA “could let ISPs block your access to websites — or the whole Internet.  CISPA also encourages companies to share information about you with the government and other corporations.  That data could then be used for just about anything — from prosecuting crimes to ad placements.  And perhaps worst of all, CISPA supercedes all existing online privacy protections.”

None of these measures make clear how much authority the ISPs will have or what a citizen’s rights to argue will be.  That is the part that worries me most.  It seems perfectly possible in this era for this to be the first step to certain sites having more rights than others (such as movie sites or book publishers) because of these laws.  If they really are innocent protection of IP, then why have the discussions not been more transparent?  Why is the government determined to keep experts out of the discussion until after treaties have been signed.  Let us not allow anyone the right to evaluate the appropriateness of a site without oversight.