The Cyber Chronicles | Episode 6 – Anatomy of an Email Scam

Scammers in Action.

Ever thought, “How the heck do they know that!?”

Me, too. Let’s expose how easy it is these days …

We’ve talked quite a bit about information in these articles, either directly or indirectly, and if you’ve noticed that, I’m doing my job. Across the pages of history are scattered periodic and uncommon tectonic shifts in the daily lives of humanity related to the proliferation of a new technology. One thinks of the Iron Age, the Renaissance, the Industrial Revolution, and we now live in the midst of the Information Age. The colossal impact of these phenomena is obvious in retrospect, but often challenging to accommodate in the present.

The foreshocks of the Information Age began with the invention of the printing press, but the ubiquitous adoption of the Internet as a presupposed fact of daily life has rocketed us into a new era of the Information Age. As a result, if we don’t want to be knocked over by the subsequent tsunami of reality, we must forge new habits and a new “normal.” My goal with these episodes is to reveal some of the new realities in a vivid manner, so that the rationale for change becomes embedded in our consciousness and subsequent behavior modification almost automatic.

AWARE

We’re probably all familiar with the common phishing email asking for the purchase of gift cards. We stop waves of them on a regular basis where I work, and we’ve seen a new degree of sophistication recently that serves as a great example.

This story starts with an email sent to someone who knows a coworker of mine.

[Image: snippet1]

Now Mr. Ide knows Ms. Bessmer and is an IT health care professional, so he is not fooled by this familiar scam. But he also can’t resist responding to the scammer …

[Image: snippet2]

But this scammer is not to be discouraged. Despite having been called out for scummy behavior, they’re going to try harder.

[Image: snippet3]

So let’s pause here and see if we can figure out how the scam artist knew that Lorraine and Michael know one another.

A quick internet search for “Lorraine Bessmer” returns as its fourth result the Idaho Chapter of HIMSS (Healthcare Information and Management Systems Society). Clicking on that returns the almost certain source of our scammer’s seemingly inside information. (I hope you still recall that specificity conveys authenticity.)

[Image: snippet4]

Now I doubt you noticed (though I’m sure our would-be hacker did), but the information contained in this webpage and the information contained in Michael’s reply didn’t match, and as a result the cyber criminal now has more information than they started with. By comparing the different phone number on the webpage with the phone number helpfully provided in Michael’s reply email, the hacker now knows both his office and mobile phone numbers, and which is which. If you remember our earlier story on SIM Jacking, you recognize that Michael is now more vulnerable to having his identity stolen, and it’s really not that difficult.

[Image: snippet5]

 

It was Lorraine who first brought this episode to my attention, and I’m happy to report that the local chapter of HIMSS has modified its webpage so it no longer displays any personally identifiable information. The group serves as a great example of rapidly adjusting to our new reality. May we each follow this lead. And, please, try to resist replying to any suspicious email! Few of us are “woke” enough to realize what we’re accidentally giving away.

Perhaps you’ve wondered why your company encourages you not to use your corporate email for personal correspondence … well, now you know! And, of course, there are five more anecdotes we could cite …

PREPARE

You may be about ready to become a Luddite and swear off all technology, but that’s not really realistic, is it? Once we are aware of what’s going on and know why we need to care, we have the opportunity to prepare. Think about how our kids take technology for granted. My middle daughter asked me a few days ago how I drove without GPS and couldn’t understand why I started laughing. I guess I’m going to have to give her some pre-technology preparation … us old dogs are still good for something!

If we simply adjust to the paradigm we’re already living in, we can all learn what being responsible means in the late stages of the Information Age. So sally forth with a new comprehension of how readily available our personal and corporate information is, and become a paragon of informational virtue, freshly scam-resistant!

The Cyber Chronicles | Episode 5 – Cloudy With a Chance of Breach

Navigating ‘the Cloud’

Let’s talk about “the Cloud.” You know the Cloud, right? It’s a place to store your information on a bunch of other people’s computers that you don’t control. Oh, and you also have no control over whether your information is stored on the same hard drive as that of a Russian hacker, or an NSA toolkit, or perhaps just some company’s data, maybe like LinkedIn’s user database, or some other valuable information that makes the server where your data also happens to reside a frequently targeted environment.

AWARE

Let’s talk about how awesome the Cloud is … you don’t have to pay the electricity bill, you don’t have to upgrade the OS, you don’t have to do any administration at all, in fact. You just drag and drop your data and, presto, you’re using the Cloud!

Of course, you also have no way to confirm the OS is properly patched and upgraded, but we can certainly trust all these major corporations to be doing things right. Right? Hello? Ferris?

Anyone

If you’re an observant reader, you might be sensing that I’m suspicious of the Cloud. Well, yes, a little bit, but I’m trying to get you to be suspicious of the Cloud, because right now most of us spray data out into the Internet like I spray my kids with a hose on a 105-degree day – without a second thought! And with data, we don’t know where it’s going, whether it’s private or whether you can effectively get it back. I can delete a file today, but if you copied it yesterday, you still have my data. I bet Jennifer Lawrence wishes she had thought about that pesky reality.

There are so many issues with the Cloud I had a hard time deciding what to talk about. But true to form, I decided to tell you a story. It was a bit difficult to put together the pieces because they go back to 2011 — the Mesozoic era of the Internet. (That works out to 66 million Internet years … I’m not quite clear on the math, but why are you distracting me?)


CARE

So … back in 2012, Dropbox announced they were investigating a strange increase in spam being received by Dropbox users. Dropbox even hired third-party experts to check it out. Reassuringly (at least back when you could trust people on the Internet … wait, you used to trust people on the Internet?), they found no evidence of a security breach.

Dropbox posted the following on its customer forums:

[Image: Untitled 2]

Now those would have been reassuring words, except that slightly less than a year previously Dropbox had to admit that it had accidentally published code to the company’s live, public site that allowed anyone to sign in to any Dropbox account without a password. (I imagine right about now you’re feeling really good about storing your tax returns on Dropbox.)

But let’s return to 2012. Dropbox had an outside party investigating the strange amount of spam, and that outside party concluded: “Move along! Nothing to see here …”

Except that on July 31, 2012, Dropbox sheepishly announced:

“We’ve been working hard to get to the bottom of this …”

And you probably know how this ends. Instead of “no intrusions and no unauthorized activity,” as previously announced, it turns out: “Our investigation found that usernames and passwords recently stolen from other websites [always pass the buck – it can’t be your fault] were used to sign in to a small number of Dropbox accounts” (emphasis and words in [brackets] are mine).

Fast forward to 2016, when it was revealed that the “small number” of Dropbox usernames and passwords stolen turned out to be 68,680,741. (Just to confirm, that’s 68.7 million.) Guess how we found that out? Four years later, someone posted them for sale online. Oh, minor point: That’s how Dropbox found out too.

PREPARE

So, full confession: I’m a Dropbox customer. It’s just so darned convenient. However, I take several precautions, which I’ll share with you in a moment here. Before we go there, I want to make sure you know I’m not picking on Dropbox (well, maybe a little), because I could have chosen any of several Cloud companies, and they would have looked equally bad. It’s just seeing the details of reality all up close like this that smacks us in the face. We could have focused on Cloud companies’ data utilization policies, their basically non-existent privacy policies or what happens to your data when a fledgling Cloud storage company goes out of business (who wipes those repurposed servers?), but I had to pick something, and this story wasn’t writing itself.

What should you do to keep your data safe in the Cloud?

  1. Never store anything online that you wouldn’t want your next-door neighbor to read.
  2. Always use a lengthy, complex password.
  3. Never use a password that you’ve ever used anywhere else. (Read this cautionary tale for a reminder of the “why.”)

Let’s give some specific examples:

  • Don’t back up your Quicken (or any other financial software) data to the Cloud
  • Don’t put your W2, your tax returns, your budget spreadsheet or any other financial information in the Cloud.
  • Don’t back up an entire old hard drive to the Cloud. Do you really remember everything you had stored on there?
  • Don’t put a list of passwords in the Cloud.
  • Remember when you had to scan in your driver’s license and upload it to someone? Don’t store that in the Cloud.

I think you get the picture. We’re all going to use the Cloud – that’s inevitable, but you’d better be paranoid about what you put up there. Information is a valuable commodity in this digital age, and the Cloud is really just a digital neighborhood with glass walls.

The Cyber Chronicles | Episode 4 – Pete, Tweet & Repeat

Social Media Safety.

Even though all of these articles cover serious topics, we’ve been trying to have a little fun with the process, but today I’m being very serious. The issue we’re going to discuss and the story I’m going to tell you are no joke.

On Monday we discussed the need to change how we think about information, so in a way this article is a continuation of that conversation, but we’re going to focus in on social media as a completely out of control information sieve that threatens our lives in multiple ways.

Let’s begin by admitting that most of us are not really up to speed on social media. We may think we know what our kids are doing, we may be really hip and use Facebook, Instagram and Twitter, but check out the following list of social media apps. How many did you even know existed?

AWARE

[Image: Untitled 1]

 

CARE

Why should we be concerned about this? Let’s talk about Elizabeth.

So far as I can tell Elizabeth’s story was first told by the boyfriend of her sister, Amy, in a Reddit chat room about a year ago. Elizabeth was 13, her mom was an ER nurse at Grady Health System. They lived outside the Little Five Points neighborhood in Atlanta. Unfortunately, because of the nature of her job, Elizabeth’s mom was often unavailable via phone. One night the oldest sister, Amy, who attended the University of Georgia an hour and a half away in Athens, received a call from an hysterical Elizabeth. Here’s what had happened.

Elizabeth liked using the video sharing app Periscope, in fact, she had built up quite a few followers, and typically had 10-20 people watching her at any given time. She would broadcast for two to three hours a day, leaving the camera on to record her normal life: doing her homework or putting on makeup. She would frequently interact with her various followers, and while there are always creeps on Periscope, she could easily block them. One follower was always there but never said anything; this person followed no one else, and never broadcast any video of their own. If Elizabeth began broadcasting, however, within a minute this person would join her feed, but never commented, and never responded to any of her attempts to draw them out.

One night while broadcasting painting her nails, she was being watched only by the silent user. Once again, she tried to draw them out, sending messages of smiley faces, asking various questions, all to no response. Finally, she went to bed but kept checking Periscope, wondering if anyone else would join her feed. Suddenly, she received a message from the silent watcher:

“Is your mom still at Grady?”

Elizabeth’s Periscope username wasn’t linked to her Facebook or anything else, and location sharing was turned off. How could this person know where her Mom worked, and that she was at work tonight?! Feeling panicked, Elizabeth instantly ended her broadcast.

A few minutes later she received a notification. The silent watcher was broadcasting for the first time ever. Elizabeth clicked to watch and saw a shaky video feed of the outside of her house! With growing horror she saw the camera view shift downward and become not just creepy but indecent.

PREPARE

We’re not ready for the intrusive reality of social media. Few of us carefully monitor the information we unwittingly reveal on social media, let alone know precisely what our kids are doing on their smart phones, tablets, or Macbooks. How many of the above list of apps (and there are so many more I could have listed) is your child using? Do you have their username and password for each account? To their phone or tablet? Do you have an account on every social media platform they use, so you can monitor whether they’re safe?

If not, here’s where to start. Maintain a conversational relationship with your child, use your social media accounts as an example and discuss why you never mention that you’re “heading to McCall,” or that you can’t wait to attend the Owl City concert, etc. Discuss the difference between people we actually know, and people we only know through their online presentation of themselves.

10 Ideas to Help Keep You and Your Loved Ones Safe Online

  1. Stop thinking you have nothing worth a cyber-criminal’s interest.
  2. Stop your bad password habits.
  3. Use multi-factor authentication for all accounts.
  4. Put at least six-character pins on smart phones and tablets.
  5. Make sure you as a parent have the codes to your children’s device and their accounts.
  6. Educate yourself, your parents, and your kids on common scams.
  7. Review every app or platform’s privacy settings, and discuss the danger of connections from third-party apps (reference the recent Facebook and Google hacks, directly related to third-party authentication).
  8. Conduct intra-family tabletop exercises or “war games,” and attempt to theoretically compromise (hacking or physical breaches) each other on the basis of information revealed in each person’s online presence.
  9. Conduct True or False exposés where each member of the family gets to reveal whether a popular meme or “news” story is misleading or reliable.
  10. Limit children’s online “friends” to 200. Research focused particularly on middle school kids indicates that cyber bullying and other negative encounters rise sharply after the accumulation of 200 “friends.” Consider limiting your child’s online friends to those they have touched, or would consider touching, on the shoulder – this will likely be fewer than 200 people.

The Cyber Chronicles | Episode 3 – Nothing is Free

Information in the Digital Age.

I’m sure you’ve heard the truism as often as I:

“Nothing is free…”

I wonder if you’ve heard the follow-up? Nothing is free; you will pay with either time, money or information. Increasingly in our digital age, information is the most valuable one of those commodities.

AWARE

Recall the ubiquitous crime board that appears in every television detective drama. Whether or not actual detectives use these, this idea accurately captures the essence of what hackers are doing in their ongoing attempts to build a robust profile on you or your organization.

[Image: Untitled 1]

Why is information so valuable to a hacker? Because specificity conveys authenticity. Every bit of info increases the hacker’s chance of appearing to be an insider, and thus of securing your confidence.


CARE

We drip information like my daughter’s ’97 Volvo leaks oil. It’s not pretty! (the leaking oil, that is, she’s awesome)

[Image: Untitled 2]

Let me tell you a story that happened last week. Names have been obscured to protect the innocent.

A program manager I work with was giving a training on trauma to some firefighters who were joining remotely over Skype. This was a multi-day class, and the day before everything had gone swimmingly, but today a lone guy in a particular station was having trouble accessing the meeting. Ever the problem-solver, the program manager suggested she email him the PowerPoint, and he could follow along over the phone without video access. I love these “get ‘er done” kind of people!

Everything was hunky-dory till she was informed by Compliance that she had distributed the Protected Health Information (PHI) of more than 700 people. Freaked out by what she had never intended, and extraordinarily confident that there was no PHI in the PowerPoint, the program manager called Compliance to determine what on earth had happened.


As she related the story to me, right in the middle of asserting that there was no PHI in this PowerPoint, the Compliance employee on the other end of the line directed her to a particular slide, and within three clicks converted a summary graph containing no individual information to the entire data source from her original spreadsheet!

PREPARE

So, I’m telling this story at her request, as she wants everyone to know that if you need to put a graph in a PowerPoint or other Microsoft Office document, for Pete’s sake, please take a screenshot!

Whatever you do, don’t copy/paste, insert or embed your Excel chart into that PowerPoint. A pasted chart is a live object, not a picture: it carries the plotted values in its own data cache, and unless you picked a different paste option the entire source workbook travels inside the file, which is exactly what “Edit Data” opens. Paste Special → Picture (or a screenshot) sends only pixels, and before any Office file leaves your hands, run the Document Inspector (File → Info → Check for Issues), which flags embedded documents and other hidden content.
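As an added example (mine, not the program manager’s deck or anything from the post): a .pptx is just a zip of XML parts, so a deck can be checked for exactly this problem without opening PowerPoint. Pasted Excel charts live at ppt/charts/chartN.xml with the plotted values cached inline, and when the chart was embedded together with its workbook the whole spreadsheet sits under ppt/embeddings/, reachable from the chart’s `<c:externalData>` element through the chart’s .rels file. The deck below is constructed in memory with only those parts (the part names and XML namespaces are the real OOXML ones; the series values and file names are made up), so the scan runs offline; a real file is passed as a path.

```python
"""Scan an Office deck for charts that still carry their source data.

Added example, not code from the original post. Builds a minimal,
constructed .pptx-shaped zip and scans it; scan_deck() also accepts a path.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_C = "http://schemas.openxmlformats.org/drawingml/2006/chart"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed chart part: one series with cached categories and values, plus
# the externalData pointer that "Edit Data" follows to the embedded workbook.
CHART_WITH_WORKBOOK = f"""<?xml version="1.0" encoding="UTF-8"?>
<c:chartSpace xmlns:c="{NS_C}" xmlns:r="{NS_R}">
  <c:chart><c:plotArea><c:barChart><c:ser>
    <c:cat><c:strRef><c:strCache>
      <c:pt idx="0"><c:v>Q1</c:v></c:pt><c:pt idx="1"><c:v>Q2</c:v></c:pt>
    </c:strCache></c:strRef></c:cat>
    <c:val><c:numRef><c:numCache>
      <c:pt idx="0"><c:v>312</c:v></c:pt><c:pt idx="1"><c:v>401</c:v></c:pt>
    </c:numCache></c:numRef></c:val>
  </c:ser></c:barChart></c:plotArea></c:chart>
  <c:externalData r:id="rId1"><c:autoUpdate val="0"/></c:externalData>
</c:chartSpace>
"""

CHART_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Type="{NS_R}/package"
                Target="../embeddings/Microsoft_Excel_Worksheet.xlsx"/>
</Relationships>
"""

def build_sample_deck(with_chart=True):
    """Constructed deck: only the parts the scanner looks at. With
    with_chart=False it holds just a picture, the safe way to ship a graph."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        if with_chart:
            z.writestr("ppt/charts/chart1.xml", CHART_WITH_WORKBOOK)
            z.writestr("ppt/charts/_rels/chart1.xml.rels", CHART_RELS)
            # Stand-in bytes for the embedded workbook (a real one is itself a zip).
            z.writestr("ppt/embeddings/Microsoft_Excel_Worksheet.xlsx", b"PK\x03\x04 workbook bytes")
        else:
            z.writestr("ppt/media/image1.png", b"\x89PNG picture bytes")
    return buf.getvalue()

def scan_deck(src):
    """`src` is a path or the file's bytes. Lists embedded workbooks and, for
    every chart part, how many cached data points it holds and which
    workbook (if any) its externalData relationship points at."""
    z = zipfile.ZipFile(io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src)
    names = set(z.namelist())
    report = {
        "embedded_workbooks": sorted(n for n in names if re.match(r"(ppt|word)/embeddings/", n)),
        "charts": [],
    }
    for n in sorted(names):
        if not re.match(r"(ppt|word)/charts/chart\d+\.xml$", n):
            continue
        root = ET.fromstring(z.read(n))
        cached = sum(1 for _ in root.iter(f"{{{NS_C}}}pt"))  # strCache + numCache points
        workbook = None
        ext = root.find(f"{{{NS_C}}}externalData")
        if ext is not None:
            rid = ext.get(f"{{{NS_R}}}id")
            folder, part = n.rsplit("/", 1)
            rels_name = f"{folder}/_rels/{part}.rels"
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{NS_PKG}}}Relationship"):
                    if rel.get("Id") == rid:
                        workbook = rel.get("Target")
        report["charts"].append({"part": n, "cached_points": cached, "workbook": workbook})
    return report

def leaks_source_data(report):
    """True if anything beyond the pixels of a graph would leave with the file."""
    return bool(report["embedded_workbooks"]) or any(
        c["workbook"] or c["cached_points"] for c in report["charts"])

if __name__ == "__main__":
    for flag in (True, False):
        r = scan_deck(build_sample_deck(with_chart=flag))
        print("chart" if flag else "picture", "->", "LEAKS" if leaks_source_data(r) else "clean", r)
```

The same scan applies to .docx (parts under word/) because the regexes accept both prefixes. Note that even a chart whose workbook was not embedded still reports cached points: those are the plotted series, which is why a picture, not a reduced chart, is the safe form.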

I hope you will start thinking differently about information. It’s a valuable commodity we reveal constantly with precious little thought to how we are endangering ourselves or others.

The Cyber Chronicles | Episode 2 – Credible Credentials

It’s time to confess your cyber sins. It’s OK. I’m a professional.

Have you ever used the same password more than once?

Don’t be ashamed. We’ve all done it. Repeat after me:

“Hello, my name is __________ and I am a password re-user.”

“We love you __________.”

Was it Confucius (or was that Sun Tzu?) who said, “Know thy enemy.”  Corrie Ten Boom was a bit more descriptive, “The first step on the way to victory is to recognize the enemy.”

In the case of passwords, we need to be more specific:

“We have met the enemy and he is us.” – Walt Kelly

Perhaps your employer, like many responsible organizations, has quite a few requirements for the creation and management of our passwords — rightfully so! As I’ll describe below, our passwords are remarkably vulnerable, due, of course, to human nature. (We have met the enemy …)

AWARE

An acquaintance of mine was called in to gain access to a major manufacturing company in a “pen test.” So … he first went out to LinkedIn and gathered the profiles of 100 employees from Company B. He then proceeded to do a bit of research with Professor Google, and discovered the email domain and username format for Company B, along with how to access the company’s email online.

(Try this yourself: Open a new browser window, and search for “marriott email access”; what’s the first result?)

Now Company B had a policy that everyone’s password had to be changed every 90 days, or 4 times per year. This was a responsible company trying to do a good job, so, of course, they also locked people out after five incorrect password guesses. So guess what my friend did?

Knowing human nature, he turned to the first of his LinkedIn-collected employees and via the company’s browser-based access to Outlook he typed in jsmith@companyb.com with a password of “Autumn2018.” No luck. So he proceeded to the next employee and entered jdoe@companyb.com with a password of “Autumn2018.”

(See how that works. You have to change your password four times a year: Winter2018, Summer2018, etc. — easy to remember, 10 characters, a capital letter, a number, etc. “We have met the enemy …”) 

After trying 100 employee emails with the password “Autumn2018,” he had accessed the email of four Company B employees!

The next step was to begin doing strategic searches through the employees’ email. Before long he found a conversation revealing the existence of a legacy VPN site that didn’t require Multi-factor Authentication. In two shakes of a lamb’s tail he had inside access to Company B’s network. The rest of the story gets worse from there, but we’re focused on passwords here.

PREPARE

What can you do? Fortunately, the skills you develop in responsible password management will serve you just as well at home as they do at work.

Your employer probably requires several things to be true of a password:

  • They cannot contain more than four consecutive letters of any dictionary word.
  • A password must include at least three out of four of the following characters: uppercase alpha, lowercase alpha, numeric and special characters.
  • Passwords must be a minimum of eight characters.
  • Passwords cannot be the same as the previous 24 passwords used for that account.

Need help creating good, satisfactory passwords? This article by lifehacker is very good. You will note that you basically need a Password Manager. I’m partial to Bitwarden, but there are also many other good ones.
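To show how the rules above interact with the story, here is an added example (mine, not the post’s and not Lifehacker’s) that checks a candidate password against those four rules plus one more: a season or month followed by a year. The word list is a constructed stand-in for a real dictionary, the rule names are my own, and the previous-password history is compared in plaintext purely for illustration (a real system compares salted hashes).

```python
"""Password-policy check: the four rules listed above, plus a season/year rule.

Added example, not code from the original post. DICTIONARY is a constructed
stand-in; use a real word list in practice.
"""
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
DICTIONARY = set(SEASONS + MONTHS + ("password", "welcome", "company", "letmein"))

# Season or month, optional separator, a 19xx/20xx year, optional trailing symbols.
SEASON_YEAR = re.compile(
    r"^(" + "|".join(SEASONS + MONTHS) + r")[\W_]*(19|20)\d{2}[\W_]*$", re.IGNORECASE)

def has_dictionary_run(pw, max_run=4):
    """Rule 1: reject any run of more than `max_run` consecutive letters
    taken from a dictionary word, case-insensitively."""
    low = pw.lower()
    for word in DICTIONARY:
        for i in range(len(word) - max_run):
            if word[i:i + max_run + 1] in low:
                return True
    return False

def class_count(pw):
    """Rule 2 helper: how many of upper / lower / digit / special are present."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def check_password(pw, history=()):
    """Return the names of the rules `pw` fails; an empty list means accepted.
    `history` is the account's previous passwords, oldest first."""
    failures = []
    if len(pw) < 8:
        failures.append("min_length_8")
    if class_count(pw) < 3:
        failures.append("three_of_four_classes")
    if has_dictionary_run(pw):
        failures.append("dictionary_run")
    if pw in tuple(history)[-24:]:
        failures.append("reuse_of_last_24")
    if SEASON_YEAR.match(pw):          # the rule the Company B story argues for
        failures.append("season_year_pattern")
    return failures

if __name__ == "__main__":
    for candidate in ("Autumn2018", "Fall2018!", "Tq7#rV9!kLm2"):
        print(f"{candidate!r:16} -> {check_password(candidate) or 'accepted'}")
```

Two things fall out of running it. “Autumn2018” is caught by rule 1 only because “autumn” is in the dictionary and six letters long; “Fall2018!” satisfies all four listed rules (ten characters of “fall” plus a year can never produce a five-letter dictionary run) and is stopped only by the added pattern rule. Rules of this kind are a floor; a password manager generating random strings is what actually makes the spray fail.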

The Cyber Chronicles | Episode 1 – SIM Jacking

The Skeleton Key to Your Life.

October is National Cyber Security Awareness Month, observed every year since 2004. In honor of #NCSAM, I will be publishing 10 episodes in the first season of “The Cyber Chronicles.” I hope you enjoy and benefit.

Your phone is Grand Central Station for confirming your identity. You can show the DMV your Confirmation of Insurance on the screen of your mobile. You confirm attempted logins to corporate resources via Microsoft or Google Authenticator on your phone. You receive Verification Codes for logins galore … on your phone. Needless to say, if your phone landed in the hands of someone unscrupulous, it could be a disaster.

AWARE

What if your phone was in your hand, but no longer viewed by the rest of the world as being yours? This nightmare is not imaginary. In fact, a Salt Lake City couple told the story of their recent experience to a journalist working for VICE.

According to that reporter, Rachel and Adam Ostlund were minding their own business one evening last September when Rachel received a strange text (see the image below) and suddenly lost all connectivity to the cell network.

[Image: Untitled 1]

Puzzled, Rachel logged into her email via computer and noticed that many of her passwords were being changed. Long minutes later, Adam answered his phone only to realize he was talking to one of the hackers behind the hijacking of Rachel’s phone number.

The Ostlunds had fallen victim to an increasingly common scam called SIM Jacking or SIM Swapping. Cell phone providers call it a “port out scam.” Unfortunately, Rachel was the owner of a highly sought after, short and sweet Instagram handle, which hackers can sell for thousands of dollars.

None of the security measures Rachel had taken to secure the several accounts that were compromised made any difference once the hackers seized control of her phone number.

CARE

Your phone has become the skeleton key to your life; the confirmation of your identity for dozens of accounts.

If you forgot the password to your personal email how would Google, Microsoft, or Yahoo contact you? Whether via call, text, or email, it would almost certainly be via your phone. What if you forgot the password to your bank account?

While it is good that an increasing number of organizations are moving to implement multi-factor authentication, the problem with using our phones as the central hub of confirmation is that they are remarkably vulnerable to compromise by external parties.

In June of this year the largest consumer marketing database in the world was exposed online, containing records on 230 million consumers. To put that into perspective, there are 240 million adults in the United States.

While the database did not contain social security or credit card numbers, it did have highly detailed information with entries on more than 400 variables, including address, phone number, religion, smoking status, number, age and sex of children, preference for plus-sized clothing, cat or dog-owner, etc.

If that kind of information is available online, how difficult would it be for someone to impersonate you to a customer service rep over the phone?

The technique behind SIM Jacking is incredibly simple. The scammer calls your carrier’s customer service pretending to be you and asks to move your number to a SIM card they control (a swap on the same carrier) or to port it out to another carrier. Only a trivial social engineering effort, fed by exactly the kind of data described above, is required to “confirm” their identity as you; your phone suddenly drops off the cell network, and every call and text meant for you, verification codes included, goes to them.

The Mobile providers are aware of this trend, but reluctant to provide statistics on its frequency, though at least one provider has informed its customers of an “industry-wide” threat.

According to the VICE reporter, Rachel and Adam called the police, who seemed puzzled and said there was nothing they could do. The Ostlunds did manage to get Rachel’s number back by calling T-Mobile, and were able to reset and regain control of all her accounts except for Instagram.

PREPARE

Preventing SIM swapping is relatively simple and absolutely necessary. Call your cell phone provider and set an account PIN or password (often called a port-out PIN) that must be provided before any change is made to your account or number. Then never use that PIN or password anywhere else for anything else. And wherever a service lets you choose, move your second factor off text messages and onto an authenticator app of the kind mentioned above: a PIN at the carrier only protects the number, and a code sent by SMS is only as safe as the number it is sent to.

For more information check out the following links:

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/ [digitaltrends.com] (with instructions for safeguarding yourself)

https://www.wired.com/story/sim-swap-attack-defend-phone/ [wired.com] (another, more recent article on protecting yourself)

Note: The story of Adam and Rachel Ostlund was originally told in an article for VICE and contains NSFW language, used by the hackers.