Tuesday, August 22, 2017

Don't Blame The IRS

  In a post last month, I included a recording of an obviously fake voice message warning about payments and fines due to the IRS.  If you've read my blog in the past, you know I talk a lot about scams and give tips to avoid them.  We've often discussed that legitimate organizations should not simply contact you out of the blue and ask for personal information.

   That just makes sense.

   But telling the difference between a legitimate call and a scam call has gotten harder.

   A reader let me know that the IRS is now using collection agencies to collect back taxes!  That just makes it even tougher to tell the difference between a legit collection call and a scam!

Tuesday, August 8, 2017

You Gotta Be You

   I just received an update from the Social Security Administration.  Yes, it was real! :-)  It was a reminder to log in to the SSA website to check my information online.  That also made me think about advice I've written about in the past... it's critical that you connect and establish your presence on critical government websites before someone else can create an account in your name.

   Here's a rewind of a 2016 post with all the information...



   I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past, you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  ID fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.

   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

Tuesday, July 25, 2017

The Matter at the Hand

   Check this out!...



   Here's a transcript:

   Calling from Criminal Investigation Division of I-R-S.  The matter at the hand is extremely time sensitive and urgent, as after all that, we found that, there was a fraud and misconduct on your tax which you are hiding from the federal government. This need to be rectified immediately so do return the call as soon as you receive the message. The toll free number is 1-8-6-6-9-7-8-6-6-1-8. I repeat again, 1-8-6-6-9-7-8-6-6-1-8. Thank you.

   Needless to say, this is a scam.  You can look at all of these reports on phone number lookup sites.

   Now, you may think that this obviously sounds like a scam.  However, it unfortunately works.

   So what should you do if you or someone you know receives one of these calls?

  1. Don't respond.  Just leave it alone.
  2. Report it.  Here is the FTC info page on reporting scams, spam, Do Not Call or telemarketing violations, and other issues.  Here is the complaint reporting page.

   I did file a report with the FTC.  It doesn't take long and it's the right thing to do.

   While these calls can be either annoying or entertaining, the bottom line is that they work and some people do fall for these scams.  So educate yourself and others.

   Do you have any interesting robo-call or scam stories to share?

Tuesday, July 4, 2017

All Your Bitcoin Are Belong To Us

   If you're old enough... and geeky enough, you may remember this:


   All Your Base Are Belong To Us was one of the famous early internet memes.  You can take a break and read more about it here and here.

   Memes are fun!  But ransomware isn't.  We've talked about ransomware many times in the past.  It's a kind of virus or malware (malicious software).  It's been in the news quite a bit and the healthcare industry has had particular ransomware problems.  And the news will continue after May's "WannaCry" and June's Petya/GoldenEye global attacks.

   Basically, in a ransomware attack, the malware on an infected computer encrypts the data stored there.  Normally encryption is a good thing, but only when you can also decrypt your data.  In this attack, only the attacker holds the key needed to restore your access to the information, and will do so for a "small consulting fee".

   Payment is typically made using Bitcoin.  Bitcoin has also been in the news.  It is what is called a "crypto-currency".  It's basically an online way to pay for things, kind of like an online debit card where you already have the funds in your account.  The main reason Bitcoin is used for ransomware is that it is fairly anonymous, particularly when compared with traditional credit cards or banking.  It's not completely anonymous - it does protect identity during transactions, but eventually someone usually has to turn that bitcoin into traditional currency, and that is where the trail can be picked up.

   With all the ransomware attacks, some organizations are getting bitcoins so that they are ready in case they need to pay ransom!

Tuesday, June 20, 2017

Payday!

   I received this great news in email today.  For some reason gmail marked it as spam!  But it looks great to me! :-)

Tuesday, May 23, 2017

I'll Cry if I Wanna

   I try not to jump on bandwagons, but with so much coverage and so many effects of the whole worldwide WannaCry mess, I do have a few things to say.  I have a few different things to cover that you may not have seen elsewhere.

   There's been plenty of media coverage so I'll just give a high level overview of what happened.  Like many other nations, the US National Security Agency (NSA) studies computer flaws and develops ways to attack them.  The Shadow Brokers are a hacker group who started leaking some of these NSA-developed attacks in the second half of 2016.  The April 2017 edition of their leaks included the code that enabled the WannaCry attack.

   The attack that started on Thursday, May 11 consisted of two parts.  One would encrypt files so that the owner could not get access to them (commonly called "CryptoWare").  The other part could get remote access to any vulnerable computer.  This was a very powerful combination, and it was the first time we'd seen this kind of auto-spreading cryptoware.  Once infected, the victim sees a screen that directs them to pay a ransom in bitcoin - so the whole attack is considered "Ransomware".

   Now, Microsoft did release a patch in March to fix some of these problems, in particular the remote access part.  So no problem, right?  Desktops and laptops are usually easier to patch, and you should always have your home systems set to automatically update.  But servers need more testing to ensure that applications continue to work as expected, so they often lag behind.

   Patching was a critical part of the fix, but there was definitely more to it including things like new anti-virus signatures, whitelisting, intrusion prevention signatures and firewall rules.

Tuesday, May 9, 2017

Google Docs and the Mailinator

   You're minding your own business, just checking email, when you get an email from a "friend" inviting you to get a shared Google Doc file.

   You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment.  This one appears to come from someone you know.  The subject and body of the message seem consistent with a Google doc sharing message.

   Problem clue #1 - look at the "To:" line.  Clearly, this message wasn't sent to you.

   Problem clue #2 - were you expecting this email and file?  Has this sender sent you Google docs in the past?  Did this email arrive at work or home - and do you normally use Google docs there?
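   Problem clue #1 can be checked automatically.  The following is an added example (not from the original post) that parses a constructed sharing notice and flags it when your own address is missing from the To:/Cc: lines or when the only visible recipient is a throwaway mailbox; the message text and the list of disposable domains other than mailinator.com are assumptions.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample (not a real capture) mirroring the clue in the post:
# the real recipients were Bcc'd, and only a throwaway address is on To:.
SAMPLE_MESSAGE = """\
From: A Friend <friend@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: A Friend has shared a document on Google Docs with you
Content-Type: text/plain

A Friend has invited you to view the following document.
"""

# Disposable-mailbox domains that have no business on a personal share notice
# (mailinator.com is named in the post's title; the others are assumptions).
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


def visible_recipients(raw_message: str) -> list[str]:
    """Return the lower-cased addresses found in the To: and Cc: headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fields = [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def share_notice_clues(raw_message: str, my_address: str) -> list[str]:
    """Problem clue #1 from the post: was this message really sent to me?"""
    recipients = visible_recipients(raw_message)
    clues = []
    if my_address.lower() not in recipients:
        clues.append("my address is not on the To:/Cc: line (I was Bcc'd)")
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1]
        if domain in DISPOSABLE_DOMAINS:
            clues.append(f"visible recipient is a disposable mailbox: {addr}")
    return clues


if __name__ == "__main__":
    for clue in share_notice_clues(SAMPLE_MESSAGE, "me@example.org"):
        print("clue:", clue)
```

   An empty list means the To:/Cc: lines look normal; anything returned is a reason to pause before clicking.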

   But, you are rushed and don't have time to send your friend a message to see if this email is legit.  So you click.  If you're not already logged in to your Google account, you're asked to log in.  What you see next is...