Tuesday, February 24, 2015

It Wasn't Englebart's Fault! (part 1)

   Douglas Englebart was an engineer, inventor and pioneer of the early internet.  He died in 2013.  He was known for a number of key ideas and inventions.  In 1967, he invented a very useful computer device that is a key component in propagating malware and facilitating phishing attacks... the Mouse!

   Of course, Englebart didn't invent email, email attachments, phishing emails or malicious links.

   The media is always buzzing with information about the latest breach or computer break-in.  We hear about advanced attacks, nation-states and possibility of cyber-war.  Many of these major attacks start with a simple click (or many clicks).

   Two of the main ways that malware is distributed or information is stolen is via:

  • malicious attachments sent in an email, and;
  • phishing emails with malicious links.
   For either of these methods to work, the recipient of the email needs to click... with a mouse! (well, you could also use a track-pad or track-ball).  The attachment needs to be opened.  If it's a zip file, it needs to be unzip'd.  If it's a link, clicking the link might either download malware or lead to a form asking for personal information.  Any of these actions could cause major problems.

   Let's discuss two issues:
  • what do these viruses do?
  • why can't my organization stop these? (or why can't I stop them at home?)
   This is, unfortunately, pretty complex and we'll probably handle these in two separate posts.

Why Viruses?

   As I've discussed in the past, this is really an economics issue.  There's illicit money to be made and there are smart people out there coming up with new ways to attack and take over systems.

   A typical computer virus does 1 of 3 things (I'm using the term virus generically - a virus is actually just one of a number of different types of malware (malicious software)).  It can even do more than one of these:
  1. connect "home" and download more viruses;
        This is an optional step.  The real goals are items #2 and #3.
  2. take over a computer so it can be remotely controlled, or;
        An attacker can take over a bunch of computers and use them to attack other computers or sell that capability to others. The computers taken over are called robots or bots.  They can be used to spread spam and more malware; to send a lot of traffic at target computers so they won't work properly or at all (this is called Denial of Service or DoS), or; might use other attack methods.
  3. steal information (the techy word for this is exfiltration).
        The stolen personal or corporate information can be sold or used to steal money from existing or newly created accounts.
  4. (bonus item) threaten to do the above (blackmail).
        An attacker might threaten to crash computers if not paid.  One kind of malware called "ransomware" encrypts your files so that only the attacker can decrypt them and charges you a fee to get your access back.
What can we do?

   This is a complex issue and we'll talk about protection methods next time.  For now, the best advice is to take measures we've often discussed here:
  • use anti-malware software
  • use care when opening attachments
  • use care when clicking on links
  • know who sent you that email, message, tweet, social network message, etc.
   I discussed these and other steps you can take in a post last year.

Tuesday, February 10, 2015

ID Fraud, Taxes and Doctors, Oh My!

   I did a series of posts last year on the problem of ID Fraud.  This is an ongoing issue, certainly because organizations struggle to protect information, there are cyber attackers out there, and also individuals don't often take steps to protect their own information.

   The bottom line is that your personal information, primarily your financial information, has tangible dollar value to a cyber attacker.

   We usually think about credit card fraud or maybe bank account fraud as the results of these kinds of data breaches.  But in this post and the next I'd like to talk about two other scenarios that have happened, are happening... and you need to be aware.

   It's that wonderful time of year again in the US.  Crisp weather, snow (most places), the days are starting to get a bit longer... and it's the beginning of tax filing season.

   Imagine you are doing your civic duty, filling out and filing your tax return.  You send it in to the IRS, only to find out that "you" already filed your return and "you' have already received your rather sizable refund - surprise!

   Unfortunately, this has happened.  And, as we've discussed in the past, these attackers are smart.  This is a business.  They need to be able to maximize profits because there is a limited timeframe in which to commit the crime.  So they need to attack a sub-population who:
  1. makes good money;
  2. might have many deductions;
  3. might have complex returns, and;
  4. for whom a large refund might not raise red flags.
   How about... Doctors!

   And, just as I finishing writing this article, we have new news out about tax fraud this year!  Reports say this is connected with Turbo Tax software, but it is more likely that scammers got people's info through other means and filed the fraudulent returns.  Maybe Turbo Tax is just the scammers software of choice! :-)

   As always, we want to talk about what you can do.

   In addition to the steps outlined in these previous blog posts, here is the IRS Guide on Identity Theft.  The IRS guide and my previous tips talk about not only what you should do if you are a victim, but tips to avoid the problem in the first place including:
  • protecting your personal information, primarily your social security number
  • don't click on links sent to you via email or in social media - type the link in yourself or do a search
  • use link rating applications like Web Of Trust (WOT)
  • don't give our your personal information via web, email, phone unless you can positively identify the person on the other end
  • review your bills, credit record and other information that might provide early warning of a problem.
   Have you been the victim of tax-related ID Fraud?  Do you have any additional tips to share?

   Of course, this issue is not just about doctors!  Next time we'll talk about something perhaps even closer to your wallet... payroll fraud and misuse.