So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI Cyber.  It didn’t hurt that the lead FBI agent, Patricia Arquette, had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, who made no bones about that in their advertisements of the show once she had won it.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs,” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . wireless baby cam hacked – from Computerworld

It didn’t happen just once, an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken control of by wireless intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, it has firmware.  And that firmware needs to be updated, because just like any other firmware, security patches are included in it.  So if you have a Foscam baby-cam, you need to make sure that its firmware is current.

But that’s not all. Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam can be password-protected, too.  And it needs to be.  And it needs to be with some password that’s more secure, again, than just a default, or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, older than one year ago, you need to change that password (or perhaps, enable one if it doesn’t even have one), NOW.

Beware of Fake Microsoft Support Techs

According to an article in today’s Computerworld, there’s been a rash of bogus Microsoft Support Techs trying to sell pirated Malwarebytes software to the unsuspecting. What’s made it worse is that while most computer users have long expected that a bogus support tech would have an Indian accent, as most of these companies are in India, recent fake callers have “American” accents, making it seem like they do work for Microsoft.

From the article:

In a new trend, scams have gone home-grown, said Malwarebytes on Monday, with twists that include bogus warnings driven by malicious websites that urge users to call a toll-free number.

“This is the first instance [of a Windows support scam in the U.S.] on this scale that I’ve found,” said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. “Most scammers are in India, but we wanted to expose this because they’re harming U.S. customers, who will feel more comfortable with a [native] English speaker.”

I recently was called, not once, but twice, from a person with a 206 area code, which is Seattle.  This, of course, would make one think that the call was indeed coming from Microsoft Tech support.  However, both times this caller had an Indian accent.  I flat out told him he was a scammer, and then hung up.  The Computerworld article detailed several different ways that the scammers scare their prey into purchasing their “goods”.  One is the good old “ransomware” technique, using scary graphics. 

Rather than cold-call victims — most India-based scammers blindly dial telephone numbers, figuring that most people who answer will have a Windows PC — E-Racer relied on fake alerts. The warnings, which were embedded in fraudulent websites, those sites often tied to URLs that might appear in search results for Windows errors, scream “Warning! Your computer may be at risk. For emergency Tech Support call immediately.” A toll-free number is prominently displayed.

As I’ve told my students (and WSAV, when I was interviewed by them), the best way to get out of this situation is to “X-out” of the window, as the scammer cannot control Microsoft’s window controls.  Then turn off your computer.

The other way that they get the gullible computer user into becoming a victim is to direct the user to look at a Windows log on their computer that contains harmless entries.  To a user who isn’t tech-savvy, these could look serious, but they’re not.

As expected, the article states that the fraudsters are often targeting the elderly, because they’re just not as tech-savvy as younger users (or users younger than, say, 50), and recent FBI IC3 stats for 2013 bear this out. 

Users have to understand that their Microsoft Event Viewer is not tied to MS without their permission, and the default setting is off.  But even more important, users have to remember that if they have not requested such a service, if they’re not expecting such a call, then how would the caller know that there is something wrong with their computer?

So if you get a phone call like the one described in the article, before you just hang up, tell the caller that you’re going to report their number to the Federal Trade Commission.  If you get a window with the message, don’t click in it, just “X-out” and perhaps restart your computer.  Don’t fall victim to this kind of scam!

Here’s the article from Computerworld

Windows 8: a failure, or just an annoyance?

Preston Gralla, writing in today’s Computerworld, detailed how it’s possible that MS has admitted that Windows 8 is its worst OS ever.  He described how it appears that Microsoft is going to ditch the tile interface of Windows 8 (and Win 8.1) for the next generation of Windows, due in 2015, which will adapt itself to whatever kind of machine you are using, a tablet-like interface for tablets, and a desktop-like interface for traditional PCs (what I predominantly use in my Win 8.1 Toshiba laptop).  In the new Windows OS, code-named Threshold, users won’t have to see the Start screen (the tile interface) unless they want to.

He then goes on to compare Win 8 to some real dogs, such as Win ME and Win Vista, both of which I’ve had the pleasure (not) to use.  While Win 8 is annoying, especially in the way it handles photos in my photo library (displaying them as it sees fit), it’s more of just something I work around than something that’s bothersome.  It does work, although since it’s really designed for a touch screen, it’s somewhat clunky.  I just generally avoid using the Start screen and its tiles.  I don’t use the force-fed search (Bing), the force-fed travel, or e-mail (I don’t have an Outlook account, and don’t want one), the force-fed weather, sports, news, and any of the other force-fed apps that MS has placed there.  I just go right to the familiar desktop, and use that, just as I always have.

Win ME and Vista were terrible.  ME didn’t work, I constantly received the “blue screen of death,” and back in November 2002, went through an entire weekend trying to recover from a memory dump (it’s a good thing I can read hex!).  But I still was on the phone with MS and with Gateway (it was really a Gateway issue – no wonder they went defunct) for probably a combined 4 to 6 hours, not including the re-install of the OS, that weekend.  Vista had even more problems – it constantly crapped out, and I eventually replaced it with Win 7.

But here’s the real problem with Win 8:

The consequences of Windows 8’s problems will haunt Microsoft for far longer than Vista did. Windows 7 largely fixed what was wrong with Vista, and as a result Microsoft suffered no serious long-term losses because of it. Not so with Windows 8. Windows 8 came out at a time when Microsoft needed to make a splash with tablets. But because its tablets were forced to run an operating system built for both tablets and traditional computers, Windows 8 has never been a great tablet operating system. As a result, Microsoft fell behind even further in mobile.

So as a company, going-forward, MS has some real issues on its hands, issues it’ll be tough to overcome.  As a user, I’ll just keep going straight to the desktop, and except for managing my photos, just keep using the desktop interface as I am on my Win 7 box at work right now.

What’s your personality, according to Facebook

On the day when NBCNews’ Matt Lauer announced the debut of his Facebook page, 10 years into the existence of the site, it’s interesting that his own NBC News site had an article on software that determines your personality by your posts.

Since Facebook has become virtually ubiquitous among us, I guess it was only a matter of time that this would occur.  Of course, someone like Matt Lauer, who only joined Facebook in the last day or so, must not have any personality, LOL!  I ran the program against my own posts, and I feel that the personality traits it assigned to me are fairly accurate.  I can’t say that I post a lot to FB. I click on a lot of “Likes” to other people’s posts, and maybe I make three to four posts per week, whereas many people I know make three to four posts per hour.  So it was interesting to me that the software could take the relatively few (in relation to others) posts I do make and come up with a fairly accurate personality assessment.

Of course, since I teach Information Security, I was somewhat hesitant to try such a thing – what if their software was gathering confidential information about me?  But I figured that since it was on NBC’s site, it must have been vetted by them first, so it had to be OK.  And since I’m creating a module on social media for inclusion in CSCI 1150 this summer, it would be just one more thing to comment on in that curriculum.

So after all of that, even though I do think the analysis was fairly accurate, it really was just an amusing little exercise.  But it sure shows how integrated FB and other social media (Twitter, etc.) have become in our lives.

TrueCrypt shutdown and its implications

It was announced today in SearchSecurity.com that encryption tool TrueCrypt had shut down.  Because it is open source software, the implication is far-reaching for multiple reasons:

  • While TrueCrypt developers won’t confirm or deny that their open source software had been hacked, TrueCrypt’s demise means that more users who want to employ open source software as a less-expensive means of providing encryption/security solutions may have to look to more expensive proprietary software.  This will make any user skeptical of using any open source software in the future.
  • The article hints that one of the issues with TrueCrypt, over time, has been that the authors of the software have remained anonymous.  This is indeed a concern – the user community is entitled to know who is writing the software in order to verify its authenticity and reliability.  If the authors won’t identify themselves, how reliable can their work be?
  • TrueCrypt purported itself to be secure, so much so that its use is promoted in Information Security textbooks, and as a professor who teaches IT and IS, I have taught it to my students.  Now I will have to switch over, almost certainly to the proprietary BitLocker, installed on Microsoft operating systems.  The instructions on how to migrate to BitLocker are here, on, of all places, TrueCrypt’s own site (what’s left of it).
  • Some hardware devices actually use TrueCrypt to provide encryption services.  I own a LaCie USB key that contains an encrypted drive; it’s encrypted by TrueCrypt.  I’ll keep using it, but now I’m suspicious.  In the meantime, manufacturers such as LaCie that use it are going to have to migrate to another encryption tool.
  • While I don’t use TrueCrypt to encrypt an entire system drive on my home PC, I do use it to encrypt a file container of secure personal documents and files, and so I’ll have to migrate those files to BitLocker, which probably won’t be that difficult.  TrueCrypt’s instructions seem easy to follow.

The biggest blow from TC’s announcement is to the open source community, TC’s community of users, and instructors like myself.  It will be interesting to see how textbooks and instructional material are updated in the future.

Your password is yours – don’t share it

When it comes to password security, one of  the things I teach my students is not to share it.  Often I think that they believe that’s a principle that they don’t have to follow.  I mean, what could be the harm in sharing your work password with a co-worker, especially if your PC has some important file that your co-worker needs access to?  (well then, just e-mail it!)  Or if you’re going to be going out of town for work or vacation?

Well, about a month ago, it was revealed that one NSA staffer found out about not following this principle the hard way.  Apparently this person gave Edward Snowden his password, and Snowden used it to access sensitive files.  At the time, it probably seemed harmless.  But it was in direct violation of NSA standards.  The person has since resigned from the NSA.  The files that Snowden was able to access were quite sensitive, and may have caused our government incalculable damage.  In terms of the saga of Snowden, his exposure of US secrets, and his escape to asylum and limbo in Russia, this is probably old news.

However, this small story in the larger one of Snowden illustrates the fact that no matter how advanced, or complex, or powerful our technology is in the defense of our information and cyberspace, there is absolutely no doubt that people are our weakest link.  If people don’t follow policies and the procedures that implement those policies, an organization can lose its data, its reputation, and its trust with consumers and with the people that count on that organization to protect them.

Danger lurks in the “Internet of Things”

In How the Internet of Things Opens Your Home to Cyberthreats, the article begins by stating that “Frankenmeat” isn’t the only thing you have to worry about in your refrigerator.  And in our ever-connected world, what sounds like science fiction may (or, perhaps has) become science fact.  Maybe you want your refrigerator to send a message to your Android phone that you’ve run out of milk, but there’s a danger in that.  And that is that the same refrigerator that allows you to key in a list of items to purchase at the grocery, and sends it to your smartphone, must have an IP address to do it.  And any device that has an IP address and is not secured can be susceptible to malware.  I’m not sure what a hacker would do with your refrigerator itself, but just think if you posted what you thought were seemingly confidential notes on your refrigerator’s “notepad.”  A hacker could gain access to that list.

The concept of the Internet of Things (IoT) is growing.  More and more seemingly unconnected machines are becoming connected.  You just have to have a new car that allows you to connect to Facebook (forget the safe driving, driving while distracted issues for a minute), or Pandora.  How do you think that car’s console is going to make that connection?  Your car has an IP address.  What if a hacker gets into your onboard computer, and just shuts down your car while you’re driving?  OK, so that’s somewhat unlikely.  But you had to sign into Facebook, even in your car, with your userid/password combination.  And now what happens if a hacker, and especially a criminal hacker, can access that information?  All of a sudden, information that you thought was secure has now been compromised.

So before you start connecting all of your “things” to the Internet, you had better think about how you’re going to secure them.  Or . . . alternately, don’t connect them in the first place.

Interesting results on which e-commerce sites protect you

This CBSNews.com article reveals which e-commerce sites protect your password, in other words, which ones protect you from such issues as: allowing the use of weak passwords such as “123456” or “password”; letting the same incorrect userid/password combination be entered multiple times; not enforcing the usage of strong passwords; or sending you updated passwords in plain text in e-mails.

The thing we ALL have to remember is that ultimately, WE are responsible for OUR own security.  No one is going to do it for us.  No e-commerce site is going to do it for us.  WE have to create our own secure passwords.  WE have to keep track of them.  I’ve already recommended on this blog the need to use a password manager like Lastpass.com or Keepass.  They are readily available tools that allow us to keep track of all of the many passwords we have to use.  Another valuable tool you can use to see if your password is secure enough is www.passwordmeter.com, which actually scores your passwords based on an algorithm that records the number of upper case and lower case letters, special characters, and digits that are in your password.  I recommend that everyone use this tool as well.  You’ll find the results quite interesting, and then you’ll probably end up changing your password(s) based on your findings.
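Here is what two of the site-side protections listed above look like in practice: rejecting weak passwords at sign-up and locking an account after repeated wrong logins. This is an added example, not code from the CBS article or from passwordmeter.com; the blocklist, the minimum length, and the lockout thresholds are assumptions chosen for illustration.

```python
import string

# The two weak passwords named on this page; a real blocklist is far longer.
BLOCKLIST = {"123456", "password"}


def password_problems(pw, min_len=10):
    """Return the reasons a sign-up form should reject pw (empty list = accept)."""
    problems = []
    if pw.lower() in BLOCKLIST:
        problems.append("common password")
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    # The same four character classes the page says passwordmeter.com counts.
    classes = {
        "upper case": any(c.isupper() for c in pw),
        "lower case": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append("no " + name)
    return problems


class LoginThrottle:
    """Lock an account after max_failures consecutive bad logins."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # userid -> consecutive failure count
        self._locked_until = {}  # userid -> time at which the lock expires

    def attempt(self, userid, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time now."""
        if now < self._locked_until.get(userid, 0):
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(userid, None)
            return "ok"
        count = self._failures.get(userid, 0) + 1
        self._failures[userid] = count
        if count >= self.max_failures:
            self._locked_until[userid] = now + self.lockout_seconds
            self._failures.pop(userid, None)
        return "denied"


if __name__ == "__main__":
    print(password_problems("123456"))
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for t in range(4):
        print(t, throttle.attempt("alice", False, now=t))
```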

Another phone scam – watch out!

Beware of the one-ring scam

As scams go, this one is very stealthy, clever, and dangerous.  How often do we see a phone number for a missed call pop up on our smartphone, and think of calling that person back?  Well, if that person isn’t in your phone book, you had better think again.  Just calling that phone number could send you to a foreign porn site, and end up costing you a LOT of money.  The article gives some very good advice from the Better Business Bureau (BBB):

The BBB said the scam calls usually come from outside the United States, including from numbers with area codes 268, 809, 876, 284 and 473.

Now, we all know that not all of the potential contacts we have (or need) are in our smartphone’s contact list.  Maybe you are waiting for a call from a potential employer, or a potential client, and you haven’t added them into your contacts list.  But, as the article points out, you could paste that phone number into the site whocalled.us.  I pasted both my smartphone’s number and my home number into that site.  While both results didn’t state who I am, they both came back with the correct registrant of my phones.

The best advice is the same advice I have for potential victims of spam, especially spam stating that your account (usually your bank account) has been compromised.  You have to ask yourself:

  • “Do I even have an account with this bank?”
  • If the answer to that question is yes, then you must ask “am I expecting such an e-mail?”  And . . . “would my bank even contact me this way?”

If you don’t know who the phone number is from, then just delete it from your phone log and your phone message box.  If the caller really is someone important that isn’t stored in your contacts list, the caller will get back with you.
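The screening advice above can be applied to a missed-call list mechanically. The following is an added example, not part of the BBB advice or the article; the phone numbers and contact list are constructed, and the country names attached to each area code are added here to show why these numbers look domestic.

```python
import re

# Area codes quoted from the BBB on this page. The country names are added
# here (not from the page): all five sit inside the +1 North American
# Numbering Plan, so they dial and display like ordinary US numbers.
ONE_RING_AREA_CODES = {
    "268": "Antigua and Barbuda",
    "284": "British Virgin Islands",
    "473": "Grenada",
    "809": "Dominican Republic",
    "876": "Jamaica",
}


def ten_digits(raw):
    """Strip punctuation and a leading NANP '1'; return the remaining digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def nanp_area_code(raw):
    """Return the 3-digit area code, or None if the number is not NANP-shaped."""
    if raw.strip().startswith("+") and not re.sub(r"\D", "", raw).startswith("1"):
        return None  # explicit country code other than +1
    digits = ten_digits(raw)
    return digits[:3] if len(digits) == 10 else None


def screen_missed_calls(missed, contacts):
    """Label each missed call: known contact, one-ring suspect, or unknown."""
    known = {ten_digits(c) for c in contacts}
    report = []
    for raw in missed:
        area = nanp_area_code(raw)
        if ten_digits(raw) in known:
            verdict = "known contact"
        elif area in ONE_RING_AREA_CODES:
            verdict = "do not call back (%s)" % ONE_RING_AREA_CODES[area]
        else:
            verdict = "unknown: look up before returning"
        report.append((raw, verdict))
    return report


# Constructed sample data; none of these are real subscribers' numbers.
CONTACTS = ["(912) 555-0101"]
MISSED = ["912-555-0101", "+1 (473) 555-0142", "1-876-555-0117",
          "(206) 555-0199", "+44 20 7946 0000"]

if __name__ == "__main__":
    for number, verdict in screen_missed_calls(MISSED, CONTACTS):
        print("%-20s %s" % (number, verdict))
```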

Facebook usage to drop 80% by 2017?

Facebook to lose 80% of its users?

While the Princeton study that this prediction is based on has not been peer-reviewed, it is an interesting prediction.  Recently we’ve seen high school students, college students, and those who have recently graduated from college (millennials?  ages 22 to 30) start abandoning FB for other social media sites, or at least complementing their use of FB with the other sites.  Why?

One valid reason is that their parents (me?) are using FB.  And even if their parents aren’t their friends, it’s just “not cool” to use the same media as people in their 50’s.  Another reason might be the importance prospective employers place on the use of FB to vet prospective employees.

While the future might hold a drop in the rate of new users to FB (what’s the ceiling to its membership, anyway?), as long as Zuckerberg and his team keep finding new social media outlets to purchase and integrate into FB in order to keep it relevant, and the advertising revenue continues to flow into Menlo Park, this is still an iffy projection at best. 

And besides, those of us who are over 40 and use it generally use it for a different purpose than our children – not necessarily as a means to make plans to get together (as our children use social media), but to keep in touch with distant relatives, friends (real friends, not FB “friends”) and people from our past who actually mean something to us.