Categories
infosec privacy productivity technology

Worth reading this week: Checklists, privacy and more oopses

Quote I’ve been pondering:

“Man is condemned to be free; because once thrown into the world, he is responsible for everything he does.” – Jean-Paul Sartre

Do you ever get to the grocery store and forget all of the items you came to get, or miss a step in something you’re doing, or do repetitive work and sometimes lose your place? The results are inconvenient, but not catastrophic. It’s a far different story when you’re test piloting a brand new state-of-the-art airplane or landing on the moon. The Simple Genius of Checklists, from B-17 to the Apollo Missions provides a brilliant articulation of the importance of checklists. If even surgeons (who are pretty smart) can use a checklist to help improve patient safety, why would anyone think them a waste of time?

Have you read the privacy policies behind your favourite websites like Facebook, Google and the like? Me neither. And you know what… we’d probably struggle to read them even if we tried. In We Read 150 Privacy Policies. They Were an Incomprehensible Disaster, Kevin Litman-Navarro from the New York Times provides some great visuals to help articulate the readability of the privacy policies from 150 major tech and media companies. Not surprisingly, the bulk of these privacy policies are a mess that only a PhD could understand. Welcome to a world in which everyone needs to CYA.

Oops for this week: Hacked forensic firm pays ransom after malware attack. As The Guardian and BBC report, “Britain’s largest private forensics provider [Eurofins] has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack.” Eurofins “carries out DNA testing, toxicology analysis, firearms testing and computer forensics for police forces across the UK.” It’s probably bad for business when a company that does work for the police gets hacked and held for ransom. On the other hand, if companies associated with law enforcement can get hacked, what chance do people like my mom have?

Enjoy the heatwave and have a great weekend!

Todd


Categories
infosec journalism privacy technology

Worth reading this week – Cyberstalking, Leaks, Pi, startups, Libra, Internet trends

Quote I’ve been pondering:

“A mind all logic is like a knife all blade. It makes the hand bleed that uses it.” – Rabindranath Tagore

And this one came into my inbox last minute and had to include it this week as well:

“I will have to remember ‘I am here today to cross the swamp, not to fight all the alligators.’”
— From The Art of Possibility by Rosamund and Benjamin Zander

He Cyberstalked Teen Girls for Years—Then They Fought Back – excellent reporting (as always) from Wired on the dangers of cyberstalking and the dangers that teens face in the never-ending attempts by creeps to extort over nude selfies. Kids shouldn’t have to feel this way:

“Any type of security thing can happen,” she said. “They can hack anything.” Her shoulders slouched, and she directed her voice to the table where we were sitting. “I just never envisioned that, and it’s just … We shouldn’t have to live in a world where we don’t know if people are real or not.” She folded her arms around herself and bit her lip to stop herself from crying.

Parents need to be better informed about this and they need to equip their kids to be safe online.

Oops: Personal data of 2.7 million people leaked from Desjardins (more coverage). A rogue employee took the data with him/her. This is difficult to prevent. As an infosec pro, I know firsthand just how difficult it is to find a balance between security and business productivity. In many cases, companies err on the side of convenience and ease of access to data. Unfortunately, we continue to see the results of not locking down data sufficiently. That said, there is lots that can be done.

Oops – part 2: TD Bank internal files found online in ‘keys-to-the-kingdom’ cloud data exposure (more from ZDNet). This one is simply shameful: “Attunity, a company that manages and safeguards data, left internal files exposed on the internet for clients including Ford and TD.” “Exposed data includes passwords and private keys for production systems, employee details, sales information.” “A company that manages and safeguards data”? Wow. It’s one thing for a non-security company to bungle access to their data, but it is quite another when a company that specializes in safeguarding data does it. I suspect Attunity sales / technical reps are fielding calls from their major clients today to discuss the status of their data and their contract renewals.

New Raspberry Pi 4: I love these tiny computers (buy now!). My only problem is that I don’t have much time to tinker anymore. Probably a good thing or I’d have a whole army of them around the house. Hacker News doesn’t disappoint with a crowdsourced list of plenty of interesting (or not) things to do with a Pi.


Wanna do a start up? I’ve tinkered with starting my own business for years, but find it difficult to make the leap when I have been fortunate enough to have an interesting career working for other people. That said, I’ll always be a dreamer. My latest trigger article: Startup idea checklist. Such a good sanity check on building a business. And, some motivational reading as well: How I bootstrapped my side project into a $20k/mo lifestyle business (and my new indie business motivation website)

Speaking of startups, I stumbled across this book online: Company of One: Why Staying Small Is the Next Big Thing for Business by Paul Jarvis. It looks similar to The Million-Dollar, One-Person Business: Make Great Money. Work the Way You Like. Have the Life You Want by Elaine Pofeldt, which I loved. Tons of great tips and motivation on building a sustainable, profitable one-person business. We are all experts at something and we’ve all got something to sell. I haven’t purchased Company of One yet, as my backlog of books to read is huge, but I suspect I’ll pick up a copy soon to motivate me while distracting me from actually doing the work of building my own side hustle.

I missed last week’s post, but had this queued to go out, so I’ll still keep this in this week’s post: The big news last week: Libra – a Facebook-led digital crypto-currency. Plenty of press on this one. The best quick summary I’ve read thus far is by the entertaining writers at The Hustle. Hard to say how well adoption will go – government oversight (boosted by financial industry lobbyists, no doubt) could yet hobble it. But, if they make it easy (embedded in existing systems like Facebook and the gang), secure and stable (the lack of a financial bubble a la bitcoin), then I suspect it’ll take off.

Key findings from the Internet Trends report (as reported in The Idea’s June 17 email):

Mary Meeker released her latest annual Internet Trends report at Recode’s Code Conference. Below are some of the findings most pertinent to the news media industry:

  • 15% of all retail sales are now through e-commerce. E-commerce is growing at 12.4%, and regular retail is growing at just 2%. (Ed note: look out for how publishers continue to capitalize on this growing industry through affiliate links.)
  • Digital ad spending grew 22% in 2018
  • Google and Facebook still dominate the digital ad market, but Amazon and Twitter are growing
  • 62% of all digital display ad buying is of programmatic ads, and that number is growing
  • Customer acquisition costs are increasing, sometimes exceeding customers’ lifetime values for digital subscription companies. Meeker suggests that free trials can be a cost effective way to alleviate that cost.
  • Time spent with digital media is still going up. Americans in 2018 spent 6.3 hours a day, 7% higher than the year before. More than 25% of U.S. adults are “almost constantly online.”

Note: the above stats were all taken from Atlantic Media’s The Idea June 17 email – I don’t want to claim any credit for the summary presented above! If you are interested in the media industry, I highly recommend subscribing to their mailing list.

I think that’s it for this week. For my Canuck readers, enjoy the long weekend!

Todd


Categories
infosec privacy technology

Worth reading this week – privacy, playtime and emotions

Quote I’ve been pondering this week:

“Care about what other people think and you will always be their prisoner.” – Lao Tzu

I’m a huge security and privacy proponent. Stumbled across this great visual example of ways we all expect privacy in our everyday lives – and it highlights why our digital privacy should be no different:

And it helps that it’s an Apple ad. I’m a huge Apple fanboy. I’m a big Google user too though, so I’m really a fan of both. Especially when I see optimism in Google making strides towards better privacy protections as well. #GoPrivacy

My kids love our Springfree trampoline. Next time they say they are bored, I’m gonna go through these lists (one idea I hadn’t thought of: Make a laser course on the mat out of yarn and try not to touch it) :

Suck it up buttercup: Forget Your Feelings (summary: There’s no meaning attached to feelings)

And, a bit more privacy related goodness: Here are all of the ways that Google tracks you (I am doubtful this is ALL of the ways, but it sure looks like a good start). And here’s a great primer on removing your info from the web – mainly focused on mailing lists a la “do not call lists”.

And, I’m a bit bummed because I don’t think I’ll be able to attend my local WordCamp Hamilton this weekend. I bought my ticket, but life sometimes gets in the way. (In this case, it’s my son’s birthday – and family comes first!)

Have a great weekend!

Todd

Categories
infosec technology

Damn you, computer “hackers”!

My mom got scammed online earlier this week. This is the second time in a year that someone close to me has gotten burned by a scummy, sleazy, no good, prey-on-the-weakness-of-others-rather-than-get-a-real-job jackass. And it is so annoying!

In this case, the person that hooked my mom didn’t do any real damage. But it inconvenienced her and me for a few hours this week. And that really sucks. And, if it had been worse, it would have taken me a bunch of hours more to rebuild her computer from scratch and get it reconfigured to the point where I wouldn’t have to field tech support calls from her for the next two months asking me where her missing icons or browser shortcuts have gone.

So… here’s what happened:

She ordered some stuff from Amazon.ca a few weeks ago and her order was taking forever to be delivered. She wanted to call Amazon to inquire about her order. So, she opened a web browser and typed “amazon.ca phone number” in the default search bar. When she pressed enter, she received a Google search results page that showed a bunch of options for amazon.ca customer service. This included a malicious (bad) customer support website. Unfortunately, my mom clicked on this link, and that’s where the fun began.

The link she clicked on was a phishing page (as per Wikipedia: Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication). It led to a compromised website that had been designed to look exactly like amazon.ca, with a blurb on the page giving “Amazon’s” phone number.

Unwittingly, she called the number on the malicious webpage. The helpful customer service rep (let’s call him Nedry, named after the inept hacker from Jurassic Park) that answered informed her that her amazon account had been red flagged. Nedry said someone else was trying to get into her account. He said not to worry though as he could help find out who it was and clear it up for her.

Nedry then instructed her to go to a website (citrixonline.com – a legitimate website with a legitimate app) and download an app so that they could connect to her computer. This first app wouldn’t install on my mom’s super old computer. This almost stumped Nedry, as he had to call on his supervisor to help up his game and keep my mom on the hook. His supervisor suggested using LogMeIn123 instead (another legitimate website and app). Luckily for Nedry, this second effort kept him in the game.

Once my mom downloaded and ran LogMeIn123, she connected to Nedry’s session and gave him control of her computer. LogMeIn123 lets you share your screen with someone else, and that person can then do anything on your computer.

And this is where Nedry really got to show off his stuff. Here’s what he did:

  1. He opened a terminal window and started to “show” my mom what was wrong with her computer by typing these commands:
    1. ping http://www.amazon.com
    2. top
    3. netstat -n
    4. ifconfig
    All of the above commands spit out a bunch of stats and other data that look confusing to the uninitiated. Nedry pointed at some of the output and explained that it was the virus taking hold and making a mess of things. (None of those commands detect malware; they just print process and network information that is always there on a healthy machine.)
  2. He told her that she had a bad virus on her computer. He said she had something called Torpig. He opened a web browser and went to the Wikipedia entry for Torpig. He read enough of that entry to my mom to really scare her.
  3. Then he used Google to search for a website called “geektyper”. He then opened the site directly: GEEKTyper.com – Hacking Simulator. The tagline for this website is “HACK LIKE A PROGRAMMER IN MOVIES AND GAMES!” It has a subsite (geektyper.com/scp) that looks SUPER legit if you’ve ever seen a scary hacking movie.
  4. He even showed her THE GUY that was doing this to her computer!
  5. Then he told her that this virus was so bad that it was everywhere in her house: it was on her computer, it was on her TV, it was on her iPad – it was on EVERYTHING!

Quick side note: I’m actually really impressed with Nedry so far. As far as social engineering goes, this guy is making all the right moves… If you’re trying to hack my mom.

And this is where things went downhill for Nedry. He had been laying things on really thick up to this point. He had my mom convinced that something bad was happening. He had ratcheted up the drama sufficiently to scare my mom. But now he had to go in for the close. This is the part of the scam where he brings home the bacon.

He explained that my mom would have to take her equipment to a local computer repair shop. But not just any shop would do. Nedry told my mom that she would need a “Level 6 Certified Anti-Hacking Network Professional”. (This sounds pretty serious! I work in IT security and I’ve never heard of these guys! They must be really hardcore!) Luckily, one of these technicians is located quite close – in Ancaster! However, my mom would have to take all of her equipment to him – her computer, her TV, her iPad, EVERYTHING. This was really stressing my mom out.

But then, like a white knight, Nedry offered to come through in the clinch: he said, but wait! There’s another way. Are you over 45? My mom said yes. He said you’re in luck! He has an offer for people over 45. He can help you remotely to fix your problem and you won’t have to take your equipment anywhere. (What a guy – this Nedry certainly seems like a superhero, doesn’t he!)

And it was at that point that my mom made me proud (kinda, even though she’d already given up control of her computer to this goon): she said, “no, I will get my son to look after it.” As soon as she said that, he got nasty and said, “I’m not helping you. I’m done.” My mom asked him to take all of the stuff off of her computer and Nedry replied, “Turn it off. I’m done.” Then he hung up.

Photo: “Don also brings in a big one” by J. Todd Poling, licensed under CC BY 2.0.

Poor Nedry… he thought he had caught a live one and was just reeling her in. But at the last second, she cut the line and escaped. He must have been pretty pissed because he had spent so much time reeling her in. I almost feel sorry for the guy. Almost.

That’s when my mom called me. At that point, I told her to unplug the computer from the wall and I’d come by and see what had happened.

I stopped by today and reconstructed what happened based on my mom’s story and the evidence on the computer (web browsing history, system logs, diagnostic info, etc.). I was able to restore her computer without a great deal of effort, but I’m still debating rebuilding her computer from scratch just in case Nedry did or installed something that I didn’t catch in my analysis.

Regardless, Nedry certainly messed up my mom’s week (no computer from Monday until Friday as she waited for me to come check out the damage), and it messed up my Friday night too to take care of this mess. So yeah… thanks Nedry, wherever you are.

Is there a lesson to be learned from this? For sure… there are at least three:

  1. Be careful where you go on the internet: Make sure the sites you visit are legitimate. Check the URL in your browser – if you’re trying to find amazon.ca’s customer service phone number, make sure the address of the site you are on really is amazon.ca, not just a page that mentions Amazon.
  2. Don’t let people you don’t know connect to your computer: No matter what! When in doubt, everyone knows someone who is computer savvy and who can help out in a pinch (spouse, cousin, grandkid, neighbour, etc.). Even if you have to pay some kid in your neighbourhood $20 to check it out, that is money well spent if it helps you avoid being scammed.
  3. When in doubt, walk away: If you find yourself stuck in the middle of an uncomfortable scenario like the one I described above, just walk away. Hang up the phone, turn off the computer and call your local tech-savvy friend to help you out. And, if you’re worried about offending the person, just mention that your <friend, son/daughter, neighbour, etc.> knows this stuff and you want to check with them. I’m pretty sure the person on the phone will get belligerent, which is a great indication that you’re talking to someone you shouldn’t be.
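Lesson 1 is easy to state and surprisingly easy to get wrong by eye, because scam pages lean on addresses that contain the real name without being the real site. The following is an added example, not code from the original post: a small Python check that, given the address a browser is showing and the site you expect, decides whether the host really belongs to that site and, if not, names the trick involved. The sample URLs are constructed for illustration and the `support-desk.example` host is hypothetical.

```python
"""Added example (not from the original post): does this URL really belong
to the site I think it does? Constructed URLs only; nothing is fetched."""
from urllib.parse import urlsplit


def browser_host(url: str) -> str:
    """Return the lowercase hostname the browser would actually connect to.

    urlsplit().hostname already discards the user-info part before '@' and
    the port, which is exactly what a person reading the address bar tends
    to get wrong. A bare 'amazon.ca' with no scheme is treated as https.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_site(url: str, expected: str) -> bool:
    """True only if the host is `expected` itself or a subdomain of it.

    'www.amazon.ca' passes; 'amazon.ca.support-desk.example' and
    'notamazon.ca' do not, even though both contain the expected name.
    """
    host = browser_host(url)
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def suspicious_reason(url: str, expected: str) -> str:
    """Classify why a URL is not the expected site (or 'ok' if it is)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = browser_host(url)
    expected = expected.lower()
    if "@" in parts.netloc:
        # https://amazon.ca@support-desk.example/ connects to support-desk.example
        return "userinfo"
    if is_site(url, expected):
        return "ok"
    if not host.isascii():
        # e.g. a Cyrillic 'о' in 'amazоn.ca': looks identical, different host
        return "non-ascii"
    if expected in host:
        # amazon.ca.support-desk.example, notamazon.ca, ...
        return "lookalike"
    return "other-site"


if __name__ == "__main__":
    # Constructed sample addresses of the kind a search result might offer.
    samples = [
        "https://www.amazon.ca/gp/help/customer/contact-us",
        "https://amazon.ca.support-desk.example/",
        "https://amazon.ca@support-desk.example/",
        "https://notamazon.ca/",
        "https://amaz\u043en.ca/",
        "https://support-desk.example/amazon.ca",
    ]
    for sample in samples:
        print(f"{suspicious_reason(sample, 'amazon.ca'):>10}  {sample}")
```

The point of the host-based check is that the only part of an address worth reading is the host the browser connects to: everything after the first single `/`, everything before an `@`, and any familiar words buried inside a longer host name are noise that a scammer controls.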

And note that this scam also occurs as a cold call from time to time. Someone will call you claiming that they know your computer is infected. Don’t fall for that one either! Again, use common sense and don’t let these scammers into your computer. If you’re nervous, call on your local techie to talk it through with you.

These people are relentless. They succeed with their scams often enough that it is a very lucrative trade for them. And they can be quite convincing. But the best defense against them is awareness and common sense. That’s why I’m sharing this – I battle this kind of scammer every day in my day job and I’m getting really tired of it. Their techniques are low-tech and they aren’t even very good – they simply circle the pack and pick off the naive using smooth talk rather than sophisticated hacking skills. Awareness is a great defense, and this is part of my way of fighting back against these folks.

So yeah… it was a bit of a wasted night for my mom and me. I would have rather sat with her for the evening and visited. Instead, I spent three or four hours piecing things together and documenting this story to share with you.

But I did get to stop in for a visit and I got a Swiss Chalet dinner out of it so I guess the evening wasn’t a total bust. 🙂

How about you… have you been scammed by these people? Did you get caught up in it or did you avoid getting scammed? How’d they affect you? Do tell in the comments below!

Talk soon!

Todd


Categories
infosec technology

SC Congress 2016 – free passes & VIP ticket draw!

Folks,

SC Congress is coming up fast. The conference is next week! If you don’t have your ticket yet, I’m here to help. The team at SC Magazine has given me a unique opportunity to pass on to you:

  • free Expo Only VIP Passes ($150 value) – simply register using promo code “DOWEXPO”; and
  • a chance to win one of five VIP Two-Day Full Conference Passes ($1,295 value);

Here’s the deal:

Each free Expo Only Pass provides you:

  • Network with 1,000 cybersecurity luminaries and peers
  • Learn valuable insights for safeguarding your organization during our five Keynote Addresses
  • Attend one additional session of your choice
  • Visit leading brands in our Exhibit Hall
  • Participate in SC Congress’ signature Passport to Prizes program: network for a chance to win a hot, new gadget
  • Earn up to 5 CPE credits – just for attending our sessions


Also, SC Magazine has given me five VIP Two-Day Full Conference Passes to give away. To be entered to win one of these five tickets, here’s what you need to do:

  1. Register for a free Expo Only VIP Pass before next Monday morning (May 30); and
  2. Tweet the following: “Got my free Expo Plus Pass to @SCCongress Toronto June 1/2. Get yours & chance to win a VIP pass at toddhdow.com #infosec” (We’ll accept a similar shoutout on Facebook if you aren’t on Twitter); OR
  3. Sign up for my newsletter here at toddhdow.com (link);
  4. Email me at toddhdow [at] gmail. [dot] com to let me know that you’ve completed the above steps;

And yes, if you have previously registered for an Expo Only pass and you want to upgrade, just tweet or share on Facebook or sign up for my newsletter and you’re all set.

So don’t delay… register today!

And, while you’re at it, sign up for a complimentary digital subscription to SC Magazine.

Are you going to SC Congress 2016? Let me know in the comments!

Talk soon!

Todd