Don’t be the One

Cos I don’t wanna be the one
Only overjoyed
Yeah, I don’t wanna be the one
Making all the noise
Yeah, I don’t wanna be the one
From Be The One by The Ting Tings

In the last post the topic of safe web browsing was discussed as an attempt to update earlier advice from circa 2008. So that should keep you safe on the internet. Right? Sorry. Unfortunately, browsing the web is only half the story. The other, and arguably more dangerous, half is the part where you are automatically directed to web sites by emails, SMS texts, QR codes and nowadays NFC tags. Most of the time these automated links are desirable and very convenient, like when you want to find out about a new product or go directly to your bank site to check on your accounts. But what happens when the originator of these convenience links is a malicious impostor? In other words, the email, SMS, QR code or NFC tag is a phishing attack. This can be especially serious when the phisher is pretending to be your bank. Because the payoff is potentially large, these fake requests from your bank can look pretty convincing. This post from Rob Waugh at the WeLiveSecurity blog puts it this way.

Technologies change, but cybercriminals will always dream up new ways to fool you into handing over your bank details – whether via phishing emails, SMS or by phone.

These days cybercriminals will use phone calls, SMS messages, emails – and even couriers – in an effort to get your money. Many of these attacks can seem very convincing – at least at first.

To mash up P.T. Barnum, who is often credited with saying “There’s a sucker born every minute”, and The Matrix, “You are the One, Neo” [just go with me here], how do you avoid being the One? The key is to recognize stuff your bank will never do. Again from the WeLiveSecurity post:

The key to staying safe is to recognize behavior that isn’t quite “right”. Here are ten things a bank will never do – but a fraudster, phisher, or thief will.

Text you asking for details to “confirm” it’s you

Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords in a text. Banks also won’t update their apps in this way. If you’re suspicious, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number.

Give you a deadline of 24 hours before your bank account erases itself

Many legitimate messages from your bank will be marked “urgent” – particularly those related to suspected fraud – but any message with a deadline should be treated with extreme suspicion. Cybercriminals have to work fast – their websites may be flagged, blocked or closed down rapidly – and need you to click without thinking. Banks just want you to get in touch – they won’t usually set a deadline.

Send you a link with a “new version” of your banking app

Your bank will not distribute apps in this way – instead, download from official app stores, and ensure yours is up to date.

Use shortened URLs in an email

Cybercriminals use a variety of tricks to make a malicious web page appear more “real” in an email that’s supposedly from your bank – one of the most basic is URL-shortening services.

Send a courier to pick up your “faulty” bank card

The courier scam is a new one – your phone rings, it’s your bank, and they need to replace a faulty bank card. One of the new services they offer is courier replacement – and the bank tells you that a courier will arrive shortly to collect the faulty card. A courier turns up, asks for your PIN as “confirmation” – and your money magically vanishes.

Call your landline and “prove” it’s the bank by asking you to call back

A common new scam is a phone call from either “the police” or “your bank”, saying that fraudulent transactions have been detected on your card. The criminals will then “prove” their identity by “hanging up” and asking you to dial the real bank number – but they’ve actually just played a dial tone, and when you dial in, you’re talking to the same gang, who will then ask for credit card details and passwords.

Email you at a new address without warning

If your bank suddenly contacts you on your work address or any other address than the one they usually use, this is [not right]. Banks will not add new email addresses [for you on their own].

Use an unsecured web page

If you’re on a “real” online banking page, it should display a symbol in your browser’s address bar to show it’s secure, such as a locked padlock or unbroken key symbol. If that symbol’s missing, be very, very wary.

Address you as “Dear customer” or dear “youremail@gmail.com”

Banks will usually address you with your name and title – i.e. Mr Smith – and often add another layer of security such as quoting the last four digits of your account number, to reassure you it’s a real email, and not phish. Any emails addressed to “Dear customer” or “Dear [email address]” are instantly suspicious – often automated spam sent out in vast quantities to snare the unwary.

Send a personal message with a blank address field

If you receive a personal message from your bank, it should be addressed to you – not just in the message, but in the email header. Check that it’s addressed to your email address – if it’s blank, or addressed to “Customer List” or similar, be suspicious.

Email you asking for your mother’s maiden name

When banks get in touch – for instance in a case of suspected fraud – they may ask for a password, or a secret number. What they won’t do is ask for a whole lot more information “to be on the safe side”. If you see a form asking for a large amount of information, close the link and phone your bank.

Remember this, grasshopper: your bank already has your money, so they aren’t that interested in spending any of theirs on unexpected communication with you – particularly something like courier services. The bad guys, on the other hand, want your money and are willing to invest a little and try phishing thousands or millions of potential suckers hoping to find the One big payday. Your mission, should you decide to accept it, is to not be the One.
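The ten behaviours in the list above lend themselves to a simple triage check. As an added example (not code from the original post or from WeLiveSecurity), this Python script parses a constructed email and flags the indicators the list describes: a blank or generic To header, a generic greeting, deadline pressure, requests to confirm credentials or a mother’s maiden name, an app “new version” link, and shortened or unencrypted links. The shortener domain list, the expected recipient address and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed list of URL-shortener hosts (constructed; extend for your own use).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Heuristics taken from the "ten things a bank will never do" list.
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|valued|\S+@\S+)", re.I | re.M)
DEADLINE = re.compile(r"\b(within|in)\s+\d+\s+(hours?|days?)\b|\bimmediately\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|enter|provide)\b[^.\n]{0,60}\b(password|pin|card number|security code)\b", re.I)
MAIDEN_NAME = re.compile(r"mother'?s maiden name", re.I)
APP_UPDATE = re.compile(r"\b(new version|update)\b[^.\n]{0,40}\bapp\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def find_indicators(raw_email: str, expected_to: str) -> list:
    """Return the phishing indicators found in raw_email (empty list if none)."""
    msg = message_from_string(raw_email)
    text = body_text(msg)
    hits = []

    def note(reason: str) -> None:
        if reason not in hits:
            hits.append(reason)

    # A personal message should be addressed to you in the header, not to a list.
    to_header = (msg.get("To") or "").strip()
    if not to_header or expected_to.lower() not in to_header.lower():
        note("blank or generic To header")
    if GENERIC_GREETING.search(text):
        note("generic greeting")
    if DEADLINE.search(text):
        note("deadline pressure")
    if CREDENTIAL_REQUEST.search(text):
        note("asks to confirm credentials")
    if MAIDEN_NAME.search(text):
        note("asks for mother's maiden name")
    if APP_UPDATE.search(text):
        note("pushes app update by link")
    for link in URL.findall(text):
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if host in SHORTENERS:
            note("shortened URL: " + host)
        if parsed.scheme.lower() == "http":
            note("unencrypted link: " + host)
    return hits


# Constructed sample messages (not real bank mail; domains are placeholders).
PHISH = """From: "Example Bank Security" <security@examplebank-alerts.example>
To: Customer List
Subject: URGENT: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Dear customer,

Suspicious activity was detected on your account.
You must confirm your password and PIN within 24 hours or your account will be closed.
Verify now: http://bit.ly/ABCDEF
Download the new version of our mobile app here: http://bit.ly/GHIJKL
For added security, please also enter your mother's maiden name.
"""

LEGIT = """From: "Example Bank" <alerts@examplebank.example>
To: alice@example.com
Subject: New payee added
Content-Type: text/plain; charset=utf-8

Dear Mr Smith,

A new payee was added to your account ending 1234 on 12 March.
If you did not do this, call the number printed on the back of your card.
You can review recent transactions at https://www.examplebank.example/login
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, find_indicators(sample, "alice@example.com"))
```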

Note to self: Ease up on old TV and get out more.

Security For All First Birthday: Revisiting Technology generation gap

The #3 spot on the Security For All top posts list entitled Moving On, was about my experience as a Software Engineer at StillSecure on the eve of my departure for a new gig. If you have ever wondered about what it would be like to work for a cutting edge start-up in Colorado you should definitely check out the post. But since I don’t have anything to add or amplify in that post we’ll head straight to the 4th most popular post and revisit January 26, 2009 and the Technology generation gap.

The first occasion to get me thinking about this was when an older family friend was the victim of a fairly benign scam that essentially convinced her to forward some nasty political tripe to folks on her email list. Luckily no harm was done, other than embarrassing WTF responses from the message recipients. I was explaining to her that there are many unscrupulous people and other entities on the net that have no problem with misleading, lying and scamming anybody they can, when she remarked that she thought it was “sad that you can’t trust people on the internet”. This remark kind of took me by surprise. I’ve always started from the assumption that internet content is not trustworthy. Not sad, that’s just the way the net works.

She was assuming that email was equivalent to handwritten correspondence from an entity that is known to you. While I was assuming that email is equivalent to bulk mail from an anonymous source. Now certainly there have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing. The point is that in my friend’s experience, a person who would lie, cheat or scam others was quickly discovered and was considered an anti-social aberration. And in general, you could trust most people. Not so on the internet, where there are no people to trust.

No people, as in actual living human beings, to trust. This has a number of other disturbing aspects that I take as a given but are shocking and appalling to my friend.

Actual humans are not directly responsible for a fair portion of internet traffic. Much of the content on the web is generated by bots or other automated processes. That’s why we have CAPTCHAs for everything from webmail sign-up to comments on blogs. Problem here is that the mitigation is often more annoying to older folks than the threat we’re trying to mitigate.

Another disturbing aspect is that web content generated directly by younger or more web savvy people can more accurately be attributed to their online persona. Think about it. Starting back in the early days of BBSs and propagated by AOL is the concept of the screen name. Check out Facebook or YouTube – or even Security Bloggers Network – and you’ll find a whole lot more “LonelyGirl16” or “G@m3rBoy” IDs than “JoeSmith”. Be sure to check out the content that you find there. What you are looking at is performance art by the online persona of the author. Even here. What? You think I’m really this witty and urbane in real life? Well, okay, maybe I am, but the rest of those posers… But again I digress. The point is that my older friends treat email and social network posts as direct communication between themselves and other actual humans. They even use their real names. And give out real addresses. They don’t have an online persona, and don’t expect others to either.

Perhaps the most appalling aspect is that the allegory of the web most familiar to older people is print media. Newspapers and magazines. URLs are even referred to as web pages. Unfortunately this carries some very misleading and often dangerous assumptions. For example, if a writer in People magazine writes “[hot Hollywood starlet du jour] is a slut”, People will certainly have to print a retraction and possibly face libel charges. But if Perez Hilton writes it in his celebrity gossip blog, well, that’s just what Perez does. The point is that print media is held to a much higher standard of veracity than the web, where anyone can post anything with very little chance of reprisal or responsibility. There are no standards of veracity on the web. Nor can there be. The dangerous part of this is that there are journalists and editors who don’t understand this. Recently sports publications and sports news outlets reported that Iranian football [soccer to us yanks] stars Javad Nekounam and Masoud Shojaei [who play for Spain] had been sacked due to an incident in a Pamplona nightclub. This story made the wire services and was widely reported. The source was a report on the Osasuna club’s web site. Problem is, the site had been hacked and the report was bogus. You can read the real story here. Too bad – damage done.

The next occasion that caused further rumination on this subject was when I was helping my mom with a computer problem. She noticed that several names in her address book application were appearing out of alphabetical order. I diagnosed the problem easily – the names had leading spaces. Apparently the OS X address book doesn’t trim entry fields. So once I removed the offending space characters the sorting worked as expected. Try as I might, I could not explain this to my mother. She could not get her mind around the idea that a space character is ultimately a binary value like any other alphanumeric character. As far as she was concerned, when you hit the space bar on the keyboard it just “moves over” and doesn’t print anything. In other words a space is nothing. The absence of a letter. Kind of like electrons and holes from my EE days. A hole is where an electron is not. Therefore holes have a positive charge. Yeah, like that.

Again I realized that we were having a fundamental disconnect. I’ve always realized that everything I see on a computer screen is an abstraction. At the lowest level it’s all just zeros and ones. Actually high and low voltages or positive and negative charges. Even the zeros and ones are an abstraction. The desktop and windows are an abstract paradigm. Not so with my mom. She sees literal windows or cute little boxes called windows when she looks at her monitor. She clicks on buttons, types stuff into forms and moves sliders up and down. It’s not abstract at all. It’s literal for her.

When you think about it, the information age introduced something unprecedented in human history: the central enabling agent, computers, inserted a layer of unreality between users and tasks. Stay with me here. Even relatively modern devices like telephones were intimately connected to the underlying task. Any abstraction, like say entering a phone number to connect to a specific party, was completely transparent – you entered the number using a keypad or dial. Now look at my iPhone – a hand-held computer. I could still enter phone numbers from a keypad – a virtual, abstract keypad – but I usually just touch the picture of the person I want to contact. And that contact can be SMS, IM, email or even a telephone call, depending on the context of the underlying abstraction. The point is there are no actual walls in Facebook, no windows in Windows, no trashcan on your desktop and no desktop. Abstractions and allegories [or user paradigms if you prefer] all. Can’t wait for virtual reality? Good news – you don’t have to. Bad news – you probably don’t even recognize it.

Technology generation gap

Recently while helping older relatives and friends I had an epiphany about technology usage and age. Specifically older people approach technology with a completely different set of assumptions than younger people. Before you decide to file this under Well DUH! just hear me out.

The first occasion to get me thinking about this was when an older family friend was the victim of a fairly benign scam that essentially convinced her to forward some nasty political tripe to folks on her email list. Luckily no harm was done, other than embarrassing WTF responses from the message recipients. I was explaining to her that there are many unscrupulous people and other entities on the net that have no problem with misleading, lying and scamming anybody they can, when she remarked that she thought it was “sad that you can’t trust people on the internet”. This remark kind of took me by surprise. I’ve always started from the assumption that internet content is not trustworthy. Not sad, that’s just the way the net works.

About the same time Bruce Schneier had this article wherein he reaches the following conclusion (emphasis mine).

The Internet is the greatest generation gap since rock and roll. We’re now witnessing one aspect of that generation gap: the younger generation chats digitally, and the older generation treats those chats as written correspondence. Until our CEOs blog, our Congressmen Twitter, and our world leaders send each other LOLcats – until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers – we aren’t fully an information age society.

When everyone leaves a public digital trail of their personal thoughts since birth, no one will think twice about it being there. Obama might be on the younger side of the generation gap, but the rules he’s operating under were written by the older side. It will take another generation before society’s tolerance for digital ephemera changes.

I realized that this was exactly the disconnect my older friend and I were having. She was assuming that email was equivalent to handwritten correspondence from an entity that is known to you. While I was assuming that email is equivalent to bulk mail from an anonymous source. Now certainly there have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing. The point is that in my friend’s experience, a person who would lie, cheat or scam others was quickly discovered and was considered an anti-social aberration. And in general, you could trust most people. Not so on the internet, where there are no people to trust.

The next occasion that caused further rumination on this subject was when I was helping my mom with a computer problem. She noticed that several names in her address book application were appearing out of alphabetical order. I diagnosed the problem easily – the names had leading spaces. Apparently the OS X address book doesn’t trim entry fields. So once I removed the offending space characters the sorting worked as expected. Try as I might, I could not explain this to my mother. She could not get her mind around the idea that a space character is ultimately a binary value like any other alphanumeric character. As far as she was concerned, when you hit the space bar on the keyboard it just “moves over” and doesn’t print anything. In other words a space is nothing. The absence of a letter. Kind of like electrons and holes from my EE days. A hole is where an electron is not. Therefore holes have a positive charge. Yeah, like that.

Again I realized that we were having a fundamental disconnect. I’ve always realized that everything I see on a computer screen is an abstraction. At the lowest level it’s all just zeros and ones. Actually high and low voltages or positive and negative charges. Even the zeros and ones are an abstraction. The desktop and windows are an abstract paradigm. Not so with my mom. She sees literal windows or cute little boxes called windows when she looks at her monitor. She clicks on buttons, types stuff into forms and moves sliders up and down. It’s not abstract at all. It’s literal for her.

So what can I do with this insight other than blog about it? Well, immediately I realized that the argument I was making to my QA lead – that a bug where the back-end process was working correctly but the GUI was displaying incorrect state should not be rated serious – was a definite loser. On a larger scale, I am able to articulate what is wrong with our industry’s release-fast-and-patch-often business model. It’s fundamentally based on our customers trusting us. Which they should not. And they probably won’t when the next generation starts making the buying decisions.

Great stuff that never happened

Bury your memories bury your friends,
Leave it alone for a year or two.
Till the stories go hazy and the legends come true,
Then do it again. Some Things never end.
From “Eleventh Earl of Mar” Genesis

John Brandon has an article in ComputerWorld, Famous tech myths that just won’t die, wherein he attempts to lay to rest some of our most treasured tech myths. Submitted for your approval is a concise list of those myths. And my brief comments. Seriously, you didn’t think you were going to get off that easy, did you?

  • Bill Gates dropped a $1,000 bill and didn’t bother to pick it up – Can you imagine the guy who ruled the Microserfs dropping a $1 bill much less not picking it up?
  • The iPhone 3G has a kill switch that Apple can use to disable the device – Actually it does. It’s called AT&T here in America. No wait, that’s a killjoy switch. My bad.
  • Internet2 will replace the Internet – Now this is just silly. Everyone knows the internet will be replaced by the Cepheid Galactic Internet.
  • PC gaming is dying or already dead – Just keep telling yourself this while you’re getting fragged online by newbs with an unfair advantage (a PC), X-box boy.
  • Apple is working on a MacTablet – What, the Newton wasn’t good enough?
  • Forwarding an e-mail has rewards of some kind – Only if you forward it from someone else’s account and can watch the comedic aftermath. And not get caught.
  • Al Gore said he invented the Internet – Well maybe not, but Ted Stevens discovered that the internet is “not a truck. It’s a series of tubes.” Which is a good thing since the truck couldn’t get to where it needs to go via another Stevens invention, the bridge to nowhere (actually that’s not completely true it could go to Gravina Island – population 50).

Come on John, the next thing you are going to tell me is that my long lost uncle really didn’t die in Nigeria and leave me millions. Just be that way.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned”. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is Joe’s official, in-order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have, including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of its misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean, we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on I had better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity.) The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend in #1, had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah, who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Let’s take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1.
     In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah, I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does its one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry, lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and that everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well-meaning folks will grab onto an internet hoax or urban legend and spam everyone they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect, remove the KERNEL.SYS file”). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no, you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty: I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti-virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.