Online Security - "Danger, Will Robinson!!"
I'm going to paint a picture, nothing more. It's a small picture, but as you will understand, it's representative of a much bigger picture.

Some may call it "scaremongery". I suppose it could be construed as such, but only in the same way they said wearing masks against COVID was "scaremongery". Granted, for those who didn't/don't wear one, and were/are fortunate enough not to be visited by COVID, facemasks may still seem unnecessary, even paranoid, but for the many who find out the hard way that the risk is actually very real for them, whether surviving it or not, wishing they had listened sooner is … too late.

Facemasks are a good analogy for our subject here, which also discusses balancing risk. If you're familiar with the Chaos Walking books or movie, "Hide Your Noise" is also amusingly analogous, though the more ubiquitous "Shields Up" works just as well.
So, we'll start with the fact that you know corporates have Insurance to cover risks. They will seek, and consider having, that insurance only after becoming aware of a risk and confirming that they can't mitigate it 100% consistently. However, that risk of loss simply cannot be ignored, and so they insure against it.

You, yourselves, may or may not have Home Insurance. If you do not have any purely for immediate financial reasons, and that were no longer a factor, would you have it? Most would answer "yes, absolutely, of course". And those of you who already do have it, isn't it because that risk of loss is too great, the consequences too unimaginably negative, even to contemplate?

This Chapter is letting you know that there is a risk, a very real one, and a need for you to consider mitigation and, in a manner, insure yourself. Like COVID, it cannot be forecast who or where it will strike, but like wearing a facemask, you can reduce the risk of exposure. Also as with wearing facemasks, you can choose to ignore the risks after reading this if you so wish, using as little or as much of the information as you desire; I am not telling you what to do, nor am I your judge, you are entirely your own responsibility, but don't mind me whilst I advocate "Drive Defensively" to others.
You already know, too, that there are dangerous wee beasties such as Trojans and Malware, Keyloggers and the like, that you (may or may not) need active protection against. You also already know that advertisers utilise cookies and behavioural patterns to sell you stuff. You recognise (and may even grasp the nature of) terms such as Data Mining, Information Retrieval, Data Insights, Data Modelling and AI-Augmented, to name just a few buzzwords from the database industry.

Those advertisers, box-shifters and merchants aren't the only ones sorting you this way and that by type, seeking a "chink in your armour" to facilitate converting you from a prospect into a profit. Whilst corporates are to an extent limited by the likes of GDPR, restricting the information that they hold about you, criminals and other Bad Actors are not so constrained - not at all, in fact. Nor are those who are prepared to play the system for the profits, who see (patently inadequate) fines as mere operating costs to be met.

There are constantly growing databases out there populated with all manner of names and home/work addresses, with initial populations freely available via Yellow Pages, Electoral Rolls, Meet The Staff webpages, etc. As time goes by, those databases accrue associated telephone numbers, email addresses, employment histories, salaries, and sooner or later they pick up social media usernames, known associates (who knows you, who you know), and eventually a username & password or two to somewhere, perhaps gained via the many such lists bought and sold between groups. Note that you and I can purchase some of these lists online too, "for marketing purposes", no Dark Net needed … some are just random unconfirmed addresses, being the cheapest, whilst others are confirmed valid addresses, such as those that respond to spam emails, if only by having clicked "Unsubscribe".
Now, unless you're a high earner, it's a reasonable supposition that you will not be a target for having your bank account emptied. But that's not to say you won't ever be targeted, whether for your bank account contents, or instead as a stepping stone to something more valuable that you may have access to. The "high value targets" are, of course, invariably within corporates, but as those improve their security protocols, they become the domain of bigger and more sophisticated gangs and campaigns. Just like IRL, those lower down the criminal food-chain grab whatever's shiny, and if they can sell a few hacked low-level Minecraft logins for a tidy sum and minimal effort, that's what they'll do. Gaming accounts can be rewarding targets in themselves, too, as folk spend $Billions globally every year on them, along with add-ons such as DLCs and Skins; so a higher-level account in a currently popular game, as you might imagine, sells quickly and for significantly more.

Somewhere else, someone is seeking to hack innocuous websites so they can plant a Trojan or Keylogger, whilst someone else is sending blanket phishing attacks to confirmed email addresses, hoping to trick their way into folks' Amazon, or Netflix, or PayPal or (jackpot!) Bitcoin accounts. Others still might be checking which names on their lists also appear at https://haveibeenpwned.com/, with the nature of their having been hacked perhaps revealing a vulnerability that they may fall for again, initiating targeted "spear-phishing" attacks or being added to an existing campaign.

The favourites though, consistently, are the email accounts themselves, because they are windows (no pun) to everything else. Which is your contact/rescue email address for your bank, your Amazon, and your whatever-else accounts? How do you receive passwords to internal systems from IT or your Manager at work? (rhetorical)
You (hopefully) already know that having the same password in two or more places is a very bad idea, and that 2FA (Two-Factor Authentication) should always be enabled where it's offered.

Remember those growing databases? With the simplest of queries, we can know what the most common passwords are, whether overall, at specific websites, in combinations, or however else we choose to parse the gathered data. If your passwords are based on pet-names, for example, I'll bet you have entered those names in a field on a webpage, or in a social media post, somewhere, sometime … criminals are not limited, either to or from where, in seeking and collating usable information. Like "If you build it, they will come", if you provide an avenue to explore, they will. For example, if you leave a weak, non-2FA-protected password on the most inconsequential (to you) of websites, even one you perhaps only visited the once, it's more a case of when, not if, they will get in and, if nothing else, they will be immediately rewarded with a new target: your account's contact/rescue email address.
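An added example, not part of the original chapter: a small Python check that tells you whether a password already sits in the Have I Been Pwned "Pwned Passwords" breach corpus, using the site's k-anonymity range API, so only the first five characters of the password's SHA-1 hash ever leave your machine. The function names are my own, and the sample range response (and the counts in it) is constructed so the parsing runs offline; the live service returns the real numbers.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

The password is hashed locally; only the 5-character SHA-1 prefix is sent,
and the returned list of suffixes is matched on this machine.
"""
import hashlib
import urllib.request
from typing import Callable, Optional, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the
    breach count for our suffix, or 0 if it is absent from the list."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found, count = line.split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch: Optional[Callable[[str], str]] = None) -> int:
    """Hash locally, fetch the range for the prefix, return the breach count.
    `fetch` lets a caller substitute an offline source for the HTTP call."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p: str) -> str:
            with urllib.request.urlopen(HIBP_RANGE_URL + p, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range(suffix, fetch(prefix))


# Constructed sample for the prefix of "password" (SHA-1 starts 5BAA6);
# the counts are made up for this demonstration, not live HIBP figures.
SAMPLE_RANGE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\n"
)

if __name__ == "__main__":
    n = pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE)
    print("seen in breaches:" if n else "not found:", n)
```

Calling `pwned_count("...")` without `fetch` performs the real lookup; a non-zero count means the password should be retired everywhere it is used.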
Pro-tip: Regularly check for unusual Account Rescue methods and/or Email Forwarding Rules being added to your online accounts. Do not assume that just because they have access today, they will only "strike" today. By quietly adding an Account Rescue alternative to your account, for example, they can return at their leisure (just in case you change your password in the meantime, though few ever do) … after all, it's somewhat pointless stealing the pennies remaining in your account from your meagre wages right now and thus alerting you, when they can bide their time for a bigger haul such as a tax rebate, lottery win, "stimulus" payment, proceeds from a car sale, Christmas bonus, or whatever else … and that Forwarding Rule they added to your emails can and will let them know it's coming, and when you'll receive it.
In some cases, a larger gang may be grinding (putting in the hours, probing, doing the legwork - exactly as gamers do) on a specific corporate; you may be an employee of that corporate. Right now, they just need a genuine login, and so far their own spear-phishing attacks have been thwarted. So they search the lists, and they "put the word out", and Bingo, they now have your previously hacked email credentials. And now they'll be grinding on you, getting at your browser-saved passwords if they can, looking at your history, your forms' autocompletes, and your social media posts for clues.

Maybe you shouldn't have proudly announced on Facebook your new senior accounts position, thereby telling the Bad Actors en passant that you very likely have access to SAGE or whatever other accounts package, or maybe even web access to the actual bank accounts, either of which facilitates them sending oodles of your employers' money to themselves. Indeed, doing this can paint an immediate and large bullseye on yourself … you've effectively declared yourself Fair Game to them … this is where the "Hide Your Noise/Shields Up" analogy comes in.

Whilst all this may seem like a far-fetched plot from a movie, I assure you, it is happening, every day, to someone, over something. It's extremely rare, from your perspective, the chances quite possibly astronomical, but like winning the lottery, or catching COVID, one day, it could most certainly be you.
And, since we're here, and this too is not fiction: you are a perfect patsy to digitally cover their tracks and make it appear an inside job … all they need do is deposit an unusually high sum (for your account) at your bank, and, Behold, the finger doth point … create and delete a few dummy emails sent & received over several nights whilst you slept, and you too could inexplicably find yourself protesting your innocence from behind bars one morning.

Ultimately, it is for you to decide what trade-offs you make between security caveats and personal convenience … I can only indicate "there's a risk" and suggest options. But always remember it costs the Bad Actors nothing to persist, just as it costs them nothing IRL to break your car window to steal an umbrella, or the last chewing gum, or any other inconsequential (again, to you) item. Finally, don't imagine for a moment that this lightning won't strike twice or more if you permit it; indeed, you should entirely expect further attempts after a first success.

Whilst paranoia can be a useful, healthy tool in self-protection, please, don't needlessly go into panic mode … prudence and care is all that's truly needed. "Drive Defensively".