The good - a new app called 'If this then that'
- If I haven’t hit my FitBits goal then name me and shame me on twitter.
- If I get close to home then open my garage door.
- If I’m tagged in a Facebook post then save the picture or flash my sitting room lights (Really! – Yep).
What have all of these got in common apart from you can live without them...
They are all IF THIS THEN THAT statements that link the things in our world in a way that suits us, some are trivial but some are kind of interesting.
IF I have a delivery due from Tesco THEN send me a notification is trivial BUT
IF carbon monoxide is detected THEN switch off heating is pretty usefull!!
Wire the things in your life your way at HTTP://IFTTT.com
The Bad - phishing
Phishing, vishing and smishing – why, to what end...
Beware the big flashing email with the button labelled ‘hack me please and take me on a journey’
If only it was that easy! The truth is that these types of attacks are superbly subtle and can often be indistinguishable from the real thing.
They WILL arrive a number of different ways, the most prevalent is email - gone are the halcyon days where the only spam you received was for cheap ‘enhancing’ pharmaceuticals...
Another vector is test message or even a phone call, the latter being less likely but equally dangerous as it plays on you politeness and inherently nice nature.
In whatever form they take these attacks have certain goals, the common theme however is to take your money although there are some key differences.
Like the aforementioned pharmaceuticals one type of attack will simply attempt to get you to buy a service or product that is almost certainly not required and if you saw it in a poundshop for half price you would scoff and walk away.
A classic example of this is the fake employee ‘From your Internets companees’ (bad spelling intended and should ring alarm bells) - or from ‘Microsoft’. Whoever they claim to be they will attempt to connect to your PC be remote WITH your assistance.
Once connected they will do a classic IT theme re-imagining of Dorothy’s first encounter with the Wizard of Oz and attempt to scare you into buying one of their support packages to rid you of all the nasty things on your machine, the truth is there is nothing on your PC and even if there was the money they are trying to extract from you will do nothing to fix it. At some point your instinct will twitch – Toto knows the Wizard is a lie, listen to your inner Toto.
This example is one of many and, confusingly, can be delivered using any of the mediums previously mentioned, it can even be placed inside of web pages as an invasive popup “Your PC is infected – Please call this number NOW” – ‘Woof’, yes Toto we know it’s all LIES.
A less interactive attack is the classic phishing scam, most will have heard of this but I’ll quickly recap. You receive an email from your bank, (who interestingly enough you don’t bank with) asking you to login immediately due to [insert random badly structured reason here]. From there you may be taken to a page that ‘looks’ like your bank where you are asked to login. At this point imagine Toto pulling at your leg, woof woof [don’t do it] – if you did login you would be met with a page apologising for ‘an error’ BUT ‘they’ already have your credentials.
If you are ‘lucky’ they will clear out your account then and there, perhaps a small amount at first but then a larger and larger etc. Eventually you are skint BUT you know about it, LUCKY, that doesn’t sound lucky.
That is the best outcome believe me, the alternative is less attractive by an order of magnitude. After the page above has an ‘Error’ you move on, IT sucks anyway right and never works - no biggie. Well at any point after that ‘error’ your credentials may be sold on and used for other nefarious reasons, they may be evaluated for relevance against OTHER online services (nobody uses the same password for ‘everything’ do they?), which will leave a varying footprint behind that you may or may not notice for a good while unless you pour over every line from your credit cards and other statements.
The reverse of this is true, the phishing attack may have targeted a less prominent account such as your Starbucks rewards card so your less on guard when you receive the ‘phish’ - same as above, but they now have a username and password pair that could be used elsewhere.
So far two types of attacks, delivered differently and targeting different areas - a common thread however of unsolicited and random communication preceding them.
The best defence is common sense, feel free to ignore things - IF they are genuine they know how to contact you by alternative means and IF they ask for credentials either over the phone or via any other means they are almost certainly ‘dodgy’.
The MOST worrying type of attack however is the ransomware variant, these send shivers up my spine as they are clever, evil and indomitable.
It’s nothing new really, I once remember a program going viral by email ‘back in the day’ saying ‘free cup holder – click here’. You clicked on it and it ejected your CD drive tray, ha ha ha we all fell about the floor and stopped working for 15 minutes, another variant when clicked turned your volume up to 100% and played “hey - I’m watching football over here” over your speakers - another 15 minutes of work lost!
These two ‘old school’ examples are poignant because YOU elected to launch the program and accepted the consequences, these days however you are tricked into launching computer code and you have NO idea of the consequence.
Virus programs no longer look to destroy systems and data as a rule, instead they infest your device and look to spread themselves onto other devices carrying their timed ‘payload’ as they go.
The payload of a virus you are likely to encounter with be either a zombification or ransomware type (there are others for sure ‘Stuxnet’ for example targeted the nuclear program in Iran…), these two flavours however represent the bulk of malware targeted at us ‘normal’ people.
Zombification is simply YOUR computer running malware that puts local resources at the control of a master ‘somewhere’ out there, why? Well it may simply record your keystrokes so could therefore obtain any username and password or personal data.
One other (common) use is to form a collective of compromised machines (tens of thousands – maybe more!) that can be sold for attacks, ever heard of a DOS or DDOS attack (Denial of Service and Distributed Denial of Service).
Between the 11 and 13 of January, Lloyds Bank was submitted to a DDOS attack that rendered it’s online services partially unavailable, the ‘distributed’ part of the DDOS acronym could by YOUR pc, that’s right Mr & Mrs hacker you could have helped bring down Lloyds ;).
Lastly, we have the ransomware attack, this little gem will contact it’s ‘master’ and begin to encrypt your hard drive - any will do, it’s not fussy and if it can see data it will encrypt it.
Whilst I advocate encryption to avoid data loss this action renders your data useless to YOU, if you are ‘lucky’ (there’s that word again and no you won’t feel lucky), you can contact these individuals and pay them some money - after that they may send you the decryption key and you can have your data back…
I say may because once they have you credit card details it’s not a leap to think they will hold onto that info and buy something else at another point in time, you may not even get your data back….
Doom and gloom
That’s all pretty depressing but there is a defence, all of the above require you to do something to facilitate the ‘event’ – the exception to this rule is where legitimate sources or systems have themselves been compromised although this is still a defensible position by regularly updating your system with both security and system updates.
So: (not an exhaustive list)
- Consider the trustworthiness of content from ANY medium at all times, if in doubt ignore it and if you are concerned take some advice from a relevant source.
- Keep your system and Anti-Virus up to date (an Anti-Virus or Anti malware program that is not up to date is not effective).
- Use different passwords for different accounts.
- Never divulge sensitive information over the phone or email, any legitimate company will NOT work this way. If a company calls you and requests you do a ‘security check’ then feel free to challenge the wisdom of that, you don’t know them as they called you but they they want you to confirm your identity…..?
- Keep backups and use remote/cloud storage - Malware can adversely affect systems and data, if you have a backup - who cares!
The Ugly - Fido net
Before the World Wide Web there was Fido net, this was pretty much your only option if you wanted to connect to others reasonably cheaply.
It was used for email as well as forums and could even host files and play online games.
All you needed was a Modem and permission to dominate your phone line to call a national call rate number at a few pence PER MINUTE.
And what do that look like.
Nuff said!