Security

Spoofing, Clicking, Hacking and You

Recently a friend of mine posted something on my Facebook wall that gave me pause. She said “I think you’ve been hacked. I just got a weird email from you. If it was from you, forget the ‘weird’ part.” While funny, it was also really concerning. Mostly because I try hard to have good passwords in place in most of my email accounts. And, since I work in the technology space, and specifically in internet technologies, it would be particularly concerning for me to have emails being sent from my accounts to my contacts potentially infecting them too. Needless to say, because of my profession, my blood pressure sort of increased. I immediately responded to my friend and asked about the email – but she was offline. So I sent messages to other friends asking if they’d received anything weird from me. No one had. I sent my friend who’d received the email an address to forward it to and I’ve yet to see it. But, it’s been a couple of days and no one else has reported anything weird. Which led me to believe – my friend received a ‘spoofed’ email.

Spoofing is becoming a pretty common practice and I think it’s a good thing to know about. Especially since spoofed emails are usually trying to accomplish one of two things – they either want to scam you out of information or money or they want you to click on a link in order to infect your computer with something. Spoofing is simple – it is the sending of an email that appears to be from someone that it isn’t from. You can pretty much use anyone’s name, or any organization/brand name, to send an email, because the protocols involved in sending and receiving mail do not require any authentication of the name associated with the email. To be clear, there are all kinds of spoofing. But it’s becoming more of a problem because it’s easier to just spoof a name and gain access to people, their money and their information. Think about it – if you are on Facebook you have a publicly available list of ‘friends’ that is viewable by criminals too. So spoofers can get the names of people you would recognize and trust, and associate those names with emails that they send to you to gain access to your computer.

Here’s the thing though – more often than not you have to actually *give* them something for them to get to you. And you do that by ‘clicking’ – on links, on forms and filling them out, on images, on something. Most of the time viruses happen because we click on a link, and people gain access to our computers because we click on something to let them.

Just this week my friend and colleague, Matt Gray, clued me into the news about Miss Teen USA having had her webcam hacked. Turns out she was being watched and photographed through her own computer’s camera and she had absolutely no idea it was happening. I happened to channel surf into a morning talk show that was covering this story and they demonstrated how this ‘hack’ could have happened. The example they used showed a ‘computer expert’ sending an innocent family an email that said ‘your secret admirer has a message for you’ and beneath that was a link to click on. Sure enough the daughters clicked the link and voila – the ‘expert’ had visual access – he was watching them through their own cameras. And they had no idea. When the talk show wrapped up that segment their recommendation was – close your laptop or shut it down at night when you are not using it, or put a piece of electrical tape over your cam. I was disappointed that they didn’t recommend anything preventative.

Yes there are hackers in the world who spend their time trying to access computers and networks without anyone knowing. And yes there are scammers that are getting more and more sophisticated in their ability to fool us. They are trying to get into our homes — to break in. But we have to think about our home networks in the same way we think about the security of our homes. I don’t know about you, but I always tell my little boy, don’t let anyone in, or go anywhere with anyone, even if you think you know them. We need to talk about it first. And I think the same thinking has to apply to how we review emails and Facebook posts.

So here are some simple ways to decrease the chances of someone accessing your stuff, giving you a virus, or using your own webcam against you.

1) Don’t open emails unless you are SURE the email address matches one with which you are familiar. A name is not enough. If you have to – pick up the phone and call the person you received the email from. But if it looks weird – it probably is. Check the email address carefully.

2) Do not click on links unless you are absolutely sure of what you are going to view. A link hidden behind some enticing words should not sucker you into action. Again – if you need to confirm that your friend sent you some earth shattering video – ask before you click.
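
The "a name is not enough" check from tip 1 can be written down as a small script. This is an added example, not part of the original post: the address book, names, addresses and both sample messages are constructed, and it assumes you keep a list of addresses you have already verified for each contact.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> addresses already verified for that person.
KNOWN_CONTACTS = {"pat friend": {"pat.friend@mail.example"}}

# Constructed sample messages (all names and addresses are made up).
SPOOFED = """\
From: "Pat Friend" <promo-7731@bulk-sender.example>
Reply-To: collect@elsewhere.example
To: you@mail.example
Subject: your secret admirer has a message for you

Click the link below.
"""

GENUINE = """\
From: "Pat Friend" <pat.friend@mail.example>
To: you@mail.example
Subject: lunch on Friday?

See you then.
"""


def domain_of(address):
    """Return the lower-cased part of an address after the last '@'."""
    return address.rsplit("@", 1)[-1].lower()


def sender_warnings(raw_message, contacts=KNOWN_CONTACTS):
    """Return human-readable reasons to distrust the claimed sender."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    name, address = name.strip(), address.lower()
    warnings = []

    # 1. A familiar name paired with an address you have never verified for it.
    verified = contacts.get(name.lower())
    if verified is not None and address not in verified:
        warnings.append(
            f"name '{name}' is a known contact, but {address} is not one of "
            f"their verified addresses"
        )

    # 2. The display name is itself an email address that differs from the real one.
    if "@" in name and name.lower() != address:
        warnings.append(f"display name shows {name} but mail came from {address}")

    # 3. Replies would go to a different domain than the one the mail claims to be from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(address):
        warnings.append(f"replies go to {reply_to.lower()}, not to {address}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, sender_warnings(raw) or "no warnings")
```

A clean result only means the visible address matches one you know; the address itself can also be forged unless the sending domain enforces SPF, DKIM and DMARC, so a phone call is still the tie-breaker when a message looks weird.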

The New Facebook, Security and You

On Friday night I appeared in a very short segment on KARE11 — the local NBC affiliate — to discuss the most recent Facebook changes – most specifically ‘The Timeline’. It’s funny because that was the second time this week Clockworkers made the news for Facebook, and the third time total (Netflix made for some interesting chatter this week too. But that’s another story). We sure are grateful to our friends at KARE11 for looking to us for some commentary about Facebook.

And it got me to thinking. The reason Facebook changes keep making the news is because Facebook has managed to work its way into the most fundamental elements of our culture: it’s become a primary way in which we connect with other people. We conduct whole parts of our life online now, and Facebook is really trying to capture that. That’s what this Timeline thing is all about really—it’s allowing us to tell our “whole” life story as we see it.

But then that gets broadcast to a pretty broad channel of consumers, while all the details of the story (data, really) are being aggregated to tell new stories about us to brands and marketers. I’ve read that this has been Mark Zuckerberg’s vision all along: as people share more and more data about themselves online, Facebook grows in value. It makes perfect sense that his strategy would also include forcing people to share more—however intentionally or unintentionally—by making our privacy options around each piece of data less obvious. Because that’s really what happened here, right? People are freaking out because instead of being able to specify, in a very general way, what (like photos and status updates, etc.) we share with whom, now it seems like we have to specify who we’re sharing with every single time we update our status or share anything.

As infuriating as it is, it’s sort of genius isn’t it? Influence how we behave and then mess with the most subtle aspects of that behavior to get more information from us. Genius. Because the assumption has to be that the majority of us are too lazy to spend any time figuring it out. And there’s such an overwhelming amount of information that even if we aren’t too lazy—we won’t know what’s real and what isn’t anyway.

How can we possibly protect ourselves?
A couple of weeks ago the U.S. Department of Homeland Security, Advance IT Minnesota and Saint Paul College hosted a cyber security awareness forum focusing on online safety and security. I was fortunate enough to be part of a panel along with Dr. Christophe Veltsos, faculty member in the Department of Computer Information Science at Minnesota State University, Mankato, and president of PrudentSecurity LLC, an information security and privacy consulting company, and Tim Fraser, Director of the Department of Homeland Security’s Stop. Think. Connect.™ campaign. (There will be video available from this forum and I’ll be sure to post it when that happens.)

You may or may not know that October is National Cyber Security Month.
President Obama called Cyber Security a critical issue and “Stop. Think. Connect.” is an important message and informational campaign presented by the Department of Homeland Security and sponsored by a large coalition of companies and brands hoping to contribute to increased awareness and education of cyber safety in America.

My contribution to the forum was really around behavior and the psychology of online behavior. We (and I’m using the collective we—a pretty broad generalization, but I’m comfortable with it) have this tendency to act victimized by what happens online. We have this weird sense of entitlement around how our information should be handled. And because of the technology layer—or, what I like to call, the layer of mysticism—we seem to want to believe it’s too complicated and the real responsibility belongs to the owners of the technology.

But our information is so widely distributed (think about how many sites on which you have profiles or where you’ve made purchases or connected with friends) and the web and online communication is so imbedded in how we function that we can no longer really think like that. We have to be less complacent and see ourselves not as victims—but as proactive citizens of digital space. The web has been mainstream for over 15 years, and still I hear people acting as if it just showed up yesterday and it is impossible to figure out. The thing is, it’s not going to slow down. We’re not going to revert back to the way things were. We can’t just throw our hands in the air and leave technology and social tools to our children, or take the word of so many “experts” to heart. Most of those “experts” are just there because they are rolling their sleeves up and diving in—not because they have any body of knowledge unavailable to the rest of us. Experts are people that play around with and think about technology and these tools. That’s all. And it’s something we all can do.

Back to Facebook
You might be asking yourself how all of this relates to the recent uproar over Facebook’s latest changes. Well, it relates plenty. See, complaining isn’t doing us any good. Facebook has proven time and time again that we are low on the list of priorities when they make changes to how the tool works. Yes it started out being a social network for the people, but our interest and willingness to share our information made the business opportunity for Facebook so much bigger than us, the users. And we’re not paying for the service. In this capitalistic society everybody knows a business needs a business model, and this one is grounded in our willingness to share information about ourselves in order for marketers to talk to us about things that are of relevance—to us.

It’s one-to-one marketing: they present us with products and services that matter to us. And they know they matter because we’ve said so, in roundabout ways. By the pictures we post, the brands we “like,” the people we associate with, the activities we enjoy, the causes we’re into. Alone these are just bits and bytes. But together they become a very rich profile—a whole story. A life story that is constantly changing.

The biggest threat to our privacy and our security is not Facebook, or viruses or hackers or any of that. The biggest threat to our privacy and security online is us. It’s how we react to all of this and everything that’s still coming at us. And the bottom line is this: if we have concerns about what we’re sharing or how our information is being used, then we owe it to ourselves to get as smart as we can about how we’re using Facebook, or any service, really. Think of it as agency instead of victimization. Then own it. I said that in the KARE11 piece and I stand by it.

On the surface the Timeline feature that Facebook is preparing to roll out is really cool. It’ll let you customize the story that you tell about yourself in ways you haven’t been able to before. A bigger, richer more expressive image can be seen on your profile page. It’s sounding like the data you share will include the things you update today and tomorrow, in addition to the pieces of your story that happened before Facebook even existed. What’s more, it’s looking like you’ll be able to share content from other networks and applications to which you subscribe. If you integrate your Hulu account and your Spotify account and your Goodreads account (there’s not a lot of information about exactly what additional apps/integrations will be available once the new Timeline launches, so I’m guessing here), then your story will include the TV shows you watch, the music you listen to and the books you read. Add your internet radio stations, your photosharing sites, your recipe exchanges and so forth and over time you’ve got an interesting story.

What will this look like?
If you do what Facebook hopes you’ll do, you’ll get your whole life working for them.

There’s Bob! He was born in 1977. He went to Catholic school. He hated his uniform. He played high school football. He went to this university. He majored in philosophy and art history. These are his friends. These are his girlfriends. Bob volunteers for this really awesome nonprofit. Bob teaches at this really amazing school. Bob married this fantastic lady. Bob reads nonfiction mostly. Bob likes ESPN and Comedy Central. Bob likes action films. Are you with me here? Bob is more of a whole person. He reads something and maybe his friends will read it too. If Bob is into a cause and he elevates it on his Timeline, it’s likely that a few people that subscribe to Bob’s life will contribute money or volunteer themselves. Bob, this complicated, multi-dimensional guy, isn’t just connecting with friends any more. Bob is now influencing people within his immediate community. But then, depending on how his privacy settings work, Bob’s sphere of influence might be bigger than even he’s aware. Beyond that though, Facebook advertisers are able to customize Bob’s ad experience so the ads speak to Bob. Furthermore, the people in that sphere of influence, which Bob may or may not be aware of, interact with the info that they are privy to, and that interaction turns into data points in their stories.

Get it? If they like something about Bob’s story, whether they know him or not, they are saying something about themselves. It’s a crazy, viral cycle of behavior. Or maybe it’s just physics. The law of physics on the social web—for every action there is an equal and/or opposite reaction. As cool as this is, remember: Facebook isn’t forcing you to add any information you’re not comfortable sharing.

Take back your cyberspace
What are some of the changes and what can you do?

Third-party apps
Knowledge and awareness are power. What can you do right now to ensure your Facebook experience is controlled by you? First of all, Facebook can’t force you to add information about your life prior to when you started to update your daily status in the network. That is purely voluntary. The network is also incapable of forcing you to integrate any other networks or apps—they must ask your permission. That means you do not have to approve your friends being able to see your Hulu or Spotify or Goodreads activity. You can avoid integrating third party sites and apps altogether. And you can go into your settings right now and deactivate apps that you’ve already allowed to interact with Facebook.

Be mindful of what you click on. “Read” doesn’t just mean “read” any more. You could be broadcasting information passively because you’ve given prior permission to tell the world every time you listen to or watch or read something. But again—you have to authorize these social apps before they can say anything about you. But once you do—be aware.

Lists
Everyone is futzing about the changes Facebook made to lists. Oddly, very few people ever really used them before because they were hard to find and pretty unclear. Now’s your chance. If you used them before and Facebook messed with your lists—it’s do-over time. Take advantage. If you never used lists before—welcome! Facebook wants you to use them and they’ve made them more obvious to encourage you to do it. Lists are one real way you have to control who sees what information that you share. It feels like a daunting task to start categorizing your contacts—but, honestly, it’s now or never. You might as well dive in and do it. Once you’ve segmented your friends list you can actually just share something with your family and no one else will see it. But remember—you need to specify how you share every single status update.

Unfriending
There’s a little fuss about the fact that you can see who “unfriends” you. I’ve got news for you: we’ve always been able to do this. Just not through Facebook. But there were a couple of third-party apps that already allowed this functionality. My advice: get over it. Honestly, if someone dumps you, that’s called life. If you dump someone, be prepared to deal with the reaction. Nine times out of ten there will be no reaction. But for that one time when someone might actually confront you, that’s called human interaction and you can choose not to talk about it. Or save them from themselves and tell them they are posting too many pics of their awesome hair. Or whatever.

Sharing Your Friends’ Comments/Likes
People seem bothered by the idea that when they Like something on a friend’s wall or worse, if they make a comment on a friend’s post, that will get shared with or seen by people they do not know. This is true. This can happen. But I’m going back to my point about being proactive and encouraging Facebook users to find out how their friends share information. I have my privacy settings set to only share my friends’ comments and Likes with my friends. Not with everyone. If that’s not good enough for you – then do not comment on other people’s posts. Of course, that’s half the fun of Facebook. And honestly, most comments are so benign, ask yourself if it really matters if they are shared. If it does – then talk to the people whose walls you interact with the most and ask them to get specific about who gets to see that kind of information.

Tracking your every move
There’ve been some articles about how Facebook will be able to track you when you are not on their website. Welcome to the internet. There are a couple of things to be aware of here. The first—and most obvious—is to think before you sign into other websites with your Facebook login. When you do that, not only are they tracking your behavior outside of their website, but they are probably broadcasting back to all of your friends. There’s also concern that Facebook can track your activity on other sites when you are not even logged in to Facebook. Again, a lot of websites can do that, and probably are. There is data that is collected in your browser that can track how you behave in lots of ways. But it’s not totally personal, it doesn’t necessarily identify you, the individual. But let’s say Facebook can. Maybe you want to consider using another browser for your social media activity. Instead of being married to Internet Explorer, try downloading Google Chrome or Firefox or Safari and use this secondary browser for things like browsing the web, shopping and reading interesting articles. One browser cannot communicate your activity to another and that keeps your Facebook experience totally isolated and somewhat more secure.

And on and on
There is a lot more going on. And perhaps we’ll talk about more of the privacy options and concerns in the days and weeks to come. There are ways to manage your privacy. But it requires more engagement, not less. Deactivating your Facebook profile may not be the right answer. Here’s why: a couple of years back Mark Zuckerberg talked about his vision for this network of his and described Facebook as a global “utility.” What he wanted was for this social space to be as necessary as your telephone or the electricity that powers your business. With 750 Million users connecting to each other and brands and business and other cultures via Facebook, he is definitely making that vision a reality. I don’t know, and I don’t care, if Facebook will be around in 5 years. But right now there’s no denying there is a certain dependence on the network. We (again the collective ‘we’) might actually *need* it to feel connected.

Where Zuckerberg might be failing is in not recognizing the power of a network that really is for the people. But hey, maybe that’s a future roll out. And by “future” I mean next week.

Let’s celebrate National Cyber Security Month by thinking and learning about Facebook and online security, not complaining. Celebrate by taking action and being empowered, not detaching. You’ll benefit from it, we will all benefit from it. Then we go back to happily sharing photos and posts!

Every Day is Cyber Momday

Today is Cyber Monday, the day when millions of shoppers set forth on the web to find unprecedented deals on merchandise.  Retailers large and small are participating in Cyber Monday, either passively or deliberately.  The truth is – Cyber Monday is a marketers’ dream.  The day itself marks the beginning of the very concentrated holiday shopping season on the web.  People are actively thinking about their holiday gift needs right after Thanksgiving and they return to work, and their computers, today.  So essentially they are stealing time from their employers to shop in record numbers.  And retailers are encouraging them to do it by coining the day – Cyber Monday. The next few weeks will see a significant upturn in web-based commerce.  More than likely, in order to beat the traffic and the crowds, you’ll be buying a good portion of your holiday gifts and supplies online.  While you’re surfing and shopping, though, criminals and mischief-makers are hitting the web in record numbers too.  It’s more critical than ever to have some awareness of what you’re up against when it comes to protecting your data and your credit and to be somewhat prepared to counter the efforts of the (using a term my son uses often) ‘bad guys’ on the internet.  If you’re new or still a little unsure about cyber shopping then this post is for you.  Well, it’s not, it’s actually for my mother and everyone like my mother – those people wanting to jump into the excitement of web shopping but who still have a tendency to believe every crazy email they receive and click on every errant pop-up that dances across their screen.  Here are some simple tips to help mom, and the entire family, stay just a little safer online this holiday season.

Avoid The Deal-In-A-Message
It’s hard to ignore the personalized notes that we receive via email or Facebook messages.  You know the ones I’m talking about – those messages that come addressed to you and seem to have read your mind.  They talk about a hard to beat deal and then include a link directly to a seemingly reputable website where you can purchase the item to realize these fabulous savings.  These messages are generally a phishing scam.  They trick you into believing you’re actually on the Amazon site (for example) and get you to share personal information and credit card data.  They do this by using that link to take you to a website that probably isn’t legitimate at all.  It’s unfortunate that something so simple can fool so many people.  But don’t feel bad – the scammers are really good!  They make the link look believable and the pages themselves could really BE real pages from (again for the sake of example) Amazon or Target.  Here’s a not-so-secret secret, though.  If Amazon is really selling your dream item at this unbelievable price you don’t need that link to access it.  Visit Amazon (or whatever site the link claims to represent) directly – just type the website into your browser without clicking on a link.  Once there, search on the item you want to purchase.  If it’s on sale the search will reveal the sale-priced item.  Don’t risk clicking on those links.  

Be Wary of Links On Facebook
An added layer of security, and one you should have some awareness of is HTTPS – when you look at a website’s address it looks like this:  http://www.geekgirlsguide.com.  But a site that uses SSL encryption for server verification and to encrypt the transfer of data will look like this:  https://www.geekgirlsguide.com (don’t click on that-it’s just an example).  Start noticing the S.  Look for it AND the padlock when you want to share data and make purchases.  Check here for a full explanation of Hypertext Transfer Protocol Secure.

You might want to try to force a secure connection with every web interaction.  You can do that by downloading and installing a plug-in that will do exactly that — literally force a secure connection with every (or as often as possible) website you visit.  This is handy when you’re using public wi-fi. But it also helps to protect you from the danger of packet or data sniffing in which real criminals do engage.  It is exactly what it sounds like – cyber thieves try to find holes in the data exchanges between your computer and the server where a website lives.  They try to sniff out or grab any data they can that may be less than secure.  Forcing this kind of connection is one additional way you can protect yourself from this kind of activity.  One Firefox plug in that does this is Force TLS.  If you’re a home user and you generally transmit data via an ethernet (or hard-wired) connection, this might be overkill.  But if you use a laptop or other portable device and/or you tap into public wireless internet, do consider forcing that extra layer of security.

Choose Good Passwords
Security starts with you. In fact, your security starts with your passwords. The biggest favor you can do for yourself and your data is to select solid passwords. This means that you have to stop using your kids’ names, your dog’s name, your husband’s name. Start making up passwords that are truly hard to figure out. Use longer strings of characters (letters, numbers and, in some instances, additional characters) — think about a 20-character password. I am not kidding. This is the primary thing that stands between you and criminals trying to get at your data. 20 characters might seem like a pain, but it’ll save you heartache and real true pain in the long run.

Many websites that require passwords help you rate the strength of your password when you create an account.  There are also services online that are available via reputable brands and companies that provide a password strength rating service.  Microsoft has one – search the Microsoft site and check your passwords to see if they are weak or not.  You might be surprised at what you find.

Being safe on the web begins and ends with you, really.  Understanding what to look for and hesitating when you have even the slightest doubt help you to avoid getting into trouble and losing your data to the ‘bad guys.’  There are no sure-fire ways to avoid being a victim of data theft.  But the more you know, the more you can protect yourself.

Happy Shopping!