Privacy

Deciphering The Legitimacy of an Email

by at

Cybercriminals utilize a wide variety of tools and tactics. By far the most popular tool one is the use of email. Criminals like to use email in part since it is very easy to spoof an email and email address.  There are even free sites that let you send one-off emails using a spoofed or custom disposable email addresses.

However, much more importantly for the cybercriminal it is even easier to get the recipient to believe it is legitimate.

There are ways to help to decipher an email since most of the email tactics used by cybercriminals do leave traces that help in determining if the email has been spoofed. To uncover these traces one needs take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject and the full header will contain detailed information about where the email came from and how it was routed. The body of the email and attachments can also help to provide additional traces that help to determine the email’s legitimacy.

Over the next series of posts I will be breaking down the content of an email to help to decipher the legitimacy.

Blood Sucking Hackers

by at

On June 3rd, Quest Diagnostics filed a report with the Security and Exchange Commission (SEC) stating that  it was notified on May 14th that between August 1, 2018 and March 30, 2019 an unauthorized user access to American Medical Collection Agency (AMCA) system that contained information received from various entities, including Quest Diagnostics. The information included credit card numbers and bank account information, medical information and other personal information of approximately 11.9 million people.

The very next day LabCorp filed a similar brief with the SEC stating that the AMCA informed them that it is sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed.

AMCA is third-party collection agency that stores information such as first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of services, health care provider information, and the amount customers owe. The information AMCA received comes from a company called Optum360,  a revenue cycle management provider. No information about lab results is passed on to the AMCA. Both Quest and LabCorp have suspended business with the AMCA.

The question most consumers are probably asking themselves is when they will be notified. Right now there is a lot of finger pointing. The laboratory companies systems were not breeched and neither were Optum360’s. The challenge is that while those companies appear to be committed to keeping all relevant parties informed the AMCA has not given them any specific information about the individuals impacted.

Are Your Online Activities Being Tracked? (Spoiler: Yes)

by at

Ever do a search on Amazon and then have the same exact product you were looking at pop-up as an ad on a web or social media site? The reason this happens is in part to the fact that most Internet web-based services and Internet service providers actively monitor your network traffic.

This is not as nefarious as it seems but your browsing habits are for sale and are highly valued by retailers and marketing companies. Very often an individual actually has consent to some level of  tracking by simply agreeing to use a service. Still, there are ways you can limit what information about your online habits that your web browser is exposing.

One quick way is by using the Electronic Frontier Foundation’s (EFF), a San Francisco-based digital-rights advocacy group, site called Panopticlick.  This site evaluate’s your web browser’s privacy quickly and non-invasively and then provides suggestions on how to limit the about on information which is leaking out.

The EFF provides a description of  Panopticlick in a blog post. What Panopticlick does is to check your browser for four types of browser security. Does the browser:

  1. Block tracking ads, which harvests information from your browser without consent.
  2. Block invisible trackers, which are protocols sites implement to harvests user data, again without consent)
  3. Allows ads and scripts from third parties.
  4. Blocks fingerprinting, which identifies a user based on unique browser data.

While there are plenty of browser exertions out there that help to block trackers, the EFF promote their Privacy Badger. It should also be noted that Panopticlick site only scans for those security issues the Badger mitigates. Still, using the EFF scanning service and the extension is a great start to better privacy!

What is Multi-Factor Authentication?

by at

The traditional method for accessing online systems is through the use of a login name and password. An active online user may have hundred login / password sequences to remember. Trying to remember of those sequence inevitably leads to people using the same login and password sequence or writing them down somewhere.  Sometimes over, and over, and over again. Once could call this single-factor authentication since one only really needs to remember the password associated with an email address.

The problem with single-factor authentication is that to remember passwords people generally use stuff they know like people’s names, dates, etc. This puts a person at risk since if the credentials for one account are discovered then access to multiple online accounts is a click or two away. To help individuals protect their online accounts an increasing number of providers have implemented alternative authentication methods.

Multi-factor authentication is a method of confirming a user’s identity only after successfully presenting two or more pieces of information from independent categories of credentials  – factors – as a way to confirm their identity. These factors may include knowledge (high school mascot?), a possession (a phone to call), and inherence (biometric info like a fingerprint).

Two-factor authentication is the more commonly use subset of multi-factor utilizing a combination of only, you guessed it,  two factors. An everyday example of two-factor authentication is using an ATM. ATM’s requires a correct combination of a bank card (a possession) and a PIN (knowledge) to allow a transaction. A popular two-factor approached used online involves sending a unique code to the phone paired with your account or using a code generator like Duo.

To protect oneself one should take advantage of two-factor and multi-factor authentication if an online provider uses them. They are reliable methods of verification. If neither are available, consider using a Pass Phrase rather than a simple password

 

What is this GDPR Thing and Why Should I Care?

by at

You may have seen a flood of updated privacy policies from your online service providers flooding your in-box over the past couple months. These are the direct result of new data privacy laws, the General Data Protection Regulation (GDPR) taking  effect across the European Union (EU) today. These laws provide consumers with more control over their personal data.

What Is It?

GDPR was ratified in April 2016 and establishes a single set of personal data protection rules across Europe.  Companies and online service providers outside the EU are subject to this regulation when they collect data concerning any EU citizen. Personal data is defined as any information relating to a person who can be identified directly or indirectly including information that can be linked back to an individual. There is no distinction between personal data about an individual in their private, public or work lives.

Companies will be required to implement appropriate technical and organizational measures in how they handle and process personal data. Data protection safeguards must be appropriate to the degree of risk associated with the data being collected and held. If there is a data beach and any of the laws were not properly applied fines could be as high as 20 million Euro or 4% of annual revenue, whichever amount is higher.

Since US companies with EU citizens as customers must follow DGPR laws US citizens may benefit from the laws.

Why Should I Care?

The theft or accidental disclosure of an individual’s data by an online service provide exposes that individual to any number of potential issues. The intent of the law is to provide individuals with more control over which data on them is being collected and places significant restrictions on how companies manage data to reduce of eliminate that exposure.

Under GDPR companies obtaining data from individuals must detail the purpose of data and how it will be used, if the data will be transferred internationally , how long it will stored. Individuals retain the right to access, lodge a complaint, or withdraw consent at any time. They also have the right to be forgotten. The data must be erased if it is no longer needed for the reason it was collected.

If any company experiences a data breach, they must notify the individuals whose data was stolen must be informed with 72 hours. This is in contrast to many more recent security breaches which come out in the news months later.

Another part of the regulation requires that consent for the company to collect data must be given by the individual by a clear affirmative action. This consent does not need to be explicitly given and can be implied by the person’s relationship with the company. Any data being collected and retained must be for specific, explicit and legitimate purposes.

Resources

Russell and Fuller. GDPR For Dummies. 2017. Wiley & Sons.

 

Want to Delete Your Facebook Account? Not So Fast ….

by at

Many people that decided to quit Facebook after the revelations over the data sharing practices of some of their partners. What some have learned when trying to delete their account is that it is not as simple as hitting the delete button.

To permanently delete Facebook account:

  1.  Select Quick Help in the top-right corner, then Search.
  2.  In the Search field enter delete account.
  3. Select How do I permanently delete my account? from the search results.
  4. You will be given you instructions to “log into your account and let us know.” Select the let us know link.
  5. Then follow the steps: Enter your password and solve the security captcha.

The thing to remember is one just  makes a request to delete an account.  Facebook delays the process and will automatically cancel a request if the account is log into during that time period.  Make sure to delete the app from all devices since if one of them access an account will cancel the request.

Deactivation

The alternative to deleting an account is to deactivate it. After one deactivates their account everything goes back to normal the next log in, as if nothing has happened. Deactivating is not the same as deleting. Deactivating one’s Facebook account simply hides information from searches and Facebook friends. Although nothing is visible, the account remains intact on Facebook’s servers.

  1. Go to settings and click General.
  2. Select Manage your Account.
  3. Select Deactivate your Account and type in your password.
  4. You will be shown  photos of “friends” you’ll miss (“Eric will miss you”) followed by a survey to detail reasons for leaving.
  5. After all that, select Deactivate.

 

Resources:

https://www.wired.com/story/how-to-delete-your-facebook-instagram-twitter-snapchat/?mbid=social_twitter&mbid=social_twitter

Email: The Cybercrime Gateway

by at

Billions of email messages are sent each day.  The ease of use, speed of transmission, and relative anonymity of email has made it a tool for cyber criminals. One survey indicates that 91% of all cyber crime starts with an email.

Using email to commit cybercrime is almost as old as email itself. While there are many ways email can be expoited, here are the more common ones:

Phishing

The term Phishing is a generic term used to describe the very broad category of email techniques used by cybercriminals. Future posts will go to Phishing techniques in greater detail.

Scamming

Based on the centuries old Spanish Prisoner, the infamous Nigerian 419  email scam of the 1990’s is still alive and well in one form or another and is a classic phishing scam. It involves promising the potential victim share of a large sum of money, in return for an up-front payment. If someone actually makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.

Spoofing

A spoofed email is one that appears to originate from one source but is actually sent by another. Like Neighbor Spoofing, falsifying the name and / or email address of someone the receiver is likely to know increases the odds the person will respond or take requested action (check out funny joke in the attachment!) It is actually not too difficult to spoof an email adddress using relatively simple tools.

Spreading Trojans, Viruses and Worms

Emails are perhaps the fastest and easiest way to spread malicious code. For example, the Love Bug reached millions of computers within 36 hours back in 2000,  all thanks to email. Cybercriminals will bind the malicious code in e-greeting cards, fake virus patches, et and email them in messages which are written in a way to make the reader feel like immediate action is required.

Attachments

Attachments are a very common way to spread malicious code. The rule of thumb is to open only those attachments that you are expecting – even if coming from someone you know (remember: email address spoofing!). File names can been spoofed as well so that an attached file that is actually a computer program can look as though it is a simple word processing file. If you are unsure, contact the person and ask if they sent it.

Links

Don’t immediately click on the link(s) in emails. Keep in mind email spoofing since a message may look like it is coming from someone you know! Hover your curser over any links to double check if the destination URL is what it’s claiming to be. To be extra careful, type out URLs manually instead of clicking links.

Getting SPAM Texts? Forward them to 7726

by at

The use of text messaging is a growing tool for marketers. Many texts are legitimate and originate from service providers you may have given your number to.  However, the number of SPAM text messages appears to be growing rapidly. According to the Federal Trade Commission, “It’s illegal to send unsolicited commercial messages to wireless devices, including cell phones and pagers, unless the sender gets your permission first.” The same would hold true for text messages that are sent from robo-callers.

If you’re receiving random messages from unknown numbers or entities it is probably illegal SPAM from someone phishing for information and trying to scam you. So, what can one do?

Report to your carrier

A little known service provided by most cell carriers is SPAM reporting. On an iPhone, select the spam message by holding it down with your finger. A menu will pop up. In the lower right, select More and then the arrow icon. This will create a new message that can be forwarded. On almost all carriers forward the message to 7726. Make sure to copy the phone number that send the message since an auto-reply may ask for it as well.  Why 7726? It spells SPAM.

Block numbers

On an iPhone, go to the offending text and press the “i” in the upper right-hand corner. That is where you will find the option to Block the number. There is no way for the robs-callers to know you’ve blocked them so they can send all the messages messages they want. There is one caveat. The blocked number can still leave a voicemail but you won’t receive a notification. You may notice voicemails piling up on you.

Resist the urge

You may feel the urge to reply to a SPAM text. Maybe you want to tell them how you feel. Maybe you love practical jokes and you want to mess around. Don’t.  Don’t even responding to their request that you reply “NO” to stop their messages. Engaging the sender in any way will make the problem worse.

*Don’t Press 1* : Neighbor Spoofing

by at

Odds are this HAS happened to you.

A call comes through on your phone. The caller ID  shows it is coming from the same area code AND the same

https://www.flickr.com/photos/mag3737/5982743771

https://www.flickr.com/photos/mag3737/5982743771

first three digitals as your phone number. Your first though is that it has to be a neighbor or someone in the community calling. Sometimes it is YOUR number calling you!

However, when you pick up it isn’t a neighbor. Far from it. It turns out top be someone selling an exclusive vacation deal – just “Press 1” and you will get a fantastic price! This technique, called neighbor spoofing, uses an automated robocaller that generate a fake caller ID number that will almost match your number.  It is an illegal activity to trick you into picking up and respond to their questions in an attempt to giving out or confirm personal information.

A robocall is a pre-recorded automated call, usually for telemarketing purposes.  While some robocalls are legitimate (emergency weather alerts), many calls can be predatory or deceptive.  In August 2017, the FTC issued a warning to Hurricane Harvey victims about a flood insurance scam in which homeowners were advised that their flood premium was past due. According to the Robocall Index, maintained by YouMail, 2.6 billion robocalls were placed in July 2017 alone! The FTC reports that robocalls are the top complaint received by the agency.

On the Do Not Call list? It doesn’t matter. The scammers are engaging in illegal activity so why would they obey the registry? What can you do? Unfortunately, the scammers will keep calling. But following the first two suggestions below are important in trying to reduce the number of calls.   

Don’t Answer

When one sees a number they think is a neighbor the first reaction / behavior is to answer since there may be a problem! However, by simply answering such a call thinking it is a neighbor may subject you to even more calls.  There is an underground market for phone numbers for individuals that pick up or respond to questions. Numbers on such lists on are used by robocallers with increased frequency.

Don’t Respond or Confirm

If you do pick up and you can tell it is a robocall, hang up right away. Do not engage the caller and certainly do not respond to any requests to press additional numbers. DON’T PRESS 1. Pressing any number, even if it is responding to their suggestion that doing so will take you off their list, only confirms your number is active and that they reached a live person.

Some people love to engage telemarketers for entertainment, but doing so may actually put you an their “call frequently” list.

Do Block

There is a reason it is called “spoofing.” It prevents you from knowing where the call is really coming from. It may be coming from out of the country! One approach is an block a particular numbers. However, by the time you do that the same scammers have probably moved on to a different number.  While it do takes a bit of work and is annoying, you could systematically block callers, even though it will seem like a finger in the dike approach.

 

What Information Are You Sharing with Facebook Apps ?

by at

The vast majority of Facebook users do it. We install apps built into Facebook and just click through all the questions without reading. We go to a website which are prompter to create a new account or “log in” with Facebook. Logging in with Facebook is easier since who needs yet another account to remember? How many times have you done this? You might be surprised. No. Shocked.

In both of these situations you are not granting access Facenbook itself to any new data, Instead you are granting access to your information by a third party.  According to Facebook, each app that you log in with you automatially agree to share at the very least your gender, the networks you belong to, your username and user ID, and your full name and profile picture. You also grant access to your full friends list and any other public information that you have included on your Facebook profile.

This issue is at the center of the Cambridge Analytica data scandal. The political research firm was able to access data on more than 50 million Facebook users through a third-party personality quiz application call “thisisyourdigitallife”, without the knowledge or consent of any of those users.

To see what apps have your data:

  • Select the drop-down menu on the top-right side of Facebook on the website or mobile appand select “Settings.”
  • Select the “Apps” option (on the left side of the page on the website. Scroll down the to the settings page on the mobile app).

This will display all the apps that you have granted access to and to which data:

If you wish to delete an app on the website hover over it and then the “X” button to remove. You may wish to do a little housecleaning on a regular basis and delete any apps you no longer use. Any data that was previously shared will still be in the possession of the app developer, however. They just won’t get any new data.

You can also manage the data sharing settings for apps you still want to use. If you select the pencil “edit” icon while hovering over the app you will see all the data options you are sharing with that app. Deselect data options any that you wish not to share with them.

The important takeaway is that you need to stay diligent and anytime you access a new Facebook app or use “log in with facebook” to immediately edit these options