The Con Artists Are Back: Part II
IT’S NOT PARANOIA IF THEY REALLY ARE OUT TO GET YOU!
I had the pleasure of attending a cyber security conference recently and the opportunity to hobnob with my fellow wizards. Not surprisingly, several panel members pointed out that about one third (33%) of all successful attacks on computer systems, from single users to large networks, begin with successful social engineering. This runs the gamut from fraudulent phone calls that fish for data or scare you into sending prepaid cards somewhere, to phishing (pronounced "fishing") emails that try to harvest usable personal information or plant a foothold on your computer for later damage, to someone masquerading as a person with the authority to move money and demanding that funds be transferred. The last of these, known in the trade as business email compromise, is causing particular concern.
The original Nigerian Prince scam was the brainchild of some unemployed computer geniuses in, where else, Nigeria. Since those heady days of waiting for a fortune to show up in your bank account, scammers and hackers have become more patient. When attacking a network, today's cyber ne'er-do-wells will often spend over a year quietly exploring a large network before putting a plan into action. They read emails and learn the writing habits of the people in them, so that a forged request reads like the real thing. They learn where the money is and how much they can con away before anyone notices, and they take great pains not to be discovered. It is still unknown how long the Target network was compromised before credit card numbers began to be stolen. And what still boggles the mind is that this is the day job of the current crop of hackers.
So, what to do? The number one thing, which is also the number one pain in the neck, is password hygiene: a different password for every account, changed the moment you suspect it has leaked. (Current NIST guidance, SP 800-63B, no longer recommends forcing routine changes on a calendar; a long, unique password beats a short one swapped every month, and reuse across sites is what turns one breach into ten.) Swapping between 3Stooges and MoeLarryCurly no longer works. Use numbers, symbols, capital and small letters, and prefer a short phrase to a single word. B@nanasHav3Appeal! (Bananas have a peel!) fits the bill and is easy to remember. Something like that works well (and no, it is not my current password), though now that it has appeared in print it belongs on every attacker's wordlist, so don't use it either. This goes for computer logon, email and online accounts. Next, know what your accounts hold and watch for any activity that is not yours. If an account offers to send a one-time code, typically a six-digit number, to your cell phone in addition to the password, turn it on; this is two-factor authentication, and a stolen password alone will not get past it. I know it means checking things more regularly, but such is the price we now pay for this electronic convenience.
The other current concern is the raging epidemic of ransomware. This is an insidious family of malware that encrypts your data and leaves a note on the infected computer explaining how to buy a few hundred dollars in bitcoin and send it to the blackmailers in exchange for the key that unlocks your files. It pains me to say this, but they are in it for the money and do what they say they will. They cannot risk a bad (?!?) reputation, and from what I know of them they run a surprisingly responsive help desk to speed the transfer of your money into theirs. The FBI currently advises against paying the ransom, because it only encourages this scurrilous behavior. A good backup of your data is the sure way to avoid ponying up the extortion money, with two caveats: the backup must be kept offline or otherwise out of reach of the infected machine, since ransomware also encrypts mapped network shares and attached backup drives, and you must actually test that you can restore from it. And as soon as an infected computer is noticed, disconnect it from the network (pull the cable, turn off Wi-Fi, unplug external drives) to keep the infection from spreading.
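Noticing the infection early is what makes "disconnect it" useful, and ransomware leaves two cheap tells: files rewritten as ciphertext score near 8 bits per byte of entropy where documents score around 4 to 5, and a decoy "canary" file that nobody legitimately edits suddenly changes. The following is an added example, not code from the original column or any product, that runs both checks over a constructed directory in which a simulated infection has struck. The entropy threshold, the extension lists and the file names are assumptions for illustration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Shannon entropy in bits per byte. English text sits near 4.5, ciphertext and random bytes near 8.0.
# 7.2 is an assumed threshold for this example; compressed files (zip, jpg, mp4) also score high,
# so production tools combine entropy with extension and rename-rate signals.
ENTROPY_THRESHOLD = 7.2
# Extensions appended by some ransomware families; a constructed, deliberately short list.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Formats that are high-entropy by design; skipped so they do not drown the signal in false positives.
ALREADY_COMPRESSED = {".zip", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_tree(root: Path, sample_bytes: int = 65536, min_size: int = 512) -> list[str]:
    """Return paths (relative to root) that look encrypted or carry a ransom extension."""
    flagged = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size < min_size:
            continue
        if path.suffix.lower() in ALREADY_COMPRESSED:
            continue
        with path.open("rb") as f:
            head = f.read(sample_bytes)   # the first 64 KiB is enough to classify the file
        if path.suffix.lower() in RANSOM_EXTENSIONS or shannon_entropy(head) > ENTROPY_THRESHOLD:
            flagged.append(str(path.relative_to(root)))
    return sorted(flagged)


def canary_tripped(path: Path, expected_sha256: str) -> bool:
    """A canary is a decoy document nobody edits; any change (or deletion) means something is rewriting files."""
    if not path.exists():
        return True
    return hashlib.sha256(path.read_bytes()).hexdigest() != expected_sha256


def demo() -> tuple[list[str], bool]:
    """Build a constructed file share in a temp dir, simulate ransomware, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        text = b"Quarterly report: revenue up, costs flat. See attached tables.\n" * 40
        (root / "report.txt").write_bytes(text)          # ordinary document, stays untouched
        canary = root / "_payroll_do_not_open.txt"        # decoy with a tempting name
        canary.write_bytes(text)
        expected = hashlib.sha256(text).hexdigest()       # recorded when the canary is planted

        # Simulated ransomware: an encrypted copy with a new extension, and the canary overwritten.
        # os.urandom stands in for ciphertext; both are indistinguishable from noise to this check.
        (root / "report.txt.locked").write_bytes(os.urandom(4096))
        canary.write_bytes(os.urandom(len(text)))

        return scan_tree(root), canary_tripped(canary, expected)


if __name__ == "__main__":
    flagged, tripped = demo()
    print("suspicious files:", flagged)
    print("canary tripped:", tripped)
```

Run on a real share, the scan belongs on a schedule of minutes rather than hours, and a tripped canary should trigger the disconnect automatically rather than wait for a human to notice the ransom note.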
Finally, at work, we have to be as careful with our computer networks as we are with every other tool and piece of equipment we need to do our jobs. Our clients' personally identifiable information (PII) is now a valuable commodity on the black markets of the cyber world. We don't have to shut the computers down, but we do need to be cautious. Make sure an email is legitimate before acting on it: check that the sender's address matches the name, hover over a link to see where it really goes, and confirm any request to move money by phone, using a number you already have rather than one in the message. Don't click unknown links or the click bait at the bottom of the web page, and wait until you get home to check out the cute cats. And I'm sorry to inform you, but the Nigerian Prince is not going to send you any money.
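The "hover over the link" habit can be automated for a whole mailbox. Three tells cover most phishing links: the visible text names one domain while the href points at another, the href hides the real host behind a user@ prefix, or the host is a bare IP address. The following is an added example, not code from the original column, that pulls every anchor out of an HTML email body and reports those tells. The sample email and its domains are constructed, and the last-two-labels domain comparison is a deliberate simplification noted in the code.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def base_domain(host: str) -> str:
    """Crude 'registrable domain' = last two labels. Assumption for this example only:
    real code should consult the Public Suffix List so bank.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list[tuple[str, str, str]]:
    """Return (href, visible text, reasons) for links showing classic phishing tells."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if not host:
            continue  # mailto:, relative or empty links: nothing to compare
        reasons = []
        if parsed.username is not None:
            reasons.append("userinfo before @ (the real host is after it)")
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address as host")
        except ValueError:
            pass
        shown = HOST_IN_TEXT.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample of a phishing email body; every domain here is fictitious.
SAMPLE_EMAIL = """
<p>Your account has been locked. Restore access at
<a href="http://bank-example-secure.evil.test/login">https://www.bank.example/login</a></p>
<p>Or <a href="https://www.bank.example@203.0.113.5/login">click here</a> to verify now.</p>
<p>Unsubscribe: <a href="https://www.bank.example/unsub">https://www.bank.example/unsub</a></p>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}\n   {why}")
```

The third link in the sample passes because its text and target agree; the first two are exactly the cases a hover would reveal. A mail gateway would add the same comparison between the From address and the Reply-To header, which is the email-header version of the same trick.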