
Monday, November 19, 2018

Exploits on the Internet





I received the above at my work email address last week.....

I have always been unimpressed with the idea of computer hackers for a number of reasons, the most obvious ones are contained in the above email.  Apart from the obvious extortion, their ability to reach out and ruin the day for anybody through any number of mechanisms is a major problem.  I was concerned to some degree about the threat based on me watching porn videos because it would be fairly easy to make it appear that I did it using any split screen video app.  Some online research revealed that there is a hack for Mac cameras.  It might be easy to get a video of me on the computer and then pair it with any pornography video.

My dealing with identity thieves illustrated how easy it is for criminals to remain anonymous in our society while average citizens deal with their mischief.  I was called at work by a very aggressive person working for a collection company who claimed that I owed them $10,000.  Investigation showed that an identity thief opened a fake credit card based on my Social Security Number and ran up the charges.  I filed a police report and was advised by the local police that it was unlikely that anything would happen, but that the report was necessary in order to file an affidavit with the credit card company to avoid paying the charges.  I was eventually able to track the thief to a Florida address and called the local Sheriff to investigate.  I was told that the Sheriff would not look into it because "anybody could have used that mailbox and it would be an invasion of privacy." It became clear that identity theft was just the cost of doing business for credit card companies and credit reporting agencies - regardless of the cost and time to the consumer.

The source of much of the hacking exploitation is infuriating and that of course is poor computer security.  What is never really made explicit is the reason for the lack of security. It was certainly never really designed in.  Apple claims that it is and they have a detailed explanation about this in their literature.  On the other hand Microsoft operating systems dominate the individual and corporate PC worlds.  If you are going where the money is - it will probably involve a Microsoft OS.  It seems that every Microsoft upgrade involves a raft of new security problems and when they have a stable OS - it gets upgraded and the old stable version gets unsupported anyway.  I suppose you can't make a lot of money on a product that you never upgrade. A lot of the security problems rest with the software manufacturers.

There is the software security industry.  Large companies that make antiviruses, firewalls, malware detectors, and password managers.  A dizzying array of free and in some cases fairly expensive software with the guarantee that none of it is foolproof - it might not work at all.  As an example, I was looking at the new collection of password managers for keylogger protection.  The above note describes a keylogger and that is software that records your keystrokes and sends them back to the hacker so that they can discover your passwords and account numbers/logins and steal from you.  Keyloggers can also take screenshots to get similar information. The password managers may or may not protect you against that.

The average computer user seems to pay a premium price for a computer with not very good security and an additional price for software that may or may not add much security.

By default we are left with a semblance of security at our own hands.  The common advice is to not open any email from an unknown source.  Email is a common way that malware and viruses are introduced to computers in large systems with extreme results.  It may allow hacker access to information or in the extreme case hijack the entire system until a ransom is paid to unlock it.  In the case of the message sent to me - I am sitting behind a corporate firewall  that seems to intercept even benign messages and send me a report so that I can decide which one should be deleted and which should be released.  This message sailed right through! 

All of the lack of reasonable security results in the possibility of scaling the criminal enterprise.  Now instead of blackmailing a person who may be engaged in some activity that they don't want anyone to know about - the enterprising Internet criminal can send out thousands or tens of thousands of these messages - just playing the odds. The impact on the other 90% is completely ignored.   

All of the security fixes so far ignore the basic problem of who is basically creating all of this chaos. I did a PubMed search on hacker(s) and came up with 90 references dating back to 1986.  None of them were what I would consider to be scientific papers. Most were opinion pieces either warning about threats or advice on how to secure your data or network against threats. Many were from non-mainstream journals.

I am also a member of the IEEE and when I check their web site, there are 240,000,000 references to hackers.  Hackers psychology as a search term results in 4.182 million references.  Going to the IEEE Xplore digital library results in 10 hits - 4 from journals and magazines and 6 from conferences.   The professional literature available to me does not seem to be much of an improvement over what is available in the popular press.  In the popular press there are some articles speculating on who the hackers are and what their various motivations are.  For example, an article discusses how some teenage boys become obsessed with hacking and with time and a singular focus can hack like anyone.  There are stories of American teenagers hacking the American government including military institutions and Russian teenagers being praised by Putin for stealing money from American bank accounts.  An article suggests that these teenagers eventually grow out of it when they recognize it is wrong.  One story suggests that the hacking obsessed teens are on the Autism Spectrum - they have Asperger's syndrome.  There are appeals to come up with a multidisciplinary approach to studying hackers and why the social sciences are important in the effort.  There is a suggestion that some of these programs are out there in the security industry and law enforcement - but nothing very compelling.

Hackers have a large footprint in popular media.  The average television program suggests that a good hacker has instant access to whatever information they need.  That can range from any video feed to any blueprint to any financial information in any city.  That is an obvious stretch, but that is the way things are portrayed.  A study of how many media portrayals are of white hat versus black hat hackers (the old western terminology applies) might be interesting.  My impression is that most are white hat by a large margin.  And then there are the hacker antiheroes, most notably Elliot Alderson of Mr. Robot and his sister Darlene.  Nothing in the media portrayals to suggest that cybercrime in the US costs an estimated $350-500 billion annually.

I sincerely hope that there is a vast network of concerned cybersecurity experts, that are acting rationally on these threats.  I confess that I am not very confident that there is. The idea that a private contractor can access top secret government files and send them around the Internet suggests to me that even our top intelligence agencies may not know much more about protecting their systems than I do. 

Coming back to the graphic, my overriding concern is that there are tens of thousands of people out there like the person that sent this email.  They can get close to many more people than they could walking up to them and holding them up on the street, but that doesn't mean they are any less sociopathic.  The dominant dynamic is that they will verbally, emotionally, or physically intimidate  you to get what they want.  That tone is clearly there in this email.  I think network providers and the hardware and software providers can do a lot more.  The most compelling evidence there is the disappearance of pornographic email spam from the early part of the century. At first it was up to the individual user to set up filters to get rid of it and then mysteriously one day - the inbox was free of pornography for good.  They should be able to do the same thing with emails like the example here.

For now every user must stay diligent and do what they can to protect themselves.  A home network specialist that can be consulted about the latest gear and standards helps.  Common sense helps.  At the bottom rung is the idea that not all emails need to be opened or responded to no matter how obnoxious they are.   


George Dawson, MD, DFAPA


Supplementary:

Despite the confusing landscape my experience here highlights a couple of points.

1.  It is critical to change your password/login if a business you access on the Internet gets hacked.  In this case the hacker was able to purchase a 2013 password from an Internet site I frequented on the Dark Web and use it in the first line of the email. That password was available because the company I logged into was hacked exposing the personal information of tens of thousands of users.  This highlights the need for changing passwords immediately when there is a report that an online site has been hacked.

2.  In one of the papers I read about password changes - it turns out that frequent password changes required by many companies result in less secure passwords because employees are annoyed by the changes and the suggested complexity of the passwords. The authors of that paper suggested that frequent changes were unnecessary.


Supplementary:

I am very interested in any scientific research on the psychology of hacking and cybercriminals.  Please post any good references that you have. 



References:

1: Hutson M. Hackers easily fool artificial intelligences. Science. 2018 Jul 20;361(6399):215. doi: 10.1126/science.361.6399.215. PubMed PMID: 30026208.

2: Waldrop MM. How to hack the hackers: The human side of cybercrime. Nature. 2016 May 12;533(7602):164-7. doi: 10.1038/533164a. PubMed PMID: 27172030.

3: Committee on Developing a Cybersecurity Primer: Leveraging Two Decades of National Academies Work, Computer Science and Telecommunications Board, National Research Council; Clark D, Berson T, Lin HS, editors. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. Washington (DC): National Academies Press (US); 2014 Jun 16. PubMed PMID: 25057698.