Why an Attack on a Taiwanese Chipmaker May Affect You

Most people have probably never heard of Taiwan Semiconductor Manufacturing Co. (TSMC). Most people would be surprised to learn that it is the seventh biggest tech firm in the world, placing just below Apple. In fact, according to Bloomberg, TSMC is the “sole maker of the iPhone’s main processor” and is currently preparing to begin producing chips for Apple’s next iPhone. Indeed, Apple accounts for 21% of TSMC’s income. So you’d have to figure that an attack that shut down three of its factories had to have some negative effects.

As of this writing, TSMC is giving few details about what exactly caused the closure of its factories. The Wall Street Journal claims that the company was attacked by a computer virus which was “a modified version of the WannaCry virus”. But calling it “a computer virus” is simply a way to obscure the facts. And, to add to the mystery, the company also claimed that the virus was not introduced by an outsider. The latest company statement on the problem states that the disruption was caused by a “mistake made during software installation that then spread through its network.” That was some mistake.

Without more details, it’s impossible to know what exactly they are talking about. How does a bad software installation shut down three factories? Since they referred to a “computer virus”, does this mean that malware was pre-installed on some important software that masked itself as an update? How long ago was this installation performed? Was this virus or malware on the network for a long time or did its installation instantly shut down the factories?

According to an update of the original Bloomberg article, “no confidential information was compromised in the virus attack”. So it is now termed an “attack”, not just a problem caused by incompatible software. This conclusion seems confirmed by a statement from Chief Financial Officer, Lora Ho, who said, “TSMC has taken actions to close this security gap and further strengthen security measures.”

Okay, so what precisely was the security gap that needed closing? Because it now appears that the network was breached by someone either looking to disrupt operations or steal information. You don’t take the time to compromise the supply chain just for fun. In either case, it must have been a major business competitor or a hostile nation state that could benefit from such a disruption or benefit from some secret information it may be able to get its hands on.

This being the case, would anyone be surprised if China was behind this attack? Probably not. According to one source, Taiwan’s government networks are attacked by China at a rate of up to 40 million a month. China would like nothing more than to give one of Taiwan’s biggest tech companies a black eye. Doing so would make competing Chinese companies look better, by comparison. Maybe they could persuade Apple to depend less on TSMC for its chips and start using Chinese semiconductor producers.

Then again, maybe they wanted to steal information on the new iPhone chips. TSMC claims that no confidential information was accessed by the attackers. However, what would you expect them to say? In every major attack I have written on, the attacked company always initially downplays the attack. Over time, they release more details. The company has only stated that deliveries of new iPhones may be delayed and that TSMC may see a temporary 3% decrease in profits which will amount to a loss of about $250 million.

We may find out the truth if a Chinese smartphone maker suddenly comes out with a phone that is surprisingly similar to the new upcoming iPhone 9. But maybe the attacker’s plans were simply to sully the image of the iPhone by using malware that would change the manufacturing parameters on machinery used in iPhone chip production. Such actions would then result in the production of underperforming iPhones. These imperfect phones would have to be recalled and, in so doing, Apple’s reputation would suffer. We also cannot dismiss the possibility that the hacker wanted to put some sort of backdoor into the chips.

If this attack was engineered through contaminating software from a supplier, it would most definitely have to be the work of a nation state. Such an approach is simply far too sophisticated for a bedroom hacker. Connecting this malware to the WannaCry virus seems a bit of a stretch, but it is possible that it had some similarities. For me, it seems closer to a variation on the Stuxnet malware, similar to the Triton malware that shut down Saudi Aramco last year. Interestingly, when that particular attack was reported, Saudi Aramco claimed there had been no attack at all.

If we assume that China was behind this attack, we’d have to speculate on how they compromised the supplier. Without knowing who the supplier was, we can only assume attack strategies that have been identified by the United States Office of the National Counterintelligence Executive in their 2018 report. Besides normal cyber attack methods, China uses the following routes to get the information it needs to support its tech industries.

[Image: chinese hacking]

We would have to know the infected supplier to reach any conclusions as to how the malware may have been placed in the software without it being detected before distribution. It should be noted, however, that TSMC has a semiconductor fabrication plant (fab) in Shanghai. Just saying.

China is no newcomer to the ICS/SCADA (Industrial Control System/Supervisory Control and Data Acquisition) attack arena. These terms refer to the control system architecture of machinery or other infrastructure that sets production parameters. If tampering with machine control systems was, in fact, the attack vector China used against TSMC, no one would be surprised. China is the leader in this type of attack. In 2013, Trend Micro set up some honeypots that looked like valid SCADA networks. They wanted to see if they would be attacked and by whom. In short, they were quickly and robustly attacked. And who were the main attackers? The chart below will give you that answer.

[Image: china scada]

Yes, China led the way with 35% of the attacks being attributed to them.

While we await details on this attack, we can only speculate on the consequences. The attackers may leak information on what they found out about the new iPhone to take away some of its thunder. Well, what a coincidence! Yesterday, August 8th, a Chinese publication called Economic Daily News leaked details of the new series of iPhones. The information was reportedly from a Foxconn employee, but who knows?

[Image: iphone 9]

The debut of the new phones is expected in September, but that may be delayed. If a delay occurs, it may not only be because production was shut down for three days. If the malware was in the system for longer than the company admits, they may have to check to see if new chips and phones that may have already been produced possess faults. If the delay is longer than just a couple of weeks, the hack may have been more successful than the company has claimed.

At the very least, the attack may cast doubt on the reliability of the iPhone. Most hardcore iPhone users may not be fazed. However, those contemplating a change to another brand may see this as the last straw and make a move to another maker. This will be especially true if, by sheer coincidence, a Chinese smartphone producer comes up with a phone that is almost a clone of the new iPhone. I guess we’ll just have to wait and see.


Why Not Get Google Results with a Private, Non-Tracking Search Engines?

I like Google. I think it gives better search results than any mainstream search engine. That said, I know it’s following me. It keeps records of what I search for, what sites I visit, and what I like to build a profile of me. It then offers me targeted ads and targeted search results. Sometimes that can be good. It saves me search time. Unfortunately, there are other times that I might not want Google to know so much about me.

If, for example, the government ever needs to find information about me, I’m sure they will stop at Google for a little help. And, make no mistake about it, Google will be only all too happy to comply. Here is the most recent data from Google showing requests for customer data within the U.S.

[Image: google data requests]

But requests for data are one thing and actually coughing up that data is another. So what percentage of these requests were acceded to? Here’s the chart that gives this information.

[Image: google percent data requests honored]

In other words, Google agrees to most of the data requests it receives (82%).

What data does it have on you? Quite a bit. You can get a copy of all the data Google has on you here. You can choose what information to look at. I chose the following, which comprised over 2GB of data.

[Image: google data]

But there is more to privacy than this. Google knows in advance what you are probably searching for. If you type in the first letter of a search, it will suggest frequently visited sites that begin with that letter. This can be convenient. It could also cause you problems.

Imagine, for example, your wife wants to look for a bread recipe, types in a ‘b’ and sees that ‘babes in bikinis’ is suggested. Busted! Sure, you can delete your history, but how many of us actually do that after each browsing session. Besides, Google will still keep your browsing information no matter what privacy steps you decide to take. They need it for advertising. But I understand. Google is a business and they need to make money. At this point in cyber history, selling personal information is the best way to get rich.

But what if you could use a non-tracking browser that uses the Google search engine? What if Google never knew who was browsing or what they were browsing for? That would certainly give the user much more privacy. Well, those search engines are here, and, in this post, I’ll suggest a few.

There are a number of private search engines. Most privacy-concerned individuals have heard about DuckDuckGo, which is used by the Tor browser. DuckDuckGo leverages Yahoo search, and I don’t really find the results from Yahoo to be as good as those from Google. Besides, Yahoo has the worst privacy policy available and they have been known to collude with the NSA. Therefore, I will only focus on private search engines that use actual Google results or results from a combination of search engines that includes Google.

Private search engines protect your privacy by acting as an intermediary. You type your search terms into their search page and they go to Google for you. Google only sees the search engine address as the searcher. They don’t know the real person behind it.

As Google builds its profile about you, their algorithm begins to send you targeted search results. In short, they filter out any results they think you would not be interested in. This leads to the formation of what is called a ‘filter bubble’. You will be isolated from results that conflict with your viewpoint. It is a strategy which, no doubt, can help magnify divisions within a culture. Private search engines will not do this. When they leverage Google, Google has no profile of you personally, so they must present all viewpoints in their search results.
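As an added illustration (not code from this post or from any of the engines named here), the Node.js model below shows the intermediary role just described: the browser’s request, with its cookies, user-agent, referer and source address, is reduced to the bare query before anything is sent upstream, so the upstream engine only ever sees the intermediary’s own identity. The request shape, the header list, the `intermediary.example` and `upstream-engine.example` hostnames and the sample request are assumptions made for the illustration.

```javascript
// Added example, not code from the post or from any search engine it names.
// Headers an upstream engine could use to tie a search to a person.
const IDENTIFYING_HEADERS = ["cookie", "user-agent", "referer", "x-forwarded-for", "authorization"];

// Build the request the intermediary sends on the user's behalf: only the
// query text survives; every identifying field is replaced by the
// intermediary's own fixed identity (hostnames and fields are assumptions).
function buildUpstreamRequest(clientRequest, proxyIdentity) {
  const clientUrl = new URL(clientRequest.url);
  const query = clientUrl.searchParams.get("q") || "";
  const upstreamUrl = new URL("https://upstream-engine.example/search");
  upstreamUrl.searchParams.set("q", query);
  return {
    method: "GET",
    url: upstreamUrl.toString(),
    headers: { "user-agent": proxyIdentity.userAgent, accept: "text/html" },
    sourceIp: proxyIdentity.egressIp, // what the upstream engine sees as the searcher
  };
}

// List which identifying signals from the browser's request never reached
// the upstream engine (absent, replaced, or dropped from the query string).
function withheldSignals(clientRequest, upstreamRequest) {
  const withheld = [];
  for (const name of IDENTIFYING_HEADERS) {
    if (name in clientRequest.headers &&
        clientRequest.headers[name] !== upstreamRequest.headers[name]) {
      withheld.push(name);
    }
  }
  if (clientRequest.sourceIp !== upstreamRequest.sourceIp) withheld.push("source-ip");
  const upstreamParams = new URL(upstreamRequest.url).searchParams;
  for (const key of new URL(clientRequest.url).searchParams.keys()) {
    if (!upstreamParams.has(key)) withheld.push(`param:${key}`);
  }
  return withheld;
}

// Constructed sample of what a browser might send to the intermediary.
const SAMPLE_CLIENT_REQUEST = {
  url: "https://intermediary.example/search?q=bread+recipe&client_id=abc123",
  sourceIp: "203.0.113.7",
  headers: {
    cookie: "sid=constructed-session-id",
    "user-agent": "Mozilla/5.0 (constructed browser string)",
    referer: "https://intermediary.example/",
  },
};
// The intermediary's shared identity, seen by the upstream engine for every user.
const SAMPLE_PROXY = { userAgent: "intermediary-fetcher/1.0", egressIp: "198.51.100.10" };

const upstream = buildUpstreamRequest(SAMPLE_CLIENT_REQUEST, SAMPLE_PROXY);
console.log(upstream.url);
console.log("withheld:", withheldSignals(SAMPLE_CLIENT_REQUEST, upstream).join(", "));
```

The point of `withheldSignals` is the audit, not the forwarding: whatever the intermediary actually logs on its own side is exactly what the post says you have to take on trust.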

For this post, I will look at three search engines which base their results on Google or Google and other search results (not including Yahoo) and which have high privacy features. These search engines are StartPage, Gibiru, and SearX.

StartPage

[Image: startpage]

Startpage uses Google search results. It does not offer suggestions as you type, but you have the option of turning this feature on in the settings menu. However, keep in mind that the suggestions will be Google’s suggestions so they could be biased.

You can browse for images and videos, and videos will be shown as thumbnails. If you click on a thumbnail you will receive this message.

Some may also worry about using Startpage with servers in the U.S. because they worry that these servers could be compromised by law enforcement. Yes, that does happen. However, Startpage gives you the option of using only EU servers; these cannot be guaranteed to be safer, but they could be. Then again, there’s no guarantee that Startpage or any other private search engine will not keep logs that connect to your IP address. You simply have to trust that they won’t.

Startpage uses ads to make money. They appear at the top of the search result and are not as obvious as they are on some search engine results.

Gibiru

[Image: gibiru]

“Gibiru is the preferred Search Engine for Patriots.” At least that’s how the founder and CEO of Gibiru, Steve Marshal, markets it. It is a bare-bones search engine that uses Google results. It was designed by a former Google employee who became disenchanted with the way Google was manipulating personal information to make big profits. “Just as Google was forced by China to only show negative results for the web search Dalai Lama and Tibet in an agreement that would allow Google to operate business in China, the same system of censorship and secret policing of citizens is developing now. Would you trust the government’s mainstream media to tell you the truth?” Some may call it paranoia, others may call it being cautious.

Gibiru uses featured ads to make money. They also seem to use your IP address to target you with these ads. In other words, they seem to, at least temporarily, store this information. They recommend incorporating their search engine into the Firefox browser for enhanced anonymity.

SearX

[Image: searx]

SearX is the most malleable of all private search engines. It is a metasearch engine, meaning that it aggregates search results from a number of search engines. The selling point of SearX is that you can choose which search engines you want to use. There are a number of other settings that you can use to personalize SearX.

By default, SearX does not autocomplete your search results; however, you can enable this feature and even choose which search engine you want to do the autocomplete function. All custom settings are saved in your browser, not on the SearX website. You can also filter search results in a variety of ways not offered by other private search engines. SearX is based on open source code so it does not give you any ads. It does, however, ask for donations. Nonetheless, you could make a good argument for SearX being the best search engine available anywhere, encrypted or not.

Other Notable Private Search Engines

Search Encrypt is often mentioned when people write about private search engines. It has the advantage of encrypting your search terms before it searches, thus, adding another layer of anonymity to your searching. On the other hand, it is not configurable. You get the search results it wants to give you, and, in my opinion, these are often lacking. Search Encrypt can be integrated with your browser (Chrome and Firefox), but users complain that it interferes with search results more than it helps. Some claim it acts more like malware, but this may be because it predetermines which sites are free of tracking and will not suggest them. It is supported by ads in the search results.

Qwant is a French-based private search engine which seems to be growing in popularity. Those who want to avoid U.S.-based servers may find it attractive. The search results are fair, but multiple filters can be applied. It does use autocomplete, but it is impossible to tell if this is biased, because it cuts out early when typing in a search phrase. It does offer paid ads mixed in among the search results and they are not all that obvious.

Final Remarks

All of the private search engines mentioned in this post will protect your search results from being used to build a profile of you that can subsequently be sold to advertisers. Some simply offer more features than others. Just like a VPN, there is no way to ensure that they keep their end of the bargain, but if you find you are being targeted with ads through your searches, be suspicious. Keep in mind that once you click on a website in the search, you are on your own. The search engines only protect your searches from being monetized and nothing more. Add a VPN and even Tor browser into the mix if you are looking for the best privacy you can get. However, keep in mind that absolute privacy may still be unattainable.


The Recent Russian Indictment Raises 7 Major Questions

While the recent indictment of 12 Russian hackers does give some interesting new details on the hacking of the DCCC (Democratic Congressional Campaign Committee) and DNC, it still leaves many questions unanswered. In addition, the indictment itself raises new questions. So, here is what we still need to know to get to the truth.

1. Why didn’t the FBI or other intelligence agencies look at the hacked servers?

Like it or not, Donald Trump is right to ask this question. If you were diagnosed with a serious illness, wouldn’t you get a second opinion before undergoing treatments? Why wouldn’t the FBI want to confirm the findings of private security firm, CrowdStrike, before investigating the hack? It seems like an obvious first step.

A number of answers have been given for this. The FBI claims they made several requests to see the servers, but the DNC refused them access. But if this was considered an issue of national security, couldn’t they have demanded access? They seem to have given up without much of a fight.

For its part, the DNC claims they offered the FBI the opportunity to see the servers but said that the FBI wasn’t interested. In the end, the FBI chose to take CrowdStrike’s word for the Russian intrusion.

Both stories may hold some truth. James Comey claimed that there was really no need to see the servers because they had “upstream” information that the Russians had hacked the DNC. True, back in 2015, they had warned both the DNC and the RNC that Russia would try to hack into their networks. Thus, when it looked like the Russians had eventually succeeded, the FBI was not surprised and probably felt no compulsion to investigate further.

Another story is that the DNC did not want the FBI to see the servers because there was incriminating information on them. We know, from the documents that were later released, that the fix was in against Bernie Sanders. Then, there was the Trump dossier. In addition, they did not want the negative attention such an investigation would give them as they were already feeling the backlash from the emails hacked from Hillary Clinton’s private server. Their ineptitude at protecting donor information could hinder supporter financial contributions. Remember, until June, 2016, they did not realize that the stolen documents would be made public. Add to this the fact that many heads of the intelligence community assumed an inevitable Clinton victory and one could understand why they did not want to rock the Clinton boat. Practically speaking, those that did might eventually lose their jobs when Clinton was elected.

Recently, some publications have claimed that the FBI did not need access to the servers because CrowdStrike had given them image files. That may be, but in this case we would have to believe that no files were deleted or tampered with before the images were created and turned over to the FBI.

2. How did the FBI identify these specific hackers?

What emerges most from the indictment is the U.S. intelligence community’s ability to follow the actions of the accused hackers. We can infer that the FBI had control of a server in Arizona used by the hackers to send the stolen documents on to their command and control (C&C) center. But how did they identify this particular server? Were they already following the cyber actions of these individuals? Did CrowdStrike find evidence of this when they examined the servers?

In the indictment, the Russian hackers are identified along with the positions they held in the Russian intelligence community. Information is also given on the roles they played in the DNC/DCCC hacks. But how did the intelligence community learn of these specific roles? Do they have malware within the Russian intelligence networks or do they have Russian informers working with them? These are important questions because, not knowing the answers, we are back to just believing whatever the intelligence community tells us.

3. The indictment includes much information on the hacking of Hillary Clinton campaign chairman, John Podesta. My main question is: Why was Podesta using a Gmail account for official communication? Who were those spear phished at the DNC/DCCC? Did they all have Gmail accounts?

Hillary Clinton campaign chairman, John Podesta, was hacked because he had a Gmail account. He was sent to a fake site to change his password and that password was captured by the hackers. Once his account was compromised, any of his contacts could be spear-phished. Why wasn’t he given or forced to use a DNC account? Many others within the DNC, such as Debbie Wasserman Schultz, also had Gmail accounts. How many of them were also hacked in this way? Did the FBI analyze these infected endpoints to gather information on the hackers?

The hackers compromised endpoints in the DCCC to hack into the DNC network. They then installed malware in the network to gather documents and data. What sort of cybersecurity did the DNC have that did not detect any of this activity? If the hackers were so sophisticated as to hide their activity, why were they so clumsy as to allow their identities to be traced? We know now that they used Tor to hide their IP addresses, so did the FBI have control of Tor?

4. How did the hackers manage to transfer so many gigabytes of data without being detected?

Many have suggested that the hack was an inside job; a leak. They claim that it would have been impossible to hack such data remotely because it would have taken too much time to transfer it. The timeframe for the movement of these documents is supposedly known and only a local transfer (e.g. to a USB) would be possible. To accomplish such a transfer of gigabytes of data remotely would be impossible even at peak internet speeds, which were not available at that time.

The indictment seems to be aware of this objection and answers it by stating that the hackers “used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.” What tool was that? How much was this data compressed to enable hackers to move it across the internet so quickly? Was this information available in the logs? Where are those logs anyway?

5. How were the hackers able to maintain their presence on the DNC and DCCC networks until October, 2016?

Almost as soon as the hackers breached the DCCC network on April 12, 2016, they were into the DNC network. They installed X-Agent and X-Tunnel malware onto computers connected to both networks. Thereafter, they began harvesting data. And it did not end there. As the indictment states, “between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.” CrowdStrike came on the scene in May, and almost at once concluded Russia was behind the attack, but their concomitant report makes no mention of whether or not they purged the Russian malware from the network. The indictment makes it clear that they did not. It states that, “despite these efforts (by CrowdStrike), a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.” So the hackers continued to hack the DNC and get information from it until the election.

The indictment also points out that “in or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service.” I believe this was Amazon’s AWS service. This is new information, but we know nothing of what, specifically, was stolen. Can we have some details?

6. What was the real goal of the hackers?

The indictment seems to indicate that the true purpose of the hacks was to sow discord between the Sanders and Clinton campaigns. They did not feel that Trump was a viable candidate. At that time, Julian Assange of Wikileaks wrote to the hacker known as Guccifer 2.0, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.” He wanted documents to prove that such a conflict existed and could be exploited. At this point in the campaign, Russian news media was clearly supporting the Sanders ideology. They, like everyone else, also probably thought that Trump had little chance of gaining the nomination, let alone the presidency. They would, therefore, be supportive of anyone who supported Sanders, such as Wikileaks. The indictment agrees that the goal of the hackers was mainly to “interfere in the 2016 U.S. presidential election.” There is no information in the indictment to conclude that the hackers committed their breaches to help the Trump campaign.

7. Did the Russian government hack the DNC/DCCC?

[Image: dnc]

Maybe. Even probably, but, in fact, I’m not really sure. Cybersecurity expert, Brian Krebs, stated in a post on the DNC hack that “based on what I’ve learned over the past decade studying Russian language, culture and hacking communities, my sense is that if the Russians were responsible and wanted to hide that fact — they’d have left a trail leading back to some other country’s door.” Didn’t CrowdStrike, even for a brief moment, wonder if their so easily finding Russia in the DNC network was too good to be true? Then again, they probably knew what the FBI expected them to find.

According to the indictment, the hackers did try to cover their tracks, but, somehow, the FBI, or, at least, CrowdStrike, found those tracks. So either the hackers did a bad job hiding their tracks or the real hackers wanted it to look like Russia was behind the hacks. But if not Russia, who would want to make it look like it was Russia? Maybe that should be the main question.

Given the information above, it is hard to imagine why the 2017 report on Russian influence in the 2016 election stated that the election of Donald Trump was the main goal of Russia and its hackers. However, the intelligence agencies behind this report did not completely agree on this point. The FBI and CIA claimed high confidence in the conclusion that Russia hacked the DNC to help Donald Trump, while the NSA was only moderately confident in this regard. Moderate confidence “means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”

Julian Assange has always maintained that it was not Russia that hacked the DNC. He claims he has the physical proof for this and, in fact, apparently offered this proof to the FBI in exchange for some sort of immunity deal. However, when given this opportunity, FBI Director, James Comey, apparently told those in contact with Assange to “stand down”. At least, this was the information delivered by Senator Mark Warner to Assange contact, Adam Waldman.

Of course, it is also possible that Assange only believes he has proof. He could have equally been fooled through obfuscation techniques. And that’s really the point. There’s a lot of information in the indictment but it fails to come together into a cohesive package that leaves no doubt about who was really behind these hacks and what their actual purpose was. If everyone involved in this investigation, (the intelligence agencies, the DNC, and Assange) would agree to work together, maybe we’d finally get to the bottom of this. But I can’t really say I see much hope that this will ever happen, especially since the DNC just filed a lawsuit, via Twitter, against Wikileaks.


Hackers Using the Browser’s Red Warning Screens to Begin Attacks

Personally, I’m glad the Edge browser has SmartScreen. Chrome users should also be glad because Microsoft is now offering that browser an add-on that gives those users the same protection as Edge users. SmartScreen warns you that the site you’re planning to visit may have malicious intentions. You don’t have to go there to find out because the browser has already done that for you. It’s something like a person warning you not to open a door because bad things are in the room behind it. It’s too bad predictable horror movies don’t have this function. If they did, the terrified girls in these films may think twice before deciding it might be a good idea to look around the cellar where the lights never seem to work.

But there are users who feel that the SmartScreen Filter is too proactive. Some feel that the protecting red screen comes up at inappropriate times and simply interferes with their browsing. It is possible to disable the filter but doing so exposes the user to a variety of attacks. Malware may also make use of the filter to do unsavory things.

If you have been lucky enough never to have seen this feature, here is what it looks like.

[Image: red screen]

The code that creates the screen will specify which threats may lie in wait in the page ahead.

In December, 2016, a researcher found that criminals were manipulating this feature in a number of browsers for financial benefit. The screens were made to give phone numbers that a user should call to fix a problem. Some of these screens are not red but are designed to look like they came from Microsoft Support. Many of them come with phone numbers.

[Image: fake microsoft support]

The attackers hope to scare you into purchasing some ‘necessary’ product that will fix your system. The typical warning will be similar to this: “The removal of (3) Viruses is required immediately to prevent further system damage, loss of Apps, Photos or other files. Traces of (1) Phishing/Spyware were found on your computer. Personal and banking information are at risk.” If you call the number they give you, they may ask you to give them remote control over your device so they can “fix it”. They will then do some hocus pocus (like installing Firefox) and expect you to pay for this. Most people say they paid about $150. Consider this as the price of ignorance, which you can no longer claim after reading this post.

These so-called tech support scams have been going on for years. Recently, though, they have been getting better and more believable. They’ve also become more dangerous. If you give anyone remote access to your computer/device, you are asking for trouble because nothing can stop them from installing a remote access trojan right before your very eyes. They may make it look like it is some security tool so as not to make you suspicious, but once it’s installed, they can steal any information they want, including your credit card numbers and bank logins.

A new variation on the scam is to apparently freeze your browser on the fake support page. It appears as if you cannot browse to another site and, sometimes, not even open your task manager. In fact, your browser is not frozen. The attackers simply add some code to the page that maxes out your computer’s resources by repeatedly calling the browser’s history.pushState() method. Here is the code that accomplishes this.

[Image: history push]

You may not even be able to shut down your computer with a Ctrl+Alt+Del command. In this case, do a hard reboot (hold the power button for 5 seconds). Just don’t call the support number. It should be noted that some of these scams come bundled in software, so when you unpack the software make sure not to accept the default installation.
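As an added example (not the scam’s code, and not code from this post or from Microsoft), the Node.js snippet below shows the defensive side of the history.pushState() trick: a guard that counts calls to pushState inside a sliding time window and stops forwarding them once a page exceeds a budget, which is how a browser or a browser extension can keep such a page from pinning the machine. The budget of 100 calls per 10 seconds, the fake history object and the `simulateFlood` helper are assumptions made for the demonstration; in a real page the guard would wrap `window.history`.

```javascript
// Added example, not code from the post: a rate-limiting wrapper around
// history.pushState, the defensive counterpart to the "frozen browser" scam.
// Budget and window size are assumptions chosen for the illustration.
function makeHistoryGuard(history, { maxCalls = 100, windowMs = 10000, now = Date.now } = {}) {
  const timestamps = [];                       // call times inside the current window
  const original = history.pushState.bind(history);
  let blockedCalls = 0;

  history.pushState = function guardedPushState(...args) {
    const t = now();
    // Forget calls that have aged out of the window.
    while (timestamps.length && t - timestamps[0] > windowMs) timestamps.shift();
    if (timestamps.length >= maxCalls) {
      blockedCalls += 1;                       // over budget: swallow the call, keep a count
      return undefined;
    }
    timestamps.push(t);
    return original(...args);
  };

  return {
    blockedCalls: () => blockedCalls,
    flooding: () => blockedCalls > 0,          // true once any call has been blocked
  };
}

// Constructed stand-in for window.history so the guard runs outside a browser.
function fakeHistory() {
  const entries = [];
  return {
    entries,
    pushState(state, title, url) { entries.push(url); },
  };
}

// Drive the guard with `calls` pushState calls one millisecond apart, i.e.
// the tight loop a scam page would run, and report what got through.
function simulateFlood(calls) {
  let clock = 0;
  const history = fakeHistory();
  const guard = makeHistoryGuard(history, { maxCalls: 100, windowMs: 10000, now: () => clock });
  for (let i = 0; i < calls; i++) {
    clock += 1;
    history.pushState({}, "", `#${i}`);
  }
  return { forwarded: history.entries.length, blocked: guard.blockedCalls(), flooding: guard.flooding() };
}

console.log("scam page:", simulateFlood(5000));
console.log("normal page:", simulateFlood(5));
```

A normal page that pushes a handful of history entries never trips the guard; the scam loop gets its first hundred calls through and then hits a wall, at which point `flooding()` is the signal an extension could use to warn the user instead of letting the tab appear hung.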

Although Chrome has been used in these scams for some time, it is Microsoft’s Edge browser that now offers scammers better possibilities. I made the following scam page as an example. This is just a screenshot. The original used the SmartScreen HTML code and, on it, the link to “Google” would work.

[Image: mock SmartScreen warning page marking Facebook as unsafe]

So I could make a legitimate and frequently visited site appear, for some undisclosed reason, to be unsafe. I gave a fake message which I could tailor for my needs. Normally, these pages tell you to go to your homepage. Maybe the link goes there and maybe it doesn’t. I made it look like you could go to google.com. Actually, on the created page, I made it go to Microsoft’s homepage to show that you can’t believe every link you see. But I could have made it go to a page that contains malicious code. (Here is the technical information on how the researcher bypassed a patch to Edge.)

Malware has been known to disable the SmartScreen filter. In most cases, it is better to have SmartScreen warnings turned on. To make sure it’s enabled on your Edge browser, go to Windows Settings, Update & security, Windows Defender, App & browser control. There, you will see this.

[Image: SmartScreen warning setting under App & browser control]

You will also see other SmartScreen options that protect you from downloading infected apps.

As a last resort, you may want to do what one frustrated victim did, when he kept getting bothered by these fake red screen scams. He actually did call them.

“I called 100 times on 20 simultaneous channels. They answered, talked to my bots. Then they started to put my bots on hold. Then they started swearing, shouting to each other, about what is going on, I could hear in the background. Then I made 500 calls on 20 simultaneous channels to the number. After 300 phone (calls), they disconnected the number,” he said.

Recently, some of these scams have become so good that I really had difficulty determining whether the message was actually from Microsoft or not. A list of some of these screen manipulation scams can be found here, but keep in mind that they are changing all the time and they continue to fool the unsuspecting. Do not call technical support numbers, download files or patches that are supposed to help you, or follow instructions to turn off SmartScreen protection. Microsoft will never give you a number to call. Always check a link address by hovering the cursor over it; if it does not have a microsoft.com address, it is leading you to a scam support page. All browsers are susceptible to these scams, and Microsoft reports that the number of scam victims is on the increase. Most victims lost between $200 and $500, but others have lost thousands. A new trick involves combining a tech scam with an overpayment scam, as in the following example.

[Image: tech support scam combined with an overpayment scam]

So scammers are upping their game daily. If you haven’t been targeted yet, you eventually will be, and you may not realize it’s a scam.


One-Third of Companies Would Rather Pay Ransom Than Invest in Cybersecurity…Really?

Welcome Hackers! This might as well be the slogan for the third of companies who think it would be more cost effective to pay hackers ransom than to invest in a comprehensive cybersecurity defense. Such a conclusion is based purely on monetary considerations. The thinking is that investing in expensive cybersecurity may be nothing more than throwing money away. If no one ever tries to hack your company, you won’t need to pay for cybersecurity, right? After all, why pay for nothing? Why pay for cybersecurity architecture and all the qualified people you need to manage it? Wouldn’t it be less expensive just to pay the hackers some ransom or just pay for the cleanup after a hack? Although it may seem like a naïve approach to many in the cybersecurity industry, it’s a fair question and one that needs to be looked at seriously.

So, let’s delineate some of the monetary underpinnings for this viewpoint. According to a Deloitte survey of 747 firms, the average percent of revenue channeled into IT departments amounts to around 3.28%. Of this, generally less than 20% will be specifically designated for cybersecurity. The graph below shows that some economic sectors are more concerned about IT than others.

[Image: IT budgets as a percentage of revenue by economic sector]

Gartner defines a small business as one with a revenue of less than $50 million a year. This means the average small to medium company would spend about $2 million on IT. Assuming about 20% of this is spent on cybersecurity, we end up with a cybersecurity expenditure of roughly $400,000. Of course, large companies in certain sectors will be paying much more, but, for the sake of this investigation, I’ll use the $400,000 figure as representative of a small to medium-sized business. These are businesses that have to keep a tighter rein on their expenditures so they would necessarily be most concerned about any losses due to hacking.

Last year, Kaspersky reported that the average loss to a small to medium-sized business from hacking was $117,000. Thus, on the surface, solely from a financial point of view, it would seem that taking the gamble on not being hacked could be justified. But Kaspersky notes that there are extenuating circumstances. Here are the costs that firms incur when trying to recover from the effects of a breach.

[Image: Kaspersky breakdown of hack recovery costs]

Keep in mind that these are the costs that follow a breach. That’s where the $117,000 figure came from. It does not take into account any money that the hackers may have either stolen or asked for as in a ransomware attack. It does not take into account how much hackers can make from selling a database of personal information. Attacks that result in a lost database of personal information can be the most expensive to recover from. A Ponemon study estimated the average cost of a data breach to be around $690,000.

Now, back to the report from NTT, which interviewed “1,800 global business decision makers” to find out their views on cybersecurity. The main takeaway I got from this report is that these “business decision makers” seemed naïve when it came to cybersecurity. Nearly half (47%) believed that they had never been affected by a breach. Maybe that was true, or maybe they are just one of those companies that have been breached but don’t yet realize it. (Statistics for US firms show “63% report an incident in the past year and nearly half (47%) have experienced two or more”.) However, what was even worse was that one-third of the respondents felt that they would never be breached.

[Image: NTT survey results on perceived chances of a breach]

This fact probably explains what NTT claimed was “one of the most shocking statistics in this report”: that one-third of respondents said they would rather pay a ransom than invest in cybersecurity. An additional 16% were unsure of whether they would pay a ransom or not. Taken together, this means that half of all companies would at least consider paying a ransom. This attitude must have been welcome news to those criminals using ransomware to make money. It also reveals the respondents’ naiveté. Their underlying belief seems to be that paying a ransom will restore everything to normal. In fact, there is no guarantee that the criminals will honor the ransom payment and decrypt the data, or that, given the incentive of the first payment, they will not attack again.

Another fact that seems to emerge from the report is the uncertainty that exists over who would be ultimately responsible if a breach occurred. One-fifth believed that such a breach would be the responsibility of the CEO, even though it seems that few CEOs really knew what was going on in their IT departments. Statistics indicate that very little communication was going on between high level management and the IT department. This could be because management did not feel qualified to speak cogently on IT matters. Then again, it may be that such conversations only occurred when the IT department approached management for budget allocations or informed them about serious breaches. A Ponemon study seems to support a general lack of communication going on in most businesses, as can be seen in the graph below.

[Image: Ponemon chart of relationships between management and IT departments]

Malwarebytes found that, of companies experiencing a ransomware attack, 20% were forced to shut down immediately. Most companies were down for 1 to 8 working days (assuming a 12-hour working day). 80% of ransom demands were for under $10,000. 21% of those receiving ransom demands paid the amount requested. Of those not paying the ransom, 32% lost files. It is impossible to assess the cost per day of a company not being operational; that would vary with the type and size of the company. In this respect, however, the ransom itself would probably be a minor expense. Medical, financial, and online retailing firms would probably be more likely to pay the ransom in the hope of resuming normal operations. So the average cost for a ransomware attack would be about $127,000. However, many companies experienced more than one ransomware attack in a year.

But hacking is not just for receiving a ransom. Hackers steal for financial gain or to acquire important information. Hacks that steal information tend to be more difficult to recover from. When customer information is stolen, it is often sold on the deep web. How would customers ever trust a company that exposed their personal information? Stolen company secrets put the existence of the enterprise at risk. In both such hacks, the company’s reputation suffers. As most companies realize, reputation is closely linked to profits. The quarter after the Target hack, profits fell by 50%, a loss which smaller companies may not be able to absorb.

There is a widely quoted statistic that 60% of small businesses will fail in six months following a cyber attack. The statistic is claimed to originate from the National Cyber Security Alliance. I made a rigorous attempt to verify this claim, but could not. I did, however, eventually find a press release from the NCSA in May of 2017 saying that “this statistic was not generated from NCSA research” and that “members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.” That said, most businesses will experience serious financial stress following any cyber attack. A Cisco report found that 38% of organizations experienced a substantial financial loss, 42% saw a substantial loss of opportunities, and 39% saw a substantial loss of customers. Each small business needs to take these statistics into consideration and determine for themselves if they could survive such an impact to their particular business.

This is all not to say that small and medium-sized businesses have absolutely no security at all. They may have some simple antivirus software or may use a VPN. They don’t, however, have a coordinated cybersecurity strategy backed by an IT department, which would be needed in the case of a strong attack. They certainly do not have state-of-the-art technology to protect themselves from the most commonly used attack vector: the exploitation of unprotected endpoints. As such, they are continuously vulnerable to the irresponsible online behavior of any employee who has access to their network.

And that brings us back to the main question: Is it better to wait to be hacked before paying for cybersecurity? It’s a gamble, one that is the statistical equivalent of a coin toss. In other words, would you risk your business on the toss of a coin? In the end, you simply have to ask yourself one question: Are you feeling lucky?


Why Are Recent Employment Scams Fooling So Many People?

Most scams are pretty transparent. An email arrives with a tempting subject line, but you know, deep down, that what they promise is simply too good to be true. Why do “beautiful Russian women” want me to contact them? Why was I so lucky that they decided to send me their pictures? Why are people I never heard of dying and leaving me millions of dollars? Why?

Well, if it’s so easy to spot a scam, then why are so many people falling victim to employment scams? The basic answer is greed or desperation. Employment scams offer unusually good pay for unusually little work. It’s enough to get some people interested in reading the email that eventually traps them in the scam. That said, some of these scams are sophisticated enough to fool even the normally wary.

So let’s look at one of these emails that you may receive. It may come with a company logo and may refer to a resume that you have posted on some popular job search site. At first, it may be a simple message. Here is one example.

Hello Good Day. I am Mr. Jerry Nathan From ( Indeed Recruitment Team ).. Our HR Dept has reviewed your resume published on Indeed. Your resume has been reviewed and Approved. You have been scheduled for an interview. Reply back if interested for more details on the job position. Thank you.

This may also be sent as a text message. If you reply, you will probably be told to use some messenger service, such as Yahoo Messenger, to be interviewed. Occasionally, they will ask you to call a number for an interview. Don’t worry. No matter what you say at the interview, you will eventually be offered the job.

The type of job varies, but recently scammers have been focusing on shipping or logistics jobs. The job names change but the work remains the same. Some victims have even been given contracts to make them feel more comfortable. The scammers know that the victims will try to find a website connected to the company, and, not surprisingly, there will be one. The website may even have an https address, which may further lower the suspicions of the victim. Scammers have been known to make use of legitimate websites as well. The scammers may even refer to their own job posting on a job seeker website, and a link to it may be placed in the email so as to make the offer appear more legitimate. The job will always be well-paid and the work will seem relatively easy and straightforward.

The victim may be asked to fill out some employment forms which will ask for personal information. Some victims have claimed that they were asked to fill out an application for a W-2 form for tax purposes. This will give the scammers the victim’s social security number. Once they have enough information, they can apply for a credit card in the victim’s name – but that’s not the main purpose of the scam.

Recently, employment scammers have been recruiting “shippers”. The work is as follows. If you are a victim, they will ship you packages which you must repackage and send on to certain addresses. The addresses are usually overseas addresses. Why any legitimate company would need people to do this should raise suspicions, but if you have followed the scam to this point, you will likely continue. You will be paid per package and will receive a payment at the end of each month.

Shortly after filling out all of the forms, you will receive your first package to reship. The package will come to your address but will often be under a different name. Often, the scammers will give you a ‘trial period’, which means you must show you can send the packages as ordered. The merchandise will not be expensive. Why? Because some victims realized they were being scammed and kept the packages for themselves. Thus, rather than lose valuable merchandise, they will see if you send some inexpensive products first and if you qualify as a bona fide victim. When you send your first expensive merchandise, you become officially part of the scam. Most victims will stay until their first paycheck and will do whatever they are told to do because they simply need the money. Only when they don’t receive the money and don’t get any answers to their questions do they begin to suspect that something went wrong. In fact, many victims don’t really investigate the scammers until they don’t get paid, and by then it is far too late.

This is what the victims should have done. Look more carefully at the company website. Don’t accept it as valid simply because it has an https address. That won’t necessarily mean it’s safe. You can get a certificate for free or buy cheap certificates that will do the job (see my post). Is the https indicator in the address bar green? Probably not. Here is a fake website that is used to validate a fake company in an employment scam.

[Image: homepage of the fake Explicit Logistics website]

It may seem valid until you read the English. Do you really believe a serious company would allow such clumsy language use to appear on its homepage? A check on the site will show that it is about a year old. If you navigate to other pages you will see that they made a key mistake when they copied information from another shipping website to legitimize their business. Here is how the information appears on the Explicit Logistics page.

[Image: cargo information page on the Explicit Logistics website]

Notice how the company name changes to Freight Logistics. Oops. That’s because there really is a company named Freight Logistics, which has this information on its page. See any similarities?

[Image: the same information on the real Freight Logistics website]

What I’m saying here is that before you take a job with any company, give their website a more than casual look.

Sometimes, scammers ask victims to pay a ‘training fee’ which they will reimburse in the first paycheck. Others have been told to log into a special site to get their assignments from a personalized dashboard. This gives the scammers a more ‘professional’ look. Once logged in, victims can see their assignments. They will be told where to pick up and where to send packages. They will also see how much money they’ve made and when they will receive their first paycheck. Sometimes, they may be promised bonuses for sending packages quickly. But, as one victim noted, “you will receive weekly updates of your pay for work completed, and a set pay day for your first check. On your set pay date you will be deleted from the work panel and no longer contacted and will not receive a response.” The scammers simply move on to the next victim. This particular victim spent over $2,000 sending packages.

Most people lost $2,000 to $5,000 in this scam. The largest loss I found reported recently was $40,000. This was from a business that was scammed. They purchased products in advance and were paid through a checking account. After the scammers got what they wanted, they canceled payment on the check. But losing money may not be your main problem.

If you send stolen merchandise overseas, you may receive a visit from the police or FBI. Some victims claim they received a call from the police after mailing several packages. Apparently, the merchandise you shipped was purchased with a stolen credit card, and all signs point to you being the one who stole it. That’s when the fun really begins. You may be charged with distribution of stolen goods, defrauding customs, and mail fraud. You are the only one they will be able to trace, and you may face up to 20 years in prison. The real perpetrators will continue their scam unharmed, using new victims.

To avoid being scammed, avoid any job offers that could be filled by any unqualified person. Job offers for caregivers, mystery shoppers, repackagers, shippers, administrative assistants, and customer service reps are commonly scams, especially if they don’t require any special qualifications. Work-at-home jobs should be approached with great caution.

You may have seen the job posted on some job seeker site. You may even have a resume on those sites. The scammers will often use this information to entrap you. They may direct you to fake web pages. They may send you useless contracts and ask you for personal information. Job offers are often for about $4,000 a month for working 20 hours a week. Remember, if it sounds too good to be true, it probably is.

Any company that asks you to pay any money up front should be avoided, even if they say they will reimburse you. They won’t. You are just giving them money. You may be given a chat-style interview through some messenger app or Google Hangouts. If the interview really doesn’t get down to details, or if their use of English is poor, think scam. This goes for phone interviews as well. Ask the interviewer for details about the operations of their company. For example, all shipping companies will know about the WCA network, but do the interviewers?

Don’t think that just because they have a website they are a real company. For some reason, this is the number one reason why victims believed their scammers were legitimate. They may even send you to a real website that they don’t control. Some companies have complained that they were being contacted about job openings that they never had. Check out the URL with a domain checker tool. If the site was recently created, it is likely fake.

Many employment scams go unreported. If you use a job site, check the forums for others who may have had experience with the company you want to work for. Generally speaking, though, if you are at all suspicious, look for another employer.


Are VPNs Really Safe?

That depends on what you mean by ‘safe’. Different people have different reasons for using a VPN, so you can make a case for both sides of this issue depending on just how much safety you’re looking for. So, in this post, I’ll try to look at both sides of the issue and let the VPN user decide if it offers the degree of safety they are looking for.

The Case for Using a VPN

Just what is a VPN anyway? To understand its safety features, you first have to understand precisely what it is capable of doing.

Not all VPNs (virtual private networks) are created equal. For this reason, there are a lot of misleading diagrams of how they work. Most such diagrams don’t include the ISP, though this plays a role in all VPN-related connections. The diagram below, modified from SunVPN, is closest to depicting how a VPN actually works. (It should not be interpreted as any form of endorsement.)

[Image: diagram of a VPN connection through the ISP, modified from SunVPN]

When you connect to the internet, you do so with the help of an ISP (internet service provider). They will help you access the servers for web pages you want to look at. In so doing, they know what websites you are visiting. They routinely keep logs of such visits in case such information is needed later.

If you use a VPN, you get an encrypted connection to the VPN server that you requested. The ISP will only see that you requested a particular IP address. After you connect with the VPN server, the ISP will have no idea of what websites you are visiting. You could even connect to another VPN.

It is possible for an ISP to block you from accessing certain sites. Repressive governments frequently do this. However, if you use a VPN, they cannot block this access. This is why VPNs are used in China to visit certain websites that the government doesn’t want their citizens to see. It is also the reason why Russia is considering banning VPN use.

If you live or visit a foreign country, you may find that there are a number of U.S. sites that will not give you access. Certain YouTube videos, for example, will give you the following message.

[Image: YouTube message that the video is not available in your country]

In fact, I first became aware of the benefits of a VPN when I was living in Afghanistan and wanted to download some videos for my students. I was able to spoof my IP address by using a VPN server in the U.S. to make it appear as if I was in the U.S., and everything was fine. This is called ‘geo-spoofing’.

Your company, school, or organization may also try to restrict your browsing for any number of reasons. Perhaps, they even keep a record of where you’ve been online. Enter VPN. Now, they will only see that you connected to the VPN and nothing more.

Using free public Wi-Fi is always dangerous, as it leaves you open to attack. Tunneling your traffic through a VPN rather than trusting the local network is always recommended.

File sharing sites offer downloads of movies, TV shows, and music via peer-to-peer sharing. Some governments frown on such ‘sharing’ and may even prosecute those who download material using these sites. In such cases, VPNs can be used to hide your identity.

Since your IP address gives away your location, companies will often target you with location-specific ads. This can be annoying if you are in a foreign country and are suddenly given content in the local language rather than the language you are used to. Google has the bad habit of trying to foist its localized version on you whether you like it or not. VPNs can get around this by the same geo-spoofing technique outlined above. At least the ads that target you will be in a language you can comprehend.

The Case Against VPNs

How much do you trust your VPN provider? The answer to this question will help you decide whether a VPN will meet your needs. Although your local ISP will not be able to see your browsing history when you use the VPN server, the VPN provider can. Many VPN providers will promise you anonymity but, again, can you trust them? It would be a relatively easy task for government agencies to learn what VPN you use and then pressure the company to hand over its records on your browsing history. If the company does not maintain such records, law enforcement can pressure them to begin recording your browsing history. Let’s face it, few VPN providers would want to risk their businesses over the browsing history of one questionable user.

When I used Skype to speak to a friend in China, I was surprised to find that it was possible. After all, Skype has been banned in China since last year. Actually, this is not really true. It seems to depend on what server you use Skype on, because, as long as the government has access to the servers in control of Skype-based communication, it wouldn’t really matter. The person I spoke to was using a VPN. On the surface, that sounded promising, but would China allow any VPN to be used that did not allow it access? In fact, China would not license any VPN that did not agree to give it access to its records. Sure, you may be able to use Skype and even a VPN from your hotel in China, but I doubt if your communication is as secret as you may think it is.

Privacy experts suggest that you do not use VPN servers located in the following countries.

U.S.
U.K.
Australia
New Zealand
Canada
France
Norway
Denmark
The Netherlands
Belgium
Italy
Germany
Spain
Sweden

Although these countries may not be considered repressive, they have all been known to spy on their citizens or pressure VPN companies for information. Of course, most people don’t worry about maintaining such a high level of privacy, but, for those who do, all VPN communications should be directed through more neutral countries. Some privacy experts claim the safest servers are located in Switzerland, Romania, or Panama, though others say that no VPN can offer complete privacy.

There are a few reasons why you may not want to use a VPN for downloading files or videos from file sharing sites. The most practical reason is that VPNs will slow down your browsing and downloading. In addition, some VPNs will block you from downloading from major file sharing sites. Also, keep in mind that whatever you download may be recorded by the VPN provider.

It is not necessarily true that a VPN will protect you from targeted ads. Some VPNs come with built-in ad programs that will try to lead you to a variety of sites. Some will also track your browsing in order to present targeted ads. Keep in mind that free VPNs aren’t providing their services just because they like you. Mostly, they make money by doing something else, like selling your personal information. This doesn’t mean they are useless for most people, but they do have limitations in terms of privacy.

For Those Concerned with Greater Privacy

Good VPNs need to be paid for. They generally cost between $3 and $5 a month. They should offer strong encryption, anonymity, and numerous servers, and be located in a relatively non-repressive country. They should not keep logs of activity and should permit torrenting (P2P) connections.

Some privacy experts say that VPNs offer only promises and nothing more. They suggest using the Tor browser with a VPN for maximum privacy. Remember that all browsers offer privacy settings that can be maximized, but none are ultimately as safe as Tor. On the other hand, Tor slows down browsing.

Concluding Thoughts

Nothing you do will guarantee 100% privacy online, but for most people a good VPN will serve their needs. Although free VPNs have a number of shortcomings, they will still give basic VPN services and that’s enough for most people. However, if you have a job with an organization that could be a target of government agencies or hackers, and you are connected to its network, consider stronger security actions. Most companies and organizations will require those with connecting privileges to meet basic security guidelines. Those guidelines may or may not include the use of a VPN. In such cases, weaknesses in the VPN could be exploited by malicious actors. VPNs alone do not offer enough protection for a corporate or organizational network that is trying to protect sensitive information. More state-of-the-art architectures are needed for that.

In short, VPNs should be considered a good first step in protecting your privacy, but nothing more.

 
