I was a Messenger spoof victim

A few days ago I returned to my office after a meeting to find emails and voicemails telling me that someone was sending facebook messenger messages pretending they were from me.  The first message sent was an innocuous “Hello, how are you doing?” But if the recipient engaged it quickly turned into how I got a $300,000 government grant to pay off my bills, and tried to convince the recipient to send an email to “the agent in charge” to see if they were eligible.   I suspect if followed through it would either ask for payment of a loan application fee, or ask for credit card or other personal details.

Fortunately, it didn’t take long for my followers to realize it was a scam and not me.

This government grant scam is a known scam approach.  Typically one of two things has happened.  Either the malfeasant has hacked into my facebook account, or they took info from my public facebook presence and set up a spoof.

Some digging into my facebook profile, history, and security settings showed it was more likely a spoof than a hack.  I use strong passwords generated by a password manager for each account I have.  So it is unlikely that my password was compromised, unless there was some weakness in an app I have allowed to access facebook.  (For that very reason I allow very few apps to connect with facebook.)

But just in case, I changed my password, set up 2 factor authentication, and an email alert to notify me of questionable login attempts.  I have that set up on other platforms, but had not on facebook.  I hadn’t bothered before because I have very little personal info on facebook.  The mistake I made that allowed the spoofer to send messages to my friend list was to have my friend list open for everyone to see.  Too late for this scam, but I changed that anyway.

I also posted a message on facebook letting people know it was not me.

It is frustrating how difficult it is to report this to facebook in case they can stop (or at least make life difficult for) the spoofer.  Facebook has lots of ways to report various things – but they are all set up for very specific things – none of which worked in my situation.  Recipients can report it (there is a “report spam or abuse” option on the gear icon beside the sender’s name) – but I can’t.  There used to be a basic way to report things when they didn’t fit the methods provided – but that seems to be gone.  And it’s not just facebook that does that.  The thread one of my friends sent includes a gmail address for the “agent in charge”.  But reporting that to gmail to try and disable the address isn’t easy.  Their spoof/scam reporting method works only if you have received an email from the address – as the email header is a required field.

So how do you tell when you get a fake message, and what do you do about it?

Typical scam/phishing warnings apply. The messages are often out of character for the sender.  Or they are grammatically strange.  Or a gmail or similar generic email address is given rather than a corporate one.  Another flag is if it tries to get info or money.  If in doubt, contact the sender in another way to find out.  Facebook and other messaging platforms often have ways to report malicious communication attempts.  The victim will appreciate it if you can take a minute to let them know and report it.

Cross-posted to Slaw

Will quantum computing cause encryption’s Y2K?

At the Can-Tech (formerly known as IT.Can) conference this week Mike Brown of Isara Corporation spoke about quantum computing and security.  Within a few short years quantum computing will become commercially viable.  Quantum computing works differently than the binary computing we have today.  It will be able to do things that even today’s supercomputers can’t.

For the most part that is a good thing.  The downside is that quantum computers will be able to break many current forms of encryption.  So it will be necessary to update current encryption models with something different.

That may not be a simple or quick exercise, given the layers and complexity of encryption.  His message was that we need to start planning for this now, and it may take an effort greater and more challenging than the one that fixed the Y2K problem.

For the record, Isara sells security solutions that are designed to be quantum computer safe.  For some validation that this really is a thing, take a look at this Wikipedia article on Post-quantum cryptography.  

Cross-posted to Slaw

Cars and the data they share

Anyone interested in cars and the data they will increasingly collect should read the article in the November Automobile magazine titled The Big Data Boom – How the race to monetize the connected car will drive change in the auto industry.

It talks about how much data might be generated (4,000 GB per day), how that sheer volume will be handled, and how it might be monetized.  It also covers the challenges of cybersecurity and privacy.

Auto makers are well aware of the privacy issues.  Challenges will include how to deal with privacy laws that vary dramatically around the world.  Will they default to the highest standard? Or will the data be valuable enough to make it worth their while to deal with information differently in different countries?

How will auto makers give drivers comfort that their information will be secure and won’t be misused?  How will they explain what info will be anonymized, and what will remain identified with the driver?

How many drivers will not be eager to share driving info with insurers and others either for privacy reasons or skepticism about what arbitrary decisions about them will be made based on that info?

For more about this topic, see this post I wrote a few months ago.  It is also on the agenda for the upcoming Canadian IT Law Association conference.

Cross-posted to Slaw

Ransomware – fix it before you Wanna Cry

The WannaCry ransomware attack of almost 3 weeks ago may be a fading memory – but we can’t forget how important it is to protect our computer systems.  This is true no matter what kind of business or organization you are.

This video does a good job of summarizing what happened.

The bottom line is that there are some basic things everyone needs to do to reduce the chances of ransomware or malware affecting us.  Unfortunately not everyone does these simple things.

They include:

  • Keep software and patches up to date
  • Upgrade operating systems before support ends (that means you if you still use Windows XP)
  • Use up to date virus protection
  • Have effective backups
  • Educate users on what not to do
  • Use strong passwords and take advantage of security features such as multifactor authentication

Perhaps the best advice is to not dabble in security, and don’t just follow a checklist like mine above.  Effective security requires a holistic, system-wide approach designed, implemented, and updated by IT professionals.  Security is a whack-a-mole game that is constantly changing – it doesn’t follow the “Universal operating instructions” joke of “Set lever A and lever B”.

Cross-posted to Slaw

Privacy Commissioner posts new case summaries

Privacy breaches and complaints can often be resolved cooperatively.  We usually hear about the large, dramatic, far reaching breaches more so than the smaller ones that get resolved.

The privacy commissioner just released some examples.

In one example, a malfeasant socially engineered some information from customer service representatives that enabled the malfeasant to contact customers and try to obtain more information that could be used for fraud.  The business investigated, contacted the individuals who may have been compromised, and took steps to reduce the chances of it happening again.

In another situation, a rogue employee took customer information which was used to impersonate the company to collect money from a customer.  The business was not very responsive to the customer complaint until the privacy commissioner got involved.  In the end the employee was dismissed, the customer made whole, and steps were taken to reduce the chances of it happening again.

From a business perspective, it shows the need to take privacy complaints seriously, and deal with them quickly and effectively.

From a consumer perspective, it shows the need to be cautious when you are asked for your information – especially when someone contacts you.  And be patient when your service providers take steps to make sure you are who you say you are.

Cross-posted to Slaw.

Cloud computing: It’s all Good – or Mostly Good

A ZDNet article entitled Cloud computing: Four reasons why companies are choosing public over private or hybrid clouds makes a case for the value of the public cloud.

The reasons:

  • Innovation comes as standard with the public cloud
  • Flexibility provides a business advantage
  • External providers are the experts in secure provision
  • CIOs can direct more attention to business change

This is all good – or mostly good.

The caveat is that the use of the cloud can fail if a business adopts the cloud without thinking it through from the perspectives of mission criticality, security, privacy, and continuity.  If a business runs mission critical systems in the cloud, and that system fails, the business could be out of business.

The IT Manager no longer has to consider day to day issues around keeping software and security up to date.  But they still have to consider higher level issues.

It is important to understand what the needs are for the situation at hand.  A system that is not mission critical, or does not contain sensitive information, for example, would not require as much scrutiny as a system that runs an e-commerce site.

Issues to consider include:

  • how mission critical the system is
  • what the consequences are of a short term and long term outage
  • how confidential or personal the information is in the system
  • can the information be encrypted in transit and at rest
  • how robust the vendor’s continuity plan is
  • the need for the business to have its own continuity plan – such as a local copy of the data
  • how robust the vendor’s security is
  • does the vendor have third party security validation to accepted standards
  • does the vendor’s agreement have provisions that back these issues up with contractual terms and service levels with meaningful remedies

Cross-posted to Slaw

Privacy by Design is Crucial to avoid IoT Disasters


If anyone doubts that Privacy by Design is a fundamentally important principle, consider these two recent articles.

This Wired article describes a hack being detailed at the upcoming Defcon conference that can easily read and type keystrokes from wireless keyboards that are not Bluetooth.  So you might want to consider replacing any non-Bluetooth wireless keyboards you have.

Security expert Bruce Schneier wrote this article entitled The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters that explains the IoT risks.  The fundamental problem is that not enough attention is being paid to security for IoT devices.  This leaves a door open to situations where a hacker can, for example, easily get into your thermostat and then use that as a connection point to your network.  Cory Doctorow of Boing Boing refers to this as a coming IoT security dumpster-fire.

Bruce describes it this way:

The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the internet. That number is about to explode.


Cross-posted to Slaw

Panama Papers – Points to Ponder

The Panama papers revelations are worth pondering on many levels. (This Wired article is a good summary.)

My first reaction to the high level tax evasion and corruption allegations was to blanch at the thought that someone had basically given the entire contents of a law firm’s document management system to a third party.

As a lawyer, the fact that law firm files were leaked causes me to wince. After all, solicitor-client privilege is a fundamental tenet of democratic society. Law firms take the security of their files very seriously, and getting access to this information would not be an easy task.

This has parallels to the Snowden leaks. I’ve said before that Snowden should be congratulated, not prosecuted.

But this is not the same.

Snowden leaked information about one government entity.  This is a leak with personal, sensitive, and confidential information about thousands of individuals and corporations.  Some of the activities exposed by the press are no doubt illegal or unethical; some may raise a debate over where the line should be between tax avoidance and tax evasion, and over issues around tax havens in general.

But that does not justify this kind of breach to the press.

Unfortunately this has set a smell test where anyone who has an offshore company, or any business such as a law firm that is involved in their creation, gets unfairly tarred with suspicion.

According to press reports the journalists won’t release the actual documents to respect the privacy of the innocent. That’s good – but that shouldn’t be a decision that a journalist should have to, or should get to make.

Apple fought the FBI to keep phones secure.  In that case the end the FBI was seeking did not justify the means. That is largely because it puts the information of everyone using an iPhone at risk. So how is this leak that exposes legal files of thousands of people any different? It seems that one minute we are applauding security and privacy – and yet we now seem to be applauding a massive breach of security and privacy.

It is too easy to dismiss this as a risk that is peculiar to law firms in tax havens that are perceived to facilitate unsavoury activities. Has this perhaps put a bigger target on law firms for both inside and outside hackers?

An IT security firm told me this morning that they have been contacted by a number of law firms that are wondering what shape their security measures are in, in light of the Panama Papers.

Perhaps law firms everywhere should take another look at their security measures to reduce the chances this could happen to them.

Cross-posted to Slaw

Apple fights court imposed FBI backdoor order

Apple CEO Tim Cook has taken a very public stand against an FBI request and court order to create a backdoor into the Apple operating system.  This arose from the investigation into the San Bernardino mass shooting last December.

See this article on ZDNet for more details, and read Tim Cook’s customer letter posted on the Apple website for a more complete explanation of Apple’s position.

Kudos to Tim Cook and Apple for this.

Security and privacy experts continue to point out that backdoors are a bad idea that cause far more harm than good.

See, for example, this ZDNet article from yesterday about a new report saying “European cybersecurity agency ENISA has come down firmly against backdoors and encryption restrictions, arguing they only help criminals and terrorists while harming industry and society.”

Cross-posted to Slaw