Distributed Denial of Service

bot·net
ˈbätˌnet/

noun

Computing
noun: botnet; plural noun: botnets
  1. a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages. Combination of the words “Robot” and “network.”

If you noticed a disruption of the internet last week, it was due to a virus that created a botnet of such things as internet-connected video cameras and other “Internet of Things” (ioT) devices. many of these devices have weak security at best, and to make things worse, the security is hard-wired into them, making it impossible to change without a redesign.

When an outside, malicious force takes control of these devices, they can then be aimed like a laser at whatever server is the target of the hacker’s wrath. In this case, something like 500,000 devices were compromised. When that many devices start sending data to one target, the target gets completely overwhelmed, and if it’s not completely knocked offline, becomes glacially slow in the attempt to deal with such an abnormal volume of traffic. This is what is known as a Distributed denial of Service (DDoS) attack.

This one of the many reasons I’m not too thrilled with the direction technology is going. I’m afraid it will not only make us vulnerable, but it may make us lazy and stupid as well.

As Gerald Weinberg said, “If builders built houses the way programmers wrote programs, the first woodpecker to come along would destroy civilization.”

https://thegizmologist.wordpress.com/2015/10/15/rise-of-the-machines/

http://www.pcworld.com/article/3134056/hacking/an-iot-botnet-is-partly-behind-fridays-massive-ddos-attack.html#tk.rss_all

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

Advertisements

Facebook – Risk and Reward

I don’t use Facebook. (I hear a gasp of disbelief!) Why not? I can’t think of a good reason to. I prefer to do my “social networking” face-to-face. The problem with Facebook and other such sites is that whatever you put on the internet is there forever, for anybody who wants to look – not just your “friends.” This is why criminals have been caught when they gloated on Facebook, homeowners have been burglarized when they posted their vacation plans, wives have discovered their husband’s affairs, and employees have been fired over that “whimsical” photo of them smoking dope that they forgot about. Can you say “Oversharing?”

And, just in case you’ve run out of things to worry about, a new study finds that people who use social networks are four times as likely to have their identity stolen! Now, as the statisticians are fond of saying, “Correlation does not equal causation.” What that means in English is we don’t know if these people had their identity stolen because they use social networks, or if their social network use is a symptom of something else they do that puts them at risk.

do know that the internet has a tendency to encourage people to share the most intimate details of their lives online, apparently never realizing the dangers when their dates of birth, addresses, mother’s maiden name, schools, previous addresses, sometimes even their social security numbers, are out there for anybody to find. And that’s even without the possibility – make that probability – of a data breach. You might also consider who you keep as a “friend.” Treating Facebook as a popularity contest is only going to make you more vulnerable.

Nobody but your closest family needs to know such things as your favorite color or your first pet’s name. The only way to mitigate the risk is think twice anytime you’re asked for personal identity information – even if a police officer asks you for your social security number, you can politely decline. Especially if a police officer asks you for a DNA sample! Yes, it’s been happening, to people not charged with any crime, because certain government agencies just can’t seem to collect enough data to satisfy them, Constitution be damned!

By the way, don’t forget to vote on November 8th. Your question should be, “Do I want more of the same, or am I willing to chance something different?” Personally, I think “More of the same” will destroy this country.

Yes, using more social networks raises your risk of ID theft — a lot, says ID Analytics.

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

Windows Help desk?

When the Waste Material hits the Rotary Ventilator (Something horrible happens to your computer), panic and the urge to do anything to get it fixed is a likely first reaction. Some folks will commence a Google search for a support number or website. The “Windows Help Desk” you arrive at may actually be nothing more than a den of thieves! (By the way, Microsoft’s site is called the Answer Desk, not the Windows Help desk.)

This can be very dangerous, both to your computer, your identity, and your wallet. There are plenty of “support” sites out there that purport to be “Official,” when in reality they are anything but. The best of these may be able to perform a fix, but at an outrageous cost when you might have been able to do it for free. The worst, on the other hand, may take your money, your private data, and your identity, and still leave you with a broken computer – maybe even turning it into a “Zombie,” sending spam and doing work for the bad guys.

I’ve told you before about pop-ups from poisoned websites that will tell you your computer is infected, blah, blah, blah, and to not take any of them seriously. Well, the same goes for support services advertising themselves on the internet. Bad guys know how to manipulate search results so that their sites float to the top. It’s very important to know that you’re using the real site when you look for support. For instance, if you have a Dell, go straight to Dell.com, HP.com for HP machines, and so on for other manufacturers. All the top manufacturers have a Support section on their websites. Microsoft.com is your go-to site for problems with Windows.

When things go awry, start with the fix-it-yourself and automated solutions offered through official support venues such as https://support.microsoft.com, your PC maker’s support site, and from trusted third-party sources.

The Web of Trust browser add-on I’ve talked about before is also a great help for ferreting out some of the scammers.

If you must venture further afield for online help, take the time to run a whois query on unfamiliar support sites. That’s especially the case for sites that want credit-card or other personal information, or that request remote access to your PC. Also run a general Web search to see what others have to say about the resource or company.

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

 

Hacking a Pacemaker??

 Connectivity equals vulnerability.

What does that mean? It means that the more ways a device can connect to the outside world (interface), the more vulnerabilities it has to unauthorized access. As an analogy, you have very little chance of being hit by a bus if you stay in your house. But you can’t stay in your house forever. The problem then becomes managing the risk/reward equation.

Medical devices usually have a very favorable risk/reward scenario: They unquestionably save lives – most of the time. But, as with everything else in our increasingly complex world, people want them to be wirelessly connected for convenience.

This is particularly important for implanted medical devices such as pacemakers and insulin pumps. Cutting a patient open every time you need to change the settings is painful, expensive, and dangerous, so modern implantable devices use some sort of wireless system. The doctor simply uploads new software to the device in a matter of minutes without bloodshed.

But… What happens if someone else gains access to the device? Someone with nefarious intent? Like many other devices, these things can be vulnerable to outside connections, and, once inside, it’s possible to alter them, with conceivably fatal consequences.

As mentioned in a previous post about the so-called “Internet of Things,” many of these products have gaping security holes, sometimes with no way to update them short of getting a new device. The code they run on is usually proprietary, which means it’s very difficult for security researchers to tease out problems – and the Digital Millennium Copyright Act might even make it illegal!

Former Vice President Dick Cheney even had the wireless capability on his pacemaker disabled to forestall a possible attack of this sort.

Unfortunately, Barnaby Jack, one of the primary researchers into these vulnerabilities suddenly died in 2013, under slightly mysterious circumstances. Of course, conspiracy theories abound. Hopefully, others will pick up where he left off.

http://www.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/

Go Ahead, Hackers. Break My Heart

http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#25cb957813e0

http://www.komando.com/happening-now/371417/pacemaker-hacking-fears-rise-based-on-critical-research/all

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

Speak Up!

Reading online reviews is a great way – most of the time – to help with the decision-making process when purchasing a product or service.

Some merchants, however, really take it personally when someone posts a negative review. Some even have, buried deep within their terms of service (Who reads those??), a so-called non-disparagement agreement. What does that mean? It means that if you bad-mouth the product or service, they could sue you for breach of contract.

Even if the review in question is not false or defamatory (“The phone didn’t really live up to my expectations…”), this could still happen. The dictionary defines disparagement as “To bring discredit or reproach upon; to lower in credit or esteem.” That could be interpreted as virtually anything other than wholehearted praise!

A couple recently was dissatisfied with a pet-sitting service and aired their complaint on Yelp. The company first sent them a cease-and-desist letter, and when the couple refused to take down the review, the company sued.

This sort of suit is called a “Strategic Lawsuit Against Public Participation” (SLAPP), used to stifle such complaints. This could be viewed as curtailing freedom of speech, however, some courts have ruled that if you accept the agreement (which you probably haven’t read!), you are voluntarily waiving your first amendment rights.

Yet another reason to read stuff carefully before you sign or click that “Accept” button!

http://www.jaburgwilk.com/news-publications/what-is-a-non-disparagement-clause-and-why-you-may-not-want-to-sign-one

Yelp review cost this man $1 million

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

 

You Owe us A Zillion Dollars!

Yet another in the seemingly endless series of phone or email scams has surfaced – That of the “Phantom Debt Collector.” Just like the other scams that ask you to pay a fine or you’ll be arrested for child porn or some such, these play on sometimes legitimate fears that you may have an unpaid debt somewhere in your past, particularly if you’ve ever applied (even if you didn’t actually get it) a payday loan or similar product.

They often reference some small debt of a few hundred dollars, and sometimes threaten legal action if the debt is not immediately paid. The threats may look something like this; Note the bad grammar.

If you fail to respond us the Charges will be pressed against the name are:

1. Violation of federal banking regulation act 1983 (C)

2. Collateral check fraud

3. Theft by deception (ACC ACT 21A)

NOTE: THIS CASE IS UNDER INVESTIGATION UNDER MAJOR CREDIT BUREAUS.

Again, like all suspect emails – and phone calls – Ask for details; in other words, demand proof that you owe the money. Ask for an address and phone number. Try calling the company back. Check your credit report at annualcreditreport.com – Any legitimate outstanding debts should show up.

If you know you don’t owe anyone anything, just mark the email “Junk” and don’t click any links or respond. If you have any doubts, don’t click the links either – call the company and ask for documentation.

Why do people do this? Because it works! It’s not too hard to scare people into paying up when the fear of legal action is dangled over their heads.

When I asked alleged phantom debt collector for comment, I was told I owe $935.76.

Phantom debt collector comes after me, again (here’s what those emails look like)

Visit my Store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!

Email Error message?

 Recently I received an email from a friend with this text:
Unable to display full e-mail.
You will see it when clicking on here (Link removed!)

Gmail error messageID: ca16180 (Tue Aug 23 6:02:36 2016)

That looked very suspicious to me. Notice the stilted grammar. Google (gmail’s provider) can afford to hire people that write better English.

The scariest part was where the link went: A page that looked exactly like Gmail’s login page, with my email address already filled in, and a message saying, “Session expired, please log in again.” Looking at the address bar on my browser (The topmost bar on all web browsers where you’re supposed to type web addresses), the address was not anything like a Gmail address!

Gmail’s web address is gmail.com. Nothing else. But for those who do not pay attention (most of us, at times, especially in the middle of the night!), that would be easy to overlook. If I had entered my password on that page, my email account would have been instantly compromised.

My friend had somehow had his email credentials compromised, and someone (who sent emails at 3:00 AM) was sending these to everyone in his address book. The sad thing is that some of the folks who received it fell for it, and had some of their bank accounts compromised, resulting in a big, expensive mess.

There are a few takeaways from this ugly experience:

  1. Don’t click links in emails unless you absolutely trust the sender! Even then (I trusted my friend who sent this, but I also know how easily email can be spoofed), hover your mouse over the link, and the actual place that link will take you will show up at the very bottom left of your browser window (Try it on the links below to see what I mean). Links in my newsletters, for instance, will go to an address that starts with “thegizmologist,” or they will be links to legit news articles.
  2. When you do the above, very long links with a lot of letters and numbers may be suspect. Sometimes they’re just for tracking purposes (like the links in my newsletters), but they can also lead to dodgy sites. The most important part of the link is the first part. For instance, my last week’s newsletter had this link: http://thegizmologist.us3.list-manage.com/track/click?u=11efdf6ca8a769d5396ea79d1&id=cdcffd9833&e=de6476a54e  That’s long with a lot of letters and numbers, but the first part is clearly “thegizmologist.” The rest is just for tracking, so I’ll know if they’re getting read.
  3. Your email password is more important than you think! Ponder, for a moment, what happens when you forget your password to a site: When you click “forgot password” (usually), you are directed to enter your email address, and your password reset will be emailed to you! This means that if someone has access to your email, they also have access to many of your other passwords. If it’s someone you know, Like an ex-spouse or angry boyfriend, they probably also know the answers to your security questions!
  4. If you know the web address you want to visit, type it in the address bar, not the search box. Search results can be easily manipulated.
  5. Any unusual or out-of-character message from a friend should be instantly suspect. Call the friend to see if they actually sent it.
  6. Your reaction to any unusual message that purports to come from a site you frequent should be to close your email and visit the site by typing the address, or use your bookmarks (favorites in Internet Explorer and Edge)
  7. Get to know, intimately, the look of your log-in pages. Gmail, for instance, has never given me a message about “session expired.” Look with deep suspicion at anything out of the ordinary. Look at the address bar to be sure you’re actually at the site you think you’re at.
  8. Install the Web of Trust in all browsers you use. It’s not foolproof, but it is helpful.

https://www.credit.com/personal-finance/4-tips-for-better-internet-safety/

Visit my store for cool gifts and gadgets

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

Click here to read all about it.

Follow me on Twitter:

I’d love to hear your comments!