Top of the Ridge

Martha Berry, Ridgecrest, Sherwood Forest – Knoxville TN

   Jan 05

Criminals you won’t see

On top of the ridge, we need to be as vigilant about our cyber-security as we are about the physical security of our neighborhood. Just as we watch our doors and streets, we need to ensure that we’re taking steps to secure our home networks and computers from intrusion by the bad guys. Criminals don’t take days off or observe holidays. Moreover, they can be miles or oceans away from Ridgecrest or Sherwood Forest, hacking at our networks, sneaking into our personal files or bank accounts, stealing passwords or other sensitive information that can lead to identity theft or damage to our devices.

 

Over the next few weeks, I will post information to keep you informed of the cyber-threats that are out there and how you can protect yourself and avoid becoming a victim. Cyber-crimes can affect everyone on a network, especially if they haven’t kept their software and computers up to date.

 

Regardless of what I post or what steps you take to secure the networks or your hardware (your computer, your routers, your iPads), the single most important thing to remember is that you are the strongest defense in preventing a compromise. I’m speaking of “AWARENESS”. You know? If it looks like a duck, walks like a duck and quacks like a duck, it’s probably a duck.

 

The single biggest threat that we’re exposed to is phishing email: those emails you receive that ask you to click on a link to verify your accounts or your passwords. Nothing can prevent you from clicking on that link – no software, no firewall, no virus or malware protection. You click. It’s done.

 

These links can take you to a website where you may see something that “looks” like Yahoo! or Facebook. Meanwhile, a trojan or malware is installed on your machine and starts its work: installing software that monitors your actions or keystrokes and reports them back to a central computer. It’s that quick. Your malware detection software “may” detect it. It may not. If it’s a “Zero-day” exploit, chances are that it won’t.

 

In some cases, these little boogers [<-technical term] can turn on your built-in camera or microphone and record what’s going on. You might as well invite a stranger into your house to shoulder-surf while you put in your American Express number or your PayPal password.

 

I don’t mean to imply that there aren’t legitimate emails that ask you to verify this or that. There are. These “phish” emails can come from someone you know because they have unknowingly clicked on the evil link and compromised their machine, allowing their entire contact list to be harvested and used to attack their contacts, spreading the venom. The name on the email may say “Bob Hillhouse” or “First Tennessee Bank” but the address is something like 123%865@yahoo.com or wneic@hotmail.com. You should never be asked to divulge your login information to ANYTHING by ANYONE.

 

What can you do? Inspect the email. Look at the return email address. Did it come from a known address? Did it get filed in your Spam or Junk folder? Hover over the link in question and see if it goes to a legitimate address (e.g. https://www.firsttennessee.com versus http://somestrangeaddress.de). If you really want to verify it, brush the cobwebs off the phone and do it the old-fashioned way: call them and ask them if they sent it.
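For the technically inclined, the same inspection can be done by a small script. This is an added example, not part of the original post: it checks whether the display name matches the sending domain and whether each link's visible text matches where it really goes. The sample message is constructed from the addresses quoted above, and the `EXPECTED` name-to-domain map is an assumption you would fill in yourself.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message built from the addresses quoted in the post.
SAMPLE = '''From: "First Tennessee Bank" <wneic@hotmail.com>
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<p><a href="http://somestrangeaddress.de/login">https://www.firsttennessee.com</a></p>
'''
# Assumption: display names you recognise, mapped to the domain they really mail from.
EXPECTED = {"first tennessee bank": "firsttennessee.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect_email(raw, expected=EXPECTED):
    """Return a list of warnings about the sender and the links."""
    msg, findings, collector = message_from_string(raw), [], LinkCollector()
    name, addr = parseaddr(msg.get("From", ""))
    domain, want = addr.rpartition("@")[2].lower(), expected.get(name.lower())
    if want and domain != want and not domain.endswith("." + want):
        findings.append(f"sender: {name!r} wrote from {domain}, expected {want}")
    for part in msg.walk():  # also covers multipart messages
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in collector.links:
        target = urlsplit(href)
        if target.scheme != "https":
            findings.append(f"link: {href} is not https")
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != target.hostname:
            findings.append(f"link: text shows {shown}, goes to {target.hostname}")
    return findings
```

Calling `inspect_email(SAMPLE)` returns three warnings: the sender mismatch, the non-https link, and the link whose text and destination disagree. An empty list only means these three checks passed; it does not prove the email is legitimate.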

 

Some definitions you may not know:

 

botnet – a collection of internet-connected computers whose security defenses have been breached and control ceded to a 3rd party. Each such compromised device, known as a “bot”, is created when a computer is penetrated by software from a malware distribution.

 

compromise – To reduce the quality, value, or degree of something. To expose or make liable to danger, suspicion, or disrepute.

 

firewall – a device or application whose primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set.

 

malware – short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

 

phishing – the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

 

shoulder-surfing – In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone’s shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.

 

trojan – a malicious application that masquerades (remember the Spartans?) as a legitimate file or helpful program but whose real purpose is, for example, to grant a hacker unauthorized access to a computer.

 

you – the best defense against cyber-crime

 

Zero-Day Exploit – one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack.
