Saturday 28 September 2013

Cyber Prepper 101

Quick! Your Facebook account's just been hacked and you're locked out of it, and to top it off, a malicious SMS has just erased your mobile.

In a situation like this, would you know anyone's contact details? Would you know what you're doing? In short, can you imagine anything worse? In short, are you prepared for a failure of online life? 

Why bother, is perhaps the first question you may be asking. Well, how about I give you a few thoughts I've been slowly mulling over, and then you decide?

1. Your Online And Mobile Accounts Are An Increasingly Tasty And Tempting Target.
As the number of users of online technology climbs, the sheer volume of targets makes the law of numerical statistics applicable. If hackers can successfully fool one tenth of a percent of the billions of users into revealing account details, or pay $5 for a packet of Viagra that never arrives, you just need to remember that 0.01% of 1,000,000,000 is still 100,000. If you only reach half a billion people with your trojan or your scam email, and one tenth of a percent of those strikes, you've still fleeced 50,000 people.

Also, because we're so increasingly an online society, your mobile phone and email and Facebook accounts will hold more contact details that hackers will exploit. Again, if they can just crack ONE account with all their phishing, that might now give them several hundred email and phone contact details of people that trust you and would probably open an email attachment if they thought you sent it...

2. The Amount Of Computing Power Available To Malicious People Is HUGE And Getting More Powerful All The Time.
There are cloud computing places that are super cheap to use and which provide a hacker with all the password-cracking power they need. There are small graphics-card array based supercomputers that can be leased, or built up by a reasonably savvy hacker. Any one of these advances in technology means that a hacker can be crunching away at more accounts per minute than ever before.

When you consider that some poor luckless bastard has probably had their bank or Paypal account hacked and is the one paying for the extra computing power, the hacker is not going to worry about computer CPU time costs...

3. That Of Course Isn't The Only Two Factors. How About Government Sponsored Hacking?
The biggie - if I were a terrorist country's government, I'd be hacking away at the big utility and government accounts of other countries like crazy. That's a given. Movie scriptwriters have had a field day with showing how vulnerable we are to a determined group of hackers.

But. Hackers need finance. The need money to pay for their computers, online time, cloud computing, and so forth. And the easiest way to get that is still to scam YOU.

So you can add government-supported criminals to the list of DIY hackers and the larger crime organisations that are using spam and phishing as a second income stream. It's all a bit bleak.

4. Never Mind Direct Hacking, Infrastructure Hacking Might Result In The Same Scenario For Us.
Even if these people never directly hack or phish you, there are ways their activities will affect you. If there's no electricity (to cherrypick the most glaring and obvious example) then your PC or laptop or mobile phone will stop working, the ISP server rooms and telecom exchanges and cell towers will go dark when their fuel runs out, and the end result for you will be the same - loss of all your contacts and data that's online.

A more subtle Infrastructure hack might see the telecom cell towers sending out erasure signals to all mobile phones. (Yes, it can be done.) In the ensuing chaos as everyone struggles to remember phone numbers and reinstate their contact lists, you can learn an awful lot about who's connected to who, which people are most likely to hold trust for you and so forth. You can, in short, build a social graph of trust connections. And then exploit those to extract more phishing info.

To a foreign government or body, these kinds of data could be invaluable for building up a plan of attack. For a large corporation, the data uncovered could lead to all sorts of advantages.

The Upshot Is That Your Account Is A More Valuable And Attractive Target To An Ever Increasing Pool Of Criminals Every Passing Day.

So that kind of says (to me) that no matter what, if I stay online and keep a mobile phone, then I'll begin to experience an steadily increasing number of attacks, of increasingly greater sophistication. It doesn't matter which web service I have an account on, it's going to be under more and more pressure from hacking. No matter how careful I am about email, there's going to be one that slips past my discriminating examination and gets opened.

Unless all our technology takes a quantum leap in security overnight, it means I'll almost certainly have some of my personal details (an account screen name and password, a UID and key, or other detail) stolen off some site or other and used to probe my other property online. My best hope is to present as little opportunity to the infiltrator as possible.

Strategies To Minimise Opportunity For Hackers And Phishers.

Make sure you at least have a different password on each site you visit. It's a pain in the arse but it's less of a pain than someone gaining control of every account where you use the same email, password, and/or other identifying information.

One of the strategies I've read about and to some degree implement is to have a different email address for every online property you have, and a different password, and a different screen name. This means that if a phisher gets your email address and password to a social networking site, their next standard procedure becomes useless. (The next standard procedure is to try that email / password combination on financial websites, other social networking sites, ebay and other retail sites, and any other site that might turn a profit for the perpetrator.)

If keeping all those email addresses and their passwords is difficult, I suggest getting a password keeping utility or a notebook. And then set up each email to forward a copy of any email it receives, to your favoured email provider. (It's important to only send a copy, becaue if your favoured primary email gets hacked, you still need to know what's been happening on other properties.)

In order to minimise the damage a hacker can do, list every property you have online. Do you have documents that are important and that hold other identifying information or other account details? Maybe those had better come offline onto a DVD or USB device and the online version overwritten with a less harmful one.

Are there documents and emails that you need and which would be quite disruptive if you lost access to them? Same for those. How about things you'd rather your family and friends didn't get to see? Save them locally and overwrite the online copies with less harmful versions.

Are your facebook contacts only available to you on facebook? Then you need to find a way to save them (and groups you're in, pages you follow, etc) somewhere else, preferably on that USB device.

All your email contacts, are they backed up somewhere? If not, find a way to back them up.

Now to your mobile - can you download the contacts out of it? If so, then do it. Do that for all the texts and photos, and while you're doing it, have a good hard think about the fact that a hacker can do that exactly as easily as you just did it...

One thing I don't advocate is the "change passwords often" policy. Change your passwords (and update your password keeper notebook or software!) as often as you think necessary, and as soon as possible after you regain control of a hacked online property.

But if someone is running a dictionary and brute force attack on one of your accounts, changing the password from "freebledweeble" to "@n0R@k" won't make a lot of difference unless you manage to change it at the precise instant before the brute force software decides to try "freebledweeble"...

If your passwords are good, and different on every site, then they can probably hold out as well as any other password.

So The Unthinkable Happened, I've Been Hacked. What Now?

This is where a little bit of preparedness can help. Those backups, they will help a lot. The recovery scenarios can be of a wide range, you can, for example, get the property back completely untampered. In the worst case, you won't even know you've been compromised, and frankly, any hacker that can do that is way too good anyway. Since you in this case have no way of knowing, then it follows it hasn't affected your life in any way. (Since any other scneario - "oh, my Paypal has been used to buy a laptop in China!" would lead you to the conclusion that you know the account's been hacked.)

The more common scenario is that the provider of the online property themselves will inform you that your account may have been compromised. In this case, change the password (through the normal channels, not through any claimed "online security review" link in the email or information. If the hacker has changed the password, use your normal channels to contact the provider and regain your property.

Once you have control back and are pretty sure you didn't just give the new password to the very hacker that compromised it in the first place, go and check that all your data are still there. If this is an email or social media account, check with your contacts that you haven't sent out any weird communications, and tell them all to ignore anything you may have sent during the period the hacker had control of your account. You may save someone else the experience.

In some cases you may get the property back with corrupted data. Some hackers will do this because it can often hide how many other people they tried to compromise. If you have backups, this will help you to recover your data and (if necessary) warn your contacts that they may also have been targeted.

In the case of the phone, check the manufacturer's website, they often have utilities that will help restore contacts and messages and data - if you backed them up, that is - and that should see you back in operation in very short order.

In the case of websites, I've found that many allow you to download and backup your data, but very few have a restore function... In which case, you're either stuck with manually re-entering and uploading all the data, or emailing their tech support to ask for a tool to restore the account.

In the most extreme of cases, you may never get your property back. The hackers my corrupt the account beyond useability, or the provider may not have any methods in place for returning / restoring accounts, or any of a number of other reasons. The point is - do you want such a piece of shit? If you do, and you can't get that same account back, then you may be stuck with making a new and almost identical account (remember to use a different email address to the last account, too) and repopulating that with the data you saved.

SUMMARY:

With an increase in the amount of computing power available to Bad People, an increasing reliance on online communications, data, and business, and an increasing number of people using these, it's inevitable that phishing, hacking, infrastructure and organisational network compromise, will all increase at an exponential rate.

This makes it very likely that at least one of a person's online properties will at some stage be hacked.

Therefore, it makes sense to ensure that one hack won't compromise all one's other online properties, by making sure they aren't all using the same email, UID, and password as their secure key.

The other thing we should aim for is that if a property is deleted or otherwise corrupted, that we have a backup recovery plan.

Visit Ours From The Heart Art and help support my work!

No comments: