How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous source of supposedly secret data, managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, whom I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now.

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad newer than 2013 can run this OS).

For Android devices (both phones and tablets), any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.

Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it¹, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.


¹ Just turning the TV off with your remote does not turn it off. It’s still in listening mode, and a malicious hacker can also turn on the camera — yes, SmartTVs have cameras. So watch the hanky-panky in front of your TV — someone may be watching.

Creepy new smartphone surveillance tricks

One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)

It seems that some phone apps (but it’s not clear which ones) activate your smartphone’s microphone, and listen for signals being sent from your TV or computer. When it hears that signal (it’s not clear whether the signal is inaudible or masked in other noise) it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.

What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it:

The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).

Apparently the Federal Trade Commission was a little creeped out by this too, and told them to start warning people they were doing this. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. They claim that no US companies are using their service, but some have questioned that, since the list of companies they contract with is a secret.

Here’s another, perhaps a little less panicked view. Still, I’d recommend that when you install a new app, and it asks whether you want it to use the microphone, you might want to say ‘no’.

Interestingly, the Nielsen company (the ones who track who’s watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. They ask their raters to wear a ‘pager’ that also listens to the TV or radio for subsonic tones identifying which program is on. But of course, Nielsen contracts with the people wearing the pager, and pays them to do so.

For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.

Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.

Anatomy of a Phishing Onslaught

Recently Wayne State University was attacked, a small skirmish in a diffuse, ongoing cyberwar, albeit without a single, defined enemy. This is an account of what happened, why it happened, and how the university responded. I have tried to make the explanation of each event relatively non-technical, but a certain amount of geekery seems unavoidable.

On May 11, at 9:48 in the morning, 182 University computers received an email message from a computer belonging to a local contractor who was doing work on the WSU campus. The message had the subject line ‘invoice’, and the text of the message said merely ‘Check invoice’. There was a zip file attached. A zip file is a data file that has been ‘compressed’ so it can travel more easily over the tight ‘passages’ of the email system. It’s a perfectly respectable way of making large files (such as pictures, pdf files and such) fit within email size limits.

However, when the recipients clicked on the file labeled ‘invoice123.zip’, it extracted into a file named ‘e9058.pdf’, which showed up on the screen as a file with an attached (blurry) image of the Adobe Acrobat logo, making it look like a real pdf. When the recipients with Windows computers (but notably not Macs or Linux machines) then ‘opened’ the pdf file, the following things happened:

  1. that person’s computer connected to some external websites;
  2. from those sites it downloaded additional malware, which proceeded to search the computer for personal banking logins;
  3. it then connected to remote ‘command and control’ servers, passing control of the computer overseas;
  4. finally, it looked in the local Outlook address book and used it to send the infecting email message to the addresses it found there.
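A defender-side check for the attachment trick described above, added here as an example and not code from the original post or from C&IT: it inspects a zip attachment in memory and reports any member whose content is a Windows executable even when its name ends in .pdf, or whose name carries an executable extension. The archive it builds is constructed for the example and is not the real ‘invoice123.zip’.

```python
import io
import zipfile
from typing import List

# File-type signatures used by the check (first bytes of the file).
PE_MAGIC = b"MZ"       # Windows executable (EXE, DLL, SCR, ...)
PDF_MAGIC = b"%PDF"    # every genuine PDF starts with this header

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(data: bytes) -> List[str]:
    """Inspect a zip attachment held in memory and return a list of findings.

    A member is reported when its name carries an executable or script
    extension, when its content starts with a Windows executable header
    (an EXE named to look like a document, the kind of disguise the
    'e9058.pdf' file above used), or when it is named .pdf but lacks the
    PDF header.  An empty list means nothing suspicious was found.
    """
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        lower = name.lower()
        # Only the first few bytes are needed to recognise the real type.
        with archive.open(info) as member:
            head = member.read(8)

        if lower.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"{name}: executable or script extension")
        if head.startswith(PE_MAGIC):
            findings.append(f"{name}: content is a Windows executable (MZ header)")
        elif lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
            findings.append(f"{name}: named .pdf but content is not a PDF")
    return findings


def build_sample_zip() -> bytes:
    """Build a constructed sample archive (not the real attachment) holding a
    fake PDF that is really a PE executable plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("e9058.pdf", b"MZ\x90\x00" + b"\x00" * 60)   # PE header
        zf.writestr("notes.pdf", b"%PDF-1.4\n% constructed sample body\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print("SUSPICIOUS:", finding)
```

Run at the mail gateway, a check like this would have stopped the zip file on its first delivery rather than after the filters were added by hand.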

It took about an hour for the first three computers to get infected, but the attack was discovered by the C&IT Security office after the second computer began spreading the virus. Between the time that the second computer was detected and when it was shut off from the network, seven minutes elapsed, and during those seven minutes that computer sent out 4462 virus emails.

By the time the third computer was infected, C&IT’s security office was able to take action to stop the further spread of the virus. A set of filters on the WSU email system blocked transmission of the zip file, but by noon 150 computers had been infected, and 111 of them were sending out email with the attached zip file.

You might wonder why our Symantec antivirus software didn’t detect the infection when the attachment was opened. The answer is that Symantec (and all other antivirus systems) rely on known virus ‘signatures’ (identifying features), and this was what is known as a ‘zero-day’ attack—a brand new virus never before seen ‘in the wild’. It takes the antivirus people a day or so to develop the specific tools needed for each new virus and distribute them to their users.

In addition, because the virus relied on Outlook address books, people got email from people they knew, who did occasionally send them invoices.

The spread of the virus was effectively stopped by 11:50. Our security team isolated it and determined that it was connecting our computers to Serbia and Ukraine. The Security team then set the university firewall to block connections there, and identified all of the infected computers.

In order to clean up the infection those machines maintained by C&IT (i.e. managed by the DeskTech unit) were reformatted, and outside of the DeskTech domain local administrators were given guidance on how to clean the machines under their control.

In addition, within the DeskTech domain a program called AppLocker was turned on. This prevents computers from running software that does not have an appropriate signature, or that is installed in nonstandard places on a computer (i.e. not in Program Files). Unfortunately this broke a number of specialized programs that various people around campus relied upon, and special rules had to be written to fix this.

By the evening only a few infected computers were not yet fixed, and the original attacker used that to their advantage. Overnight new instructions were passed down to these few straggling machines, and the next day a new attack was launched, sending attachments with different names, but the same modus operandi. These were blocked within 20 minutes of the first occurrence, but to ensure no further attacks, there was a temporary block placed on all zip files sent through the email system. Since there are many legitimate uses of zip files, this block will be ended shortly.

Meanwhile, everyone who was affected was required to change their WSU passwords. Careful examination of system logs showed that four of those AccessIDs were tried from Russia (while their owners were at work on campus) but none of the logins succeeded, so apparently no passwords were compromised.

What can we learn from this adventure?

The faster the IT security guys can act, the less harmful the infection. Forwarding suspicious emails to the Security Office (or dragging them to the Phishing applet in Wayne Connect) is valuable. A delay of even an additional hour could have been catastrophic for the campus.

Smooth coordination between the security office and desktop support enabled the spread of the infection to be halted quickly.

We continually remind folks not to click on attachments they don’t expect from people they don’t know. Now we need to modify this—don’t click on any attachment, regardless of sender, unless you are sure it is safe. The text of the email message should reference the content of the attachment, and you should be expecting that content. If it doesn’t, either phone the sender or just delete it.

Finally, if you’d like to learn more about how to resist phishing attempts, you can take the anti-phishing training we make available through Accelerate, HR’s online training system. To get there, log in to Academica, then search for ‘Accelerate’ in the search box (unless you’ve already been there, in which case it should show up in your personalized links). Start Accelerate, then Browse the Catalog, C&IT Security Awareness Program, and finally PhishProof (Part 3), Launch.

This month, learn not to get phished!

As you’ve heard, this month is National Cyber Security Awareness Month. Wayne State has decided to celebrate by helping folks develop awareness of phishing techniques. By now everyone should be familiar with phishing (note I don’t even use ‘scare quotes’ to mark the word). But even though we read about it in the papers, and online, a scary number of our colleagues got phished in the past twelve months. Some of them were tricked into getting their direct deposit checks rerouted to a pop-up bank in Nigeria (really!) while others got their computers infected and had to have them reformatted, occasionally losing the data stored on them. And yes, I’m talking about our Wayne State colleagues, not people somewhere else.

C&IT has developed a quiz designed specifically for the Wayne State community. It is intended to help you recognize the warning signs in a phishing message. We’re hoping that heightened awareness and some training (hidden in the quiz) will help protect not only you, but the entire WSU community.

We will be sending out an invitation by email to participate in the ‘survey’. Every completed quiz will be automatically entered in a drawing to win one of two prizes. Students are eligible for a $100 gift card to Barnes & Noble. Employees are eligible for a Wayne State prize pack. Winners will be notified in early November.

My next blog will include specific tips on how to recognize phishing email messages, such as hovering over any links to see whether what pops up matches the text you can see (and also whether, if it claims to come from Wayne State, it has a .wayne.edu address).
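The hover check just described, written out as an added example (not code from the original post or from C&IT): it pulls every link out of an HTML email that claims to come from Wayne State, compares the host the link text shows against the host the link really goes to, and checks that the real host is wayne.edu or a subdomain of it. The sample message is constructed for the example; the domain names in it are placeholders.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAIN = "wayne.edu"   # a genuine WSU link should carry this domain

# Visible anchor text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case host of a URL (a bare host name is accepted too)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host: str) -> bool:
    # wayne.edu itself or a subdomain; 'wayne.edu.example.net' does not pass.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def check_email_links(html_body: str) -> List[str]:
    """Report links whose visible text names a different host than the real
    target, and links that lead anywhere other than a wayne.edu address."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""
        if shown and shown != real:
            findings.append(f"text shows {shown} but the link goes to {real}")
        elif not is_trusted(real):
            findings.append(f"link goes to {real}, not a {TRUSTED_DOMAIN} address")
    return findings


# Constructed sample message (not a real phish): the first link's text claims
# login.wayne.edu but its href points elsewhere; the second link is genuine.
SAMPLE_EMAIL = """<p>Access to your email has been suspended. Log in at
<a href="http://wayne-edu.example.net/login">https://login.wayne.edu</a>
to restore it, or read the <a href="https://login.wayne.edu/help">help page</a>.</p>"""
```

Calling check_email_links(SAMPLE_EMAIL) reports only the first link, which is exactly what a careful reader would see when hovering over it.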

So watch your mailboxes for more on this topic.

Oxford University Blocks Google Docs

There was an uproar among the university IT security professionals around the world yesterday. Oxford University (yes, that Oxford) blocked access to Google Docs from its campus on Monday.

In case you haven’t heard of it, Google Docs is a very powerful online collaboration tool. You can treat it like an online word processor or spreadsheet, which you can then access from anywhere you can log in to Google (i.e. from any computer anywhere in the world, or from a tablet or smartphone).

But you can also use it to collect data from the web. You can set up a Google Docs form, which you can then publish, and people can visit it and fill out the form, and you’ll get a spreadsheet with all their data. So, for example, you could do an online course evaluation–set up some questions, give your students the URL (web address) and they can fill it out. It does not record who fills it out (assuming you’ve set it up that way), so responses are anonymous. Last semester I set up an informal mid-semester course evaluation because I was teaching a new course in a subject that was new to me (Computers and Linguistics), and the feedback was very valuable. Many faculty around the world are using it for that, and for many other purposes.

However, phishers around the world are using it for something else–they make it look like a log-in screen from the university’s Help Desk, and ask people to enter their AccessID and password. This gives them a nice database of university credentials, which can then be used to take over (in webspeak, pwn) many university-based machines. Those machines can then be used to run spam campaigns.

Wayne State received such an attack a couple of weeks ago, and we advised anyone who asked us to tell Google about it. They will respond by taking the form down (there is a ‘report abuse’ button on every form).

So what happened at Oxford? The IT security folks there thought it was taking Google too long to react to complaints (a day is way too long–you could collect hundreds of sets of credentials by then), so they thought they’d teach the Oxford community a lesson by temporarily blocking all access to Google Docs. You can read their (very long, but entertaining) message here. As you might expect, this caused considerable consternation on the Oxford campus, and around the world. I subscribe to a security listserv and there was a flurry of posts either approving or not of Oxford IT’s decision. It later got picked up in other university news sources, such as Inside Higher Ed and the Chronicle of Higher Education.

Take-away: phishing is getting more sophisticated. NEVER put your credentials into a link provided in an email, not even ‘from’ C&IT.

The access to your email is NOT suspended

Many people today got an email message warning them that access to their email had been suspended. This is, of course, phishing.

The message looked like this:

(image: the phishing email)

It encourages you to click on a link which will take you to a Google Doc which looks like this:

(image: the Google Docs phishing site)

Needless to say, don’t fill it in. In fact, don’t even click on the link in the first place. Unfortunately, this particular brand of phishing, which uses Google’s resources, can’t be blocked, because lots of us use Google Docs for perfectly legitimate purposes.

Ultimate lesson: never click on a link in an email and then enter your Wayne State AccessID and password. Wayne State will never send you a log-in link. Instead we will tell you to type in the address or use your bookmarks. That way you always know where in cyberspace you are.

October is National Work and Family Month and…

Filipino American History Month (not to mention LGBT History Month) and several other months too. And October 27 is National Pit Bull Awareness Day.

But, seriously, folks, it’s also National Cyber Security Awareness Month, and C&IT is taking the occasion to ‘raise awareness’ of phishing as an internet danger.

Most people now know what phishing is: an attempt by crooks to get you to visit a website or download a file to your computer that will infect your computer (or your smartphone, or tablet) and either steal data from it or use it to send additional spam, or even help launch Denial of Service attacks.

In 2012 most users have no idea what their computer (tablet, smartphone) is doing ‘behind their backs’. For example, tiny files are deposited on your computer all the time when you visit websites (these files are called ‘cookies’, and they make it easier for you to log in to Wayne Connect, or order stuff from Amazon, or buy airline tickets). Unless you’re geeky, like some of my colleagues, you have no idea what cookies your computer might be harboring, and that’s generally not a danger.

But some websites put much more malicious items on your computer. For example, programs that snatch control of your computer and use it to send out spam. Even porn-based spam. Or the program might send out tens of thousands of messages to a particular, targeted website (say Walmart, or the White House). If enough infected computers do this, the net effect is to break the targeted website so it can’t function. These attacks are called Distributed Denial of Service (DDoS) attacks, and programs downloaded without your knowledge are used to do this.

Another way that your computer can be seized (metaphorically) is through opening attachments that are designed to do the same thing–surreptitiously put programs on your computer. And we all get messages saying things like ‘please see the attachment for important information’ or something like that.

Now, you may think you’d never fall for these tricks, but in early September several of your Wayne State colleagues did, and their computers were ‘pwned’ (cute internet slang for ‘taken over by cybercrooks’) and sent out tons of spam. As a result all of Wayne State email was marked as spam by Microsoft (who run Hotmail and its successors), and nobody at Wayne could contact anyone with a Hotmail or .msn address. Many of us were handicapped by this until we could persuade Microsoft that we were good guys after all.

So, C&IT is going to be running a campaign to teach folks how to recognize phishing messages and what to do when you receive one. And this blog entry is one of the opening salvos in that campaign. Anticipate hearing lots more about this, including an exciting contest with clever prizes.
And happy National Bullying Prevention Month.

There is no ‘WSU news forum’–don’t click!

You probably got an email from ‘Technical Support’ or ‘Helpdesk’ telling you to log in to the WSU news forum. And there was a link. And, if you weren’t reading really closely, you didn’t notice that it didn’t have a .wayne.edu address, so you clicked on it.

If you’re lucky, as I was, nothing happened. This particular piece of phishing doesn’t seem to come with anything REALLY bad, but still, it’s a scam, so don’t get taken in.

DON’T CLICK ON IT!!!!!

New and improved phishing tricks

I received a couple of phishing emails in the past few days that struck me as more imaginative than previous versions.

One, purportedly from booking.com (a real website, incidentally), has an attached zip file (that I haven’t looked at, of course).

Here’s what the message looks like (note that the phone numbers themselves were real, and at least one of them is harmless, but I edited them anyway):

Booking.com online hotel reservations

Booking confirmation
884358019

Date: Tuesday, 14 February 12 Adobe Inn

Dear,

We have received a reservation for your hotel.

Please refer to attached file now to acknowledge the reservation and see the reservation details: 


Arrival: Sunday, 19 February 12 Number of rooms: 1

If you have any questions regarding this reservation, please feel free to contact us. Telephone: English support 1 888 xxx-xxxx, Spanish support 1 866 xxx-xxxx; Fax 1 866 xxx-xxxx; E-mail customer.service@someplace.somewhere

Yours sincerely, Booking.com

Needless to say, I haven’t booked anything with these folks, but it would be very tempting to open the zip file just to see what this is all about.

And very dangerous. The zip file probably contains a program which will run upon being unzipped, and will infect your computer.

An even weirder one came late last week. I’ve never seen anything like it, so I’ll just copy the text here and you can enjoy…

ATTN.

Read this letter very carefully, and fail to ask how I got your
Contact because I do not want to reveal my identity, and this could be
The last one you read from me if you fail to co-operate.

I run a Cathel we have been paid to assassinate you. I have every
reason to carry out my mission cause i have been paid for it but I
decided to give you a chance and your life and that of your family
from the endless pain.

I was paid 50,000Usd to kill you.But the allegation brought to me was
not enough reason for me to just kill a person like you and make your
family suffer a very big lost .i also have your picture with me .

I will give you AFTER GUIDELINES ON WHAT TO DO NEXT, to avoid this and
save your SELF and your family. For Your Own Good, must keep to your
self BECAUSE YOU DO NOT KNOW WHO IS AGAINST YOU,I want you to keep
this as a secret until i forward you the video tape of the people that
wants you assassinated so that you can nail them down after while am
gone..

I really don’t know why i want to help you but thank your stars cause
i have killed about 65 Business men and woman withing the past two
Months. eyes are on you so don’t try anything stupid . Get back to me
as soon as you get this message so that i can tell you all to do for
the safety of your life.

NOTE:YOUR LIFE IS VERY IMPORTANT AND YOU DON’T HAVE A SECOND LIFE ACT
FAST AND WISE.

Bottom line: don’t believe any message that asks you to phone or email anybody unless you already know who they are, and know that the addressee is correctly spelled.