You’ve been hacked

images-3Someone has hijacked your Facebook account. Your Facebook Friends are receiving emails from you saying you were mugged in Paris. You have great friends; they are already wiring money to you. Other friends are getting emails from you asking them to click on this link to a hilarious new video. Your account is also spewing spam to friends of your Facebook Friends.

What do you do?

First, what you DON’T do: Don’t panic. It happens all the time. It has happened to me. And it happens to Facebook users so often that the security folks at Facebook have become adept at dealing with it.

imagesSTEP ONE: If the hacker has not already changed your password and profile information, log into your Facebook account and change your password. Your new password should be at least eight characters, preferably more, including at least one each of upper-case letters, lower-case letters, numbers, and special characters. Don’t use any words that can be found in a dictionary, English or otherwise. Don’t use birthdates, hometowns, pet’s names or any other information that can be found in your Facebook profile.

It amazes me how many people struggle to invent passwords. They can concoct elaborate and intricate lies about being late for work or school, but they freeze when asked to invent a nonsensical string of characters and numbers. So repeat after me:

I must change my Facebook password at least once a month!

Now, take the first letter of each word, and change “once a month” to 1x/mo.

Your new Facebook password is thus: ImcmFpal1x/mo!

Don’t use this phrase or password, of course. Make up your own.

Still stumped? Try the first line of one of your favorite poems. “Sing in me, Muse, and through me tell the story…” becomes Sim,M,atmtts… But we lack a number. So let’s make the password Sim,M,850BC, because we need a number and 850 B.C. is approximately when Homer lived. But you knew that.

How about a favorite line from the movies? “I’m as mad as hell, and I’m not going to take this any more!” might be shortened and modified to become: I’mng2ttam! (I’m not going 2 take this any more!).

Four score and seven years ago… In 14 hundred and 92 Columbus sailed the ocean blue … You get the drill. The longer and more complex and nonsensical the password, the less likely someone will guess it.

Okay, you’ve changed your Facebook password.

horiz_2stepSTEP TWO: Log out. Now log back in. Go to the address bar in your browser and type, www.facebook.com/hacked/, and hit enter. DO NOT go to your bookmarks bar and choose the bookmark for Facebook, because your hacker might have “redirected” it.

Log back in using your new password.

Now follow the directions that Facebook suggests.

Or, log into Facebook and go to the Help Center and click on the link, “I’ve been hacked.” Same drill.

Once you’re done, log out.

images-1Next step: Upgrade to the latest version of your web browser. Whichever one you use – Chrome, Firefox, Safari, Explorer, etc. – be sure you have the most recent iteration. Browser boffins frequently add new security features. If you’re not using the latest version of your browser, you might be leaving your back door unlocked.  I use Google Chrome, by the way.

Next step: Send a message to your friends. Tell them your account was hacked and warn them not to respond to, and not to click on any links contained in, any unread messages they might have received from you. Urge them to follow the same procedures you’ve just performed to secure your system.

Next step: Facebook offers a free, one-time virus scan. It is quite possible – especially if you use a Windows-based computer – that the Bad Guys have installed nasty software on your computer.

stay-paranoid-and-trust-no-oneAnd now here’s the most important part: Be paranoid. Is Facebook’s software really scanning my computer for viruses? Or is it scanning my computer for personal information that it can then file away and sell to advertisers? Ask yourself, by taking advantage of Facebook’s “free” antivirus scan, am I letting strangers get access to all the personal information on my computer? My bank accounts? My emails? My photo library?

Excellent! Now you’re prepared for the day, some day soon, if you haven’t received it already, when you’ll get an official-looking notice saying something like, “Facebook has detected that malicious strangers are trying to hack your Facebook account. Enter your user name and password now to upgrade to a more secure system.”

Don’t do it.

Posted in Uncategorized | Leave a comment

What’s With All The Spam?

First, apologies to my Facebook Friend Michael Swaine, and to Joy C., Michael’s FF. A recent gust of particularly odious spam had me in a foul mood. Exhibit A:

Marathon spam

I got lots of spam preying on the Boston tragedy. Anyone foolish enough to click on the blind links would have been infected with malware. To wit, Exhibit B:

Screenshot 4:17:13 10:34 AM-2

The bastards are trying to infect the victim’s computer with a poison Java file. Other variants try to dupe the victim into clicking on a link that will redirect to the hacker’s site, where the Blackhole Exploit Kit is operating. Like the face-raping creature in Alien, the exploit kit immediately latches onto the victim’s computer, analyses it for vulnerabilities, and injects various payloads that suck the computer’s blood and turn the computer into a zombie. The blood in this case might include a Facebook account and all the associated access data, and the zombified PC then begins spewing spam to everyone on the Friends list, using the victim’s identity.

So when I received this email (Exhibit C) via Facebook . . .

Screenshot 4:16:13 3:19 PM-2

. . . I posted a message on Michael’s Facebook page saying, “Friends don’t let Facebook friends spam other Facebook Friends.”

Oh, the perils of spontaneous postings. What I meant, and what I would write had I to do it over again, is, “Michael, the Facebook account of your friend Joy apparently has been hacked, and her computer is spamming all your Facebook Friends. You’re a computer wizard. Please help her.”

I don’t know Joy, but I seriously doubt she is an intentional spammer. Scummers (my term for malicious scammer-spammers, as opposed to the merely annoying Green Card spammers) somehow got control of her Facebook account, and probably her computer as well, and then used it to distribute spam to people linked directly or indirectly to her Friends list.

Perhaps you’ve received a similar message from a friend, saying something like: “Help. I’m on vacation in Paris and someone stole my wallet and passport. I hate to ask this, but because you’re a good friend … would you please send me money so I can at least eat and get a hotel until this is sorted out? I’ll pay you back …” Your friend, meanwhile, is safe at home and probably oblivious to the fact that his/her computer and email account has been hijacked. 

Michael wrote back: “I’m sure Joy didn’t spam anybody. Her account got hijacked. So help me help her: what should you do when that happens?”

Michael is the co-author (with Paul Freiberger) of Fire in the Valley: The Making of the Personal Computer, one of my very favorite books about the computer industry. He is a longtime tech writer and columnist and knows far more about bits and bytes than I do. But since he asked, my next post will be “What Should You Do When [that] Happens?”

Posted in Uncategorized | Leave a comment

North Korea nukes

Photo of Condoleeza Rice
Condoleezza Rice

I once asked an impudent question of Condoleezza Rice, the former United States Secretary of State who is now a professor of political science and political economy at Stanford University. If the Bush Administration’s justification for invading Iraq was to stop a tyrant who was suspected of trying to develop weapons of mass destruction, then why has the United States not invaded North Korea?

Flashback: In late 2002, several months before the United States attacked Iraq, President George W. Bush outlined the reasons for military action. According to a White House transcript, Mr. Bush said:

First, some ask why Iraq is different from other countries or regimes that also have terrible weapons. While there are many dangers in the world, the threat from Iraq stands alone — because it gathers the most serious dangers of our age in one place. Iraq’s weapons of mass destruction are controlled by a murderous tyrant who has already used chemical weapons to kill thousands of people. This same tyrant has tried to dominate the Middle East, has invaded and brutally occupied a small neighbor, has struck other nations without warning, and holds an unrelenting hostility toward the United States.

. . . Some ask how urgent this danger is to America and the world. The danger is already significant, and it only grows worse with time. If we know Saddam Hussein has dangerous weapons today — and we do — does it make any sense for the world to wait to confront him as he grows even stronger and develops even more dangerous weapons? … America must not ignore the threat gathering against us. Facing clear evidence of peril, we cannot wait for the final proof — the smoking gun — that could come in the form of a mushroom cloud.

. . . Failure to act would embolden other tyrants, allow terrorists access to new weapons and new resources, and make blackmail a permanent feature of world events. The United Nations would betray the purpose of its founding, and prove irrelevant to the problems of our time. And through its inaction, the United States would resign itself to a future of fear. That is not the America I know. That is not the America I serve. We refuse to live in fear. (Applause.) This nation, in world war and in Cold War, has never permitted the brutal and lawless to set history’s course. Now, as before, we will secure our nation, protect our freedom, and help others to find freedom of their own.

So why is North Korea any different than Iraq, other than the fact that North Korea — unlike Iraq –actually has weapons of mass destruction? Professor Rice bristled at the question. The decision to invade Iraq was based “on the best intelligence we had at the time,” she said. The evidence that Iraq was developing weapons of mass destruction, she said, was as strong a tranche of intelligence as she had ever seen in her career. She did not answer the question about North Korea.

My question was asked of Professor Rice in 2010. The best intelligence we had at the time was that North Korea had already tested at least two nuclear bombs, and was known to be working with Iran to develop long-range missiles and submarines capable of delivering those weapons. We knew that North Korea’s tyrant presided over a nation of famine while diverting foreign aid monies to fuel his nuclear weapons program.

Two months ago, North Korea successfully launched a missile believed to be capable of carrying a warhead more than 6,000 miles. And this week, it successfully detonated a nuclear bomb believed to be in the six- to seven-kiloton range. (The bomb dropped on Hiroshima, Japan, in 1945 was estimated at 12KT to 18KT.)

According to The New York Times, the North Korean National Defense Commission then:

. . . stated clearly, rather than implying, that its nuclear program would now be aimed at the United States — something suggested in the past, for instance, by propaganda posters showing a missile striking what looks like Capitol Hill.

“We do not hide that a variety of satellites and long-range rockets which will be launched by the D.P.R.K. one after another and a nuclear test of higher level will target against the U.S., the sworn enemy of the Korean people,” the statement said, using the abbreviation for the North’s official name, the Democratic People’s Republic of Korea.

This is not to argue for an invasion of North Korea. Rather, it is to question the real reasons we invaded Iraq, and to encourage a rethinking of how to deal with unstable states (e.g. Iran, Pakistan) that either have or are likely to develop nukes.

Photo of Kimjongilia
A Ruby Begonia by any other name … The Kimjongilia. The Kimilsungia is on the left.

A cynic would suggest that we have not invaded North Korea because, unlike Iraq, North Korea does not have oil.

But besides nuclear bombs, missiles and a brutal regime that promises to rain destruction on the United States, North Korea also has the world-famous King of Flowers, the Kimjongilia. The flower — a begonia variant – is said to bloom each year on February 16, the birthday of Dear Leader, Kim Jong-il, father of the current tyrant, Kim Jong-un. It is not to be confused with Kimilsungia, the orchid-like fuchsia flower created for North Korea’s Great Leader, Kim Il-sung. The North Korean News Agency thoughtfully took time out of its busy news schedule this week to remind us of it.

Posted in Fail, Politics | 1 Comment

Unbelievably creative attack in South Carolina

I stole this photo off the Internet using my unbelievably creative hacking skills.

In a previous post we noted that someone cracked the South Carolina Department of Revenue computer system and stole 3.6 million names and Social Security numbers, along with thousands of unencrypted matching credit card numbers. Questioned as to why South Carolina would store all that information without the basic protection of data encryption, South Carolina Gov. Nikki Haley said:

“This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it. This was a sophisticated hacker who creatively looked at the system. This was no simple breach.”

I wrote:

Really? The investigation is under way and the authorities have not yet disclosed the modi operandi of the hacker(s). But my bet is that the hacker simply pwned a state employee into giving up his or her legitimate user ID and password to the Department of Revenue database. We’ll see.

Mandiant, the information security company hired to investigate the breach, issued its report today. It concluded:

1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link,  unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.

In other words, it was a simple breach. Lessons:

  • Any entity — government, commercial, private — that stores highly confidential information should encrypt the data. South Carolina did not.
  • Primates are the weakest link in any data security system. Everyone who has access to sensitive information must be trained in fundamental data security practices. Example: Do not write down your password on a sticky note and paste it to your computer. Do not click on the embedded links or open attachments in emails. Use a different password for every online site you visit. Et cetera.
  • Consumers must demand better online security practices from any company or agency that wants to store their personal data. Companies and government agencies do not like to spend the money necessary to protect customer data, and the customers pay the price.

Possessing your name, address, Social Security number, credit card number, and commonly used password — or just a few of these pieces of information — a cybercrook can steal far more from you than a burglar could get by breaking into your house. Your personal information is valuable and vulnerable. With profound apologies to Shakespeare, let’s paraphrase Iago in Othello:

Who steals my purse steals trash; ’tis something, nothing;
‘Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my personal data
Robs me of that which enriches him,
And makes me poor indeed.

Too many online sites secure your personal data like this . . .

Good-Bye, Money

. . . instead of this:

Fort Knox
Posted in Fail, Quotes | Tagged , , , | Leave a comment