What do you do?

First, what you DON’T do: Don’t panic. It happens all the time. It has happened to me. And it happens to Facebook users so often that the security folks at Facebook have become adept at dealing with it.

STEP ONE: If the hacker has not already changed your password and profile information, log into your Facebook account and change your password. Your new password should be at least eight characters, preferably more, including at least one each of upper-case letters, lower-case letters, numbers, and special characters. Don’t use any words that can be found in a dictionary, English or otherwise. Don’t use birthdates, hometowns, pet’s names or any other information that can be found in your Facebook profile.

It amazes me how many people struggle to invent passwords. They can concoct elaborate and intricate lies about being late for work or school, but they freeze when asked to invent a nonsensical string of characters and numbers. So repeat after me:

I must change my Facebook password at least once a month!

Now, take the first letter of each word, and change “once a month” to 1x/mo.

Your new Facebook password is thus: ImcmFpal1x/mo!

Don’t use this phrase or password, of course. Make up your own.

Still stumped? Try the first line of one of your favorite poems. “Sing in me, Muse, and through me tell the story…” becomes Sim,M,atmtts… But we lack a number. So let’s make the password Sim,M,850BC, because we need a number and 850 B.C. is approximately when Homer lived. But you knew that.

How about a favorite line from the movies? “I’m as mad as hell, and I’m not going to take this any more!” might be shortened and modified to become: I’mng2ttam! (I’m not going 2 take this any more!).

Four score and seven years ago… In 14 hundred and 92 Columbus sailed the ocean blue … You get the drill. The longer and more complex and nonsensical the password, the less likely someone will guess it.

Okay, you’ve changed your Facebook password.

STEP TWO: Log out. Now log back in. Go to the address bar in your browser and type, www.facebook.com/hacked/, and hit enter. DO NOT go to your bookmarks bar and choose the bookmark for Facebook, because your hacker might have “redirected” it.

Log back in using your new password.

Now follow the directions that Facebook suggests.

Or, log into Facebook and go to the Help Center and click on the link, “I’ve been hacked.” Same drill.

Once you’re done, log out.

Next step: Upgrade to the latest version of your web browser. Whichever one you use – Chrome, Firefox, Safari, Explorer, etc. – be sure you have the most recent iteration. Browser boffins frequently add new security features. If you’re not using the latest version of your browser, you might be leaving your back door unlocked.  I use Google Chrome, by the way.

Next step: Send a message to your friends. Tell them your account was hacked and warn them not to respond to, and not to click on any links contained in, any unread messages they might have received from you. Urge them to follow the same procedures you’ve just performed to secure your system.

Next step: Facebook offers a free, one-time virus scan. It is quite possible – especially if you use a Windows-based computer – that the Bad Guys have installed nasty software on your computer.

And now here’s the most important part: Be paranoid. Is Facebook’s software really scanning my computer for viruses? Or is it scanning my computer for personal information that it can then file away and sell to advertisers? Ask yourself, by taking advantage of Facebook’s “free” antivirus scan, am I letting strangers get access to all the personal information on my computer? My bank accounts? My emails? My photo library?

Excellent! Now you’re prepared for the day, some day soon, if you haven’t received it already, when you’ll get an official-looking notice saying something like, “Facebook has detected that malicious strangers are trying to hack your Facebook account. Enter your user name and password now to upgrade to a more secure system.”

Don’t do it.

I got lots of spam preying on the Boston tragedy. Anyone foolish enough to click on the blind links would have been infected with malware. To wit, Exhibit B:

The bastards are trying to infect the victim’s computer with a poison Java file. Other variants try to dupe the victim into clicking on a link that will redirect to the hacker’s site, where the Blackhole Exploit Kit is operating. Like the face-raping creature in Alien, the exploit kit immediately latches onto the victim’s computer, analyses it for vulnerabilities, and injects various payloads that suck the computer’s blood and turn the computer into a zombie. The blood in this case might include a Facebook account and all the associated access data, and the zombified PC then begins spewing spam to everyone on the Friends list, using the victim’s identity.

So when I received this email (Exhibit C) via Facebook . . .

. . . I posted a message on Michael’s Facebook page saying, “Friends don’t let Facebook friends spam other Facebook Friends.”

Oh, the perils of spontaneous postings. What I meant, and what I would write had I to do it over again, is, “Michael, the Facebook account of your friend Joy apparently has been hacked, and her computer is spamming all your Facebook Friends. You’re a computer wizard. Please help her.”

I don’t know Joy, but I seriously doubt she is an intentional spammer. Scummers (my term for malicious scammer-spammers, as opposed to the merely annoying Green Card spammers) somehow got control of her Facebook account, and probably her computer as well, and then used it to distribute spam to people linked directly or indirectly to her Friends list.

Perhaps you’ve received a similar message from a friend, saying something like: “Help. I’m on vacation in Paris and someone stole my wallet and passport. I hate to ask this, but because you’re a good friend … would you please send me money so I can at least eat and get a hotel until this is sorted out? I’ll pay you back …” Your friend, meanwhile, is safe at home and probably oblivious to the fact that his/her computer and email account has been hijacked. 

Michael wrote back: “I’m sure Joy didn’t spam anybody. Her account got hijacked. So help me help her: what should you do when that happens?”

Michael is the co-author (with Paul Freiberger) of Fire in the Valley: The Making of the Personal Computer, one of my very favorite books about the computer industry. He is a longtime tech writer and columnist and knows far more about bits and bytes than I do. But since he asked, my next post will be “What Should You Do When [that] Happens?”

I once asked an impudent question of Condoleezza Rice, the former United States Secretary of State who is now a professor of political science and political economy at Stanford University. If the Bush Administration’s justification for invading Iraq was to stop a tyrant who was suspected of trying to develop weapons of mass destruction, then why has the United States not invaded North Korea?

Flashback: In late 2002, several months before the United States attacked Iraq, President George W. Bush outlined the reasons for military action. According to a White House transcript, Mr. Bush said:

First, some ask why Iraq is different from other countries or regimes that also have terrible weapons. While there are many dangers in the world, the threat from Iraq stands alone — because it gathers the most serious dangers of our age in one place. Iraq’s weapons of mass destruction are controlled by a murderous tyrant who has already used chemical weapons to kill thousands of people. This same tyrant has tried to dominate the Middle East, has invaded and brutally occupied a small neighbor, has struck other nations without warning, and holds an unrelenting hostility toward the United States.

. . . Some ask how urgent this danger is to America and the world. The danger is already significant, and it only grows worse with time. If we know Saddam Hussein has dangerous weapons today — and we do — does it make any sense for the world to wait to confront him as he grows even stronger and develops even more dangerous weapons? … America must not ignore the threat gathering against us. Facing clear evidence of peril, we cannot wait for the final proof — the smoking gun — that could come in the form of a mushroom cloud.

. . . Failure to act would embolden other tyrants, allow terrorists access to new weapons and new resources, and make blackmail a permanent feature of world events. The United Nations would betray the purpose of its founding, and prove irrelevant to the problems of our time. And through its inaction, the United States would resign itself to a future of fear. That is not the America I know. That is not the America I serve. We refuse to live in fear. (Applause.) This nation, in world war and in Cold War, has never permitted the brutal and lawless to set history’s course. Now, as before, we will secure our nation, protect our freedom, and help others to find freedom of their own.

So why is North Korea any different than Iraq, other than the fact that North Korea — unlike Iraq –actually has weapons of mass destruction? Professor Rice bristled at the question. The decision to invade Iraq was based “on the best intelligence we had at the time,” she said. The evidence that Iraq was developing weapons of mass destruction, she said, was as strong a tranche of intelligence as she had ever seen in her career. She did not answer the question about North Korea.

My question was asked of Professor Rice in 2010. The best intelligence we had at the time was that North Korea had already tested at least two nuclear bombs, and was known to be working with Iran to develop long-range missiles and submarines capable of delivering those weapons. We knew that North Korea’s tyrant presided over a nation of famine while diverting foreign aid monies to fuel his nuclear weapons program.

Two months ago, North Korea successfully launched a missile believed to be capable of carrying a warhead more than 6,000 miles. And this week, it successfully detonated a nuclear bomb believed to be in the six- to seven-kiloton range. (The bomb dropped on Hiroshima, Japan, in 1945 was estimated at 12KT to 18KT.)

According to The New York Times, the North Korean National Defense Commission then:

. . . stated clearly, rather than implying, that its nuclear program would now be aimed at the United States — something suggested in the past, for instance, by propaganda posters showing a missile striking what looks like Capitol Hill.

“We do not hide that a variety of satellites and long-range rockets which will be launched by the D.P.R.K. one after another and a nuclear test of higher level will target against the U.S., the sworn enemy of the Korean people,” the statement said, using the abbreviation for the North’s official name, the Democratic People’s Republic of Korea.

This is not to argue for an invasion of North Korea. Rather, it is to question the real reasons we invaded Iraq, and to encourage a rethinking of how to deal with unstable states (e.g. Iran, Pakistan) that either have or are likely to develop nukes.

A cynic would suggest that we have not invaded North Korea because, unlike Iraq, North Korea does not have oil.

But besides nuclear bombs, missiles and a brutal regime that promises to rain destruction on the United States, North Korea also has the world-famous King of Flowers, the Kimjongilia. The flower — a begonia variant – is said to bloom each year on February 16, the birthday of Dear Leader, Kim Jong-il, father of the current tyrant, Kim Jong-un. It is not to be confused with Kimilsungia, the orchid-like fuchsia flower created for North Korea’s Great Leader, Kim Il-sung. The North Korean News Agency thoughtfully took time out of its busy news schedule this week to remind us of it.

In a previous post we noted that someone cracked the South Carolina Department of Revenue computer system and stole 3.6 million names and Social Security numbers, along with thousands of unencrypted matching credit card numbers. Questioned as to why South Carolina would store all that information without the basic protection of data encryption, South Carolina Gov. Nikki Haley said:

“This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it. This was a sophisticated hacker who creatively looked at the system. This was no simple breach.”

I wrote:

Really? The investigation is under way and the authorities have not yet disclosed the modi operandi of the hacker(s). But my bet is that the hacker simply pwned a state employee into giving up his or her legitimate user ID and password to the Department of Revenue database. We’ll see.

Mandiant, the information security company hired to investigate the breach, issued its report today. It concluded:

1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link,  unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.

In other words, it was a simple breach. Lessons:

• Any entity — government, commercial, private — that stores highly confidential information should encrypt the data. South Carolina did not.
• Primates are the weakest link in any data security system. Everyone who has access to sensitive information must be trained in fundamental data security practices. Example: Do not write down your password on a sticky note and paste it to your computer. Do not click on the embedded links or open attachments in emails. Use a different password for every online site you visit. Et cetera.
• Consumers must demand better online security practices from any company or agency that wants to store their personal data. Companies and government agencies do not like to spend the money necessary to protect customer data, and the customers pay the price.

Possessing your name, address, Social Security number, credit card number, and commonly used password — or just a few of these pieces of information — a cybercrook can steal far more from you than a burglar could get by breaking into your house. Your personal information is valuable and vulnerable. With profound apologies to Shakespeare, let’s paraphrase Iago in Othello:

Who steals my purse steals trash; ’tis something, nothing;
‘Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my personal data
Robs me of that which enriches him,
And makes me poor indeed.

Too many online sites secure your personal data like this . . .

. . . instead of this:

PALO ALTO, Calif. — The Hewlett-Packard Company disclosed today that it may be too stupid to survive. In announcing its fourth quarter and full year results for 2012, the hardware company said it would write off $8.8 billion of the $10.5 billion it spent to acquire a software company just last year.

Beginning in 2001, under then-chief executive Carleton S. Fiorina, HP has spent $66.25 billion on acquisitions – and that’s just counting the deals valued at $1 billion more.

HP’s total market capitalization today: $23 billion. By any measure, that’s a stunning destruction of shareholder value.

HP said the $8.8 billion write-down today followed its discovery that the software company it bought just last year was worth only a fraction as much as HP thought it was. (HP accused the company, Autonomy, of a multibillion-dollar accounting fraud. Autonomy’s former chief executive, Mike Lyons denied HP’s allegations.)

If HP’s assertions about Autonomy are true, the question is: How did an $8.8 billion accounting fraud get past HP’s accountants and lawyers? How did it get past the HP board of directors?

And as long as I’m asking questions, here’s another: What the heck is Autonomy, anyway? Here’s what it says on the company web site:

Autonomy, an HP company, is a market-leading software company that helps organizations all over the world understand the meaning in information. A pioneer in its industry, Autonomy’s unique meaning-based technology is able to make sense of and process unstructured, ‘human information,’ and draw real business value from that meaning.

Too bad HP was not able to use that software to draw real value from its string of disastrous acquisitions.

Someone snuck into the South Carolina Department of Revenue database in August and made off with the names and Social Security numbers of 3.6 million South Carolinians. (To put it in perspective, the population of the entire state is 4.6 million.) Some 387,000 of those names and Social Security numbers were paired with credit card information.

All of the Social Security numbers and thousands of the credit card numbers were unencrypted.

Why would any government agency — or private company, for that matter – store such sensitive personal information in an unencrypted database?

While the breach occurred in August, it was not discovered until Oct. 10, and not made public until late last week. At a news conference this week, South Carolina Gov. Nikki Haley explained:

The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt, a lot of those agencies that you think might encrypt Social Security numbers actually don’t, because it is very complicated, it is cumbersome, and there’s a lot of numbers involved with it.

I have no idea who is in charge of data security for the state of South Carolina, but I cannot imagine him or her saying, “Governor, let’s not encrypt sensitive taxpayer information because, you know, it’s just too darned complicated and there are too many numbers involved with it.” More likely, the numbers were preceded with a dollar sign and the budget overseers said no.

Gov. Haley, whose autobiography is titled “Can’t Is Not an Option,” also insisted that stopping hackers is not an option.  ”If the CIA can be hacked into, anybody can be hacked into.”

“This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it,” Gov. Haley said. “This was a sophisticated hacker who creatively looked at the system. This was no simple breach.”

Really? The investigation is under way and the authorities have not yet disclosed the modi operandi of the hacker(s). But my bet is that the hacker simply pwned a state employee into giving up his or her legitimate user ID and password to the Department of Revenue database. We’ll see.

The bottom line is this: If you assume that your system is going to be hacked — probably a good assumption if there are human beings involved — and you have sensitive information to protect, then it is absolutely essential to use strong encryption. If the thief makes off with encrypted data, all he will get is gibberish.

UPDATE Nov. 16, 2012: From ThreatPost: “NASA has enacted new policies to protect employee and other sensitive information after a laptop was stolen from an employee’s locked vehicle, exposing records of personal information on a “large number” of NASA employees. The laptop was not protected by whole disk encryption, NASA officials said, putting an undisclosed number of employees at risk for identity theft and other abuses of personal data. . . . In March 2011, a laptop was stolen that contained algorithms used to control the International Space Station; one of 48 laptops stolen between 2009 and 2011. As of Feb. 1, one percent of NASA laptops were encrypted.”

While observing and participating in many early online discussions, my friend Mike Godwin in 1990 created “Godwin’s Law,” which states:

As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.

The concept of Reductio Ad Hitlerum applies to offline discussions as well. This political season, both major parties and their affiliated PACs (political attack committees) have been accused of “The Big Lie,” a principle first described by, yes, Adolph Hitler. In Mein Kampf, Hitler wrote that:

. . .  in the big lie there is always a certain force of credibility; because the broad masses of a nation are always more easily corrupted in the deeper strata of their emotional nature than consciously or voluntarily; and thus in the primitive simplicity of their minds they more readily fall victims to the big lie than the small lie, since they themselves often tell small lies in little matters but would be ashamed to resort to large-scale falsehoods. It would never come into their heads to fabricate colossal untruths, and they would not believe that others could have the impudence to distort the truth so infamously. Even though the facts which prove this to be so may be brought clearly to their minds, they will still doubt and waver and will continue to think that there may be some other explanation. For the grossly impudent lie always leaves traces behind it, even after it has been nailed down, a fact which is known to all expert liars in this world and to all who conspire together in the art of lying.

(Hitler was employing the logic of Reductio Ad Judaeus; in any prolonged discussion by anti-Semites, the probability of blaming everything on the Jews approaches 1.)

Hitler’s propagandist Hermann Goebbels, perhaps believing that Winston Churchill was Jewish, applied the Big Lie to the British:

The essential English leadership secret does not depend on particular intelligence. Rather, it depends on a remarkably stupid thick-headedness. The English follow the principle that when one lies, one should lie big, and stick to it. They keep up their lies, even at the risk of looking ridiculous.

Some say this quadrennial presidential campaign is disappointing, focusing too much on negative personal attacks rather than serious discussions about important issues.

George Friedman, a political scientist and chief executive of the open-source intelligence agency Stratfor, puts things in historical perspective:

Thomas Jefferson’s campaign said of John Adams that he had a “hideous hermaphroditical character, which has neither the force and firmness of a man, nor the gentleness and sensibility of a woman.” Adams’ campaign stated that Jefferson was “a mean-spirited, low-lived fellow, the son of a half-breed Indian squaw sired by a Virginia mulatto father.” And Jefferson and Adams were friends.

 

Every email you send and receive. Every phone call. Every text message. Every search query you make online. Facebook. Twitter. Your entire Web browsing history.

The British government has formally proposed a nationwide surveillance law that would allow the law enforcement officials to monitor and keep records on every citizen’s daily use of digital communications.

Oops, strike that. It’s not just digital. The draft legislation would also allow government officials to log the addresses of every piece of physical mail you send or receive. (Apparently the British government believes the handful of senior citizens who still send and receive snail mail are worthy of surveillance.)

I’m not making this up. Here’s the story, courtesy The Associated Press. A quote:

Home Office Secretary Theresa May said in an editorial published ahead of the bill’s unveiling that only evil-doers should be frightened.

“Our proposals are sensible and limited,” she wrote in The Sun, the country’s top-selling daily. “They will give the police and some other agencies access to data about online communications to tackle crime, exactly as they do now with mobile phone calls and texts. Unless you are a criminal, then you’ve nothing to worry about from this new law.”

The proposals are not sensible and limited. The proposed law treats every citizen as a potential criminal.

Home Secretary May told The Sun:

“I just don’t understand why some people might criticise these proposals. I have no doubt conspiracy theorists will come up with some ridiculous claims about how these measures are an infringement of freedom. But without changing the law, the only freedom we would protect is that of criminals, terrorists and paedophiles…”

I am gobsmacked that the birthplace of the Magna Carta would seriously propose this, on top of the nearly ubiquitous video surveillance cameras that bristle along England’s streets and public places.

The really scary thing: It could pass. And worse, it will probably inspire some idiot lawmaker in the former colonies to propose warrantless wiretaps and online monitoring.

Oh, wait, it already has.

UPDATE: July 2012 — Federal, state, and local law enforcement made 1.3 million requests for cell phone records to wireless carriers in 2011, according to figures provided to Congressman Edward J. Markey of Massachusetts by nine wireless carriers in the United States. (This number does not include T-Mobile, the nation’s fourth-largest carrier, because the company did not provide the requested information.)

Information shared with law enforcement includes such data as geolocation information — your mobile phone is a tracking device — and the content of text messages. Requests also include “cell tower dumps” in which carriers provide all the phones numbers of cell users who connect with a tower during a certain period of time. Is your phone usage included in the cell tower dumps? You bet. Have you done anything wrong? Probably not.  Did the searches require a court-approved warrant? Nope. But now the government has the data on your movements. Does it store that information? The government isn’t saying.