The development of the internet as an international medium for mass communication has enabled forces for good that were unimaginable before, and has also given previously unimaginable tools to criminals.
Attackers aim rifles at major targets, but what gets far less publicity is that they also fire shotguns at small ones. A big haul like Equifax or Marriott is great for them, but so is a large number of small hauls. You don’t hear much about those attacks, yet they are common and can be far more painful to recover from than Equifax’s insignificant slap on the wrist, after which its CEO was allowed to “retire” with a reported $90 million in his first year out the door and ongoing benefits on top, for approving the negligence that enabled that breach. The rest of us? A widely repeated estimate is that 60% of attacked small businesses are gone within six months.
You can protect yourself from most attacks by simply being conscientious with passwords, email, and web sites.
Start with passwords. If I know or can guess your password, I can do anything you can do with it.
- If your password is 123456, password, or qwerty, so are millions of others, and p@ssw0rd isn’t much better: every cracking tool tries those letter-for-symbol swaps automatically. The easiest way to break into accounts is for a “bot” (short for robot) to try the 100 or 1,000 most commonly used passwords against each account and either score or move on. Google “common passwords” to see some of them. The chance of getting hacked that way is greater than you might think.
- Do not use your personal or business partner’s name, kid’s name, parent’s name, pet’s name, your favorite team or show, a sport or musical instrument you play, a social media nickname, or anything else that’s well-known about you. That could be guessable by more people than you might think, including some with less than honorable intentions.
- A good password is one you can remember but others can’t guess, and that isn’t a word or phrase from any dictionary, including slang. Length counts for more than clever symbols: a long passphrase beats a short word with a digit bolted on. Maybe an old school friend’s initials and house or phone number? Maybe the first letters of the words of a line from the middle of an obscure song or show you like? Have fun thinking of something you can remember that only you know.
- Reusing one password across several low-value sites is a risk you may choose to accept, but know what you are accepting: when any one of those sites is breached, criminals feed the leaked password into automated login attempts at every other site, so the reused password is only as safe as the sloppiest site that holds it. High-value sites need unique passwords, no exceptions. If someone gets your Facebook password, what happens if your bank account has the same one? If you can’t remember more than a few hard-to-guess passwords, use a password manager. See PC Magazine’s review of their favorites.
- Some sites require you to change your password more often than necessary. That’s overkill in most cases, but you can’t argue with them. What is critical: if one of your passwords is compromised, change it immediately everywhere it is used.
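As an added illustration (not part of the original article), here is the kind of check a sign-up form could run to enforce the points above: it undoes the p@ssw0rd-style substitutions and trailing digits that a cracking bot tries automatically, compares the result against a short constructed stand-in for the common-password list, and refuses anything built from names an attacker could look up. The list, the substitution table and the sample names are assumptions for the demo, not data from the article.

```python
import re

# Constructed stand-in for the list a bot tries first (assumption: a real
# checker loads the top 10,000 or more from a published breach corpus).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111", "letmein",
    "iloveyou", "football", "welcome", "admin", "monkey", "dragon",
}

# The substitutions people think make a password clever. Bots apply every
# one of them before testing the common list, so we do the same.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def variants(pw):
    """Forms of pw a cracker would test: lowercased, trailing digits and
    punctuation stripped (Password123! -> password), and leet undone."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def check_password(pw, personal_terms=(), min_len=12):
    """Return a list of reasons pw is weak; an empty list means it passed.
    personal_terms: names, teams, pets, anything public about the user."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    forms = variants(pw)
    if forms & COMMON_PASSWORDS:
        problems.append("common")
    for term in personal_terms:
        t = term.lower()
        # Below four characters a substring match means nothing.
        if len(t) >= 4 and any(t in form for form in forms):
            problems.append(f"personal:{t}")
    return problems


if __name__ == "__main__":
    # Sample personal facts for a hypothetical user (constructed).
    me = ["Fluffy", "Cubs", "Jennifer", "Springfield"]
    for candidate in ["p@ssw0rd", "Password123!", "Fluffy2010",
                      "GoCubs!", "tfotwoaliabmc!71"]:
        print(f"{candidate:18} {check_password(candidate, me) or 'ok'}")
```

The last candidate is the article’s own recipe, first letters of a song line plus a number, and it is the only one that passes: long enough, not on the list in any of its forms, and containing none of the user’s public facts.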
Unsolicited email - “spam” and “phishing”
With direct computer-to-computer attacks getting harder to pull off as software quality and defensive technologies improve, criminals’ easiest way in is unsolicited email, “spam,” that takes advantage of naïve or careless users. Spam crafted to look like a legitimate message from someone you know or a company you do business with, but that is up to no good, is called “phishing.”
Some of it is sent to sucker you into a scam, and some to run attack software on your computer. It is the modern implementation of what has been going on ever since the serpent tricked Eve.
A few important facts about email:
- Underground services will send millions of spam emails for very little money. Even if only one tenth of one percent of recipients fall for it, that’s 1,000 victims per million sent, a fine rate of return.
- It might not be from whom it says it’s from. The sender can put any name and address in the From line. Mail systems have checks that can catch some forgeries, but they are not applied everywhere and do nothing about a lookalike address that merely resembles the real one. Your sister? Maybe not. Your bank? Definitely not. The IRS? No way!
- What you see as a link on a web page or in an email might be a lie. The text you see can say one thing while the link underneath points somewhere else entirely: a server in Russia, or a bare numeric address with no name at all in some other country with flexible law enforcement. Hovering over a link (without clicking) shows where it really goes.
- Spam filters do a generally good job, but they sometimes get beaten, and they sometimes block good email. The latter is called a “false positive.”
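As an added example, not part of the original article, the script below applies two of the checks from this list to a message: it compares the domain in the From line with the domain the message actually came back from (the Return-Path), and it parses every link in the HTML body to see whether the text you would see matches where the link really goes, flagging bare numeric addresses and lookalike hosts. The message is constructed for the demonstration using reserved example domains and the documentation address 203.0.113.7; the two-label rule for a site’s registered domain is a simplification that a real tool would replace with the public-suffix list.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email). The From line claims to be
# a bank; the envelope sender and two of the three links say otherwise.
RAW_MESSAGE = b"""Return-Path: <bounce-8821@mail-relay.example.net>
From: "First National Bank" <alerts@firstnational.example>
To: victim@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Please verify your identity:</p>
<p><a href="http://203.0.113.7/login">https://www.firstnational.example/secure</a></p>
<p><a href="https://firstnational.example.account-verify.ru/x">Verify now</a></p>
<p><a href="https://www.firstnational.example/help">https://www.firstnational.example/help</a></p>
</body></html>
"""

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lowercased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should use the public-suffix list (co.uk and friends).
    return ".".join(host.split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return a list of human-readable findings; empty means nothing odd."""
    msg = email.message_from_bytes(raw)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = registered_domain(from_addr.rsplit("@", 1)[-1].lower())
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    if envelope:
        env_domain = registered_domain(envelope.rsplit("@", 1)[-1].lower())
        # Mailing lists and some providers legitimately differ here, so this
        # is a signal to weigh, not proof of forgery on its own.
        if env_domain != from_domain:
            findings.append(f"From claims {from_domain} but envelope sender is {env_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if is_ip(target):
            findings.append(f"link '{text}' goes to a bare IP address {target}")
            continue
        target_domain = registered_domain(target)
        if LOOKS_LIKE_URL.match(text) and registered_domain(host_of(text)) != target_domain:
            findings.append(f"link text shows {host_of(text)} but goes to {target}")
        elif from_domain in target and target_domain != from_domain:
            findings.append(f"lookalike host {target} is not {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("WARNING:", finding)
```

Run against the sample it reports three things: the envelope sender is not the bank, the first link shows the bank’s address but goes to a numeric one, and the second link’s host only contains the bank’s name as a decoy in front of a different domain. The third link, where text and target agree, passes. That is the whole lesson of the list above in code: the visible From and the visible link are claims, and the claims are checkable.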
The advice the old City News Bureau of Chicago gave its young reporters applies to email: “If your mother tells you she loves you, check it out.”
A very common and very destructive attack today is “ransomware.” Criminals get you to click a link or open an attachment that downloads and runs a program that “encrypts” your files, making them unreadable, and if you send them the ransom they demand, they send you the “key” that will allow you to “decrypt” your files, making them once again readable. Or so you hope.
- You might remember the May 2017 attack called “WannaCry” that took out 200,000+ computers in 150+ countries, most notably the UK’s National Health Service, forcing some hospitals to redirect incoming ambulances to other facilities. It got many others around the world, including many in the US. WannaCry spread by itself from one unpatched Windows computer to the next over the network, so most victims never clicked anything; the fix for the flaw it used had been available for two months. Similar attacks are still going strong. That’s ransomware.
- In February 2016 a major Los Angeles hospital paid 40 Bitcoin, then worth about $17,000, to get its data back. The data had not been backed up anywhere it could be restored from.
- It keeps coming. March 2018 the city of Atlanta got hit, leaving residents unable to pay water bills or parking tickets, police filling out reports on paper, and more for longer than a week. Fortunately, 911, fire, and the airport were not hit. The mayor admitted cybersecurity had not been a priority before the attack. Recovery cost more than $10 million.
- Countless individuals and businesses of all sizes continue to suffer such attacks. Some recover from appropriate backups, some pay the ransom, and some suffer serious consequences, including going out of business.
Most such attacks can be stopped before they begin by not clicking the link or opening the attachment. A naïve or careless user lets it in; occasionally a direct attack gets past a computer’s firewall and anti-virus and takes off without any help from a user, which is why keeping software patched and keeping a backup the attacker can’t reach matter as much as caution. The well-prepared restore from backup without serious inconvenience.
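Added example, not from the original article: the one technical fact above, that ransomware turns your files into ciphertext, is also what lets a monitor notice an encryption run while it is happening. Ordinary documents carry a few bits of information per byte; the output of a real cipher is nearly flat at eight. The script measures that (Shannon entropy) over the first few kilobytes of each file and raises an alarm when a large share of a folder suddenly reads as ciphertext with an unfamiliar extension. The sample folder, the list of legitimately compressed file types, the 7.5-bit threshold and the 40% alarm ratio are assumptions for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types that are legitimately compressed or encrypted and therefore
# look random even when healthy (assumption: extend for your environment).
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}


def shannon_entropy(data):
    """Bits of information per byte, 0 to 8. Text and office documents sit
    around 4 to 6; output of a real cipher is flat at just under 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, threshold=7.5, sample_bytes=4096):
    """Return (files_seen, suspicious_paths) for every regular file under
    root. Only the first sample_bytes of each file are read, so it is cheap."""
    suspicious = []
    seen = 0
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        seen += 1
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if (shannon_entropy(head) >= threshold
                and path.suffix.lower() not in KNOWN_HIGH_ENTROPY):
            suspicious.append(path)
    return seen, suspicious


def looks_like_ransomware(root, ratio=0.4):
    """Heuristic: a large fraction of ordinary files suddenly reading as
    ciphertext, usually with an unfamiliar extension tacked on, is the
    signature of an encryption run in progress. One odd file is not."""
    seen, suspicious = scan_tree(root)
    return seen > 0 and len(suspicious) / seen >= ratio


def make_sample_tree():
    """Constructed sample: ordinary documents, one legitimately compressed
    image, and five files already 'encrypted' (random bytes standing in
    for ciphertext, renamed with the attacker's .locked extension)."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    text = ("Invoice 2019-03: net 30 days. Thank you for your business.\n" * 40).encode()
    for name in ["invoice.txt", "notes.txt", "letter.doc", "ledger.csv"]:
        (root / name).write_bytes(text)
    (root / "photo.png").write_bytes(os.urandom(4096))
    for name in ["budget.xlsx.locked", "contract.docx.locked",
                 "customers.csv.locked", "payroll.txt.locked",
                 "photos-2018.zip.locked"]:
        (root / name).write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    demo = make_sample_tree()
    seen, suspicious = scan_tree(demo)
    print(f"{len(suspicious)} of {seen} files look encrypted; "
          f"ransomware? {looks_like_ransomware(demo)}")
    for p in suspicious:
        print("  ", p.name)
```

The exclusion list is the important caveat: a folder of photos or ZIP archives is high-entropy by nature, so the check keys on files that should be readable and are not, rather than on entropy alone. Real endpoint tools add the rate of change (hundreds of files rewritten in seconds) and the ransom note that appears alongside them.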
Phishing for your money
Beyond delivering ransomware and other attack software, phishing yields excellent results for many other scams.
- Your bank or a merchant says your account has been locked, suspended, or disabled, or that there is suspicious activity on it. Click the link and you land on an impostor site that captures your username and password and then forwards you to the real site, so you don’t even know you’ve been had.
- Likewise, any email solicitation for personal information is most likely from criminals who will use it to rob you directly or sell it to other criminals. That’s identity theft. Whether they get it 143 million records at a time, as from Equifax, or one at a time from phishing email, they use it to steal.
Those and countless others might be ordinary come-ons hoping to get unearned money out of you, or they might be invitations to get you to allow them to attack your computer, your bank account, or other valuable resources. Just as you throw junk paper mail straight into the blue can, feel free to hit the Delete button as soon as you recognize junk email.
Other attacks on your computer
Ransomware is currently the most destructive attack, but there are others. Once you click an evil link or open an evil attachment, it might run attack software that gets past your anti-virus. Once running, it can turn your computer into a bot that sends spam, tries commonly used passwords against other people’s accounts, posts fake news on social media, or commits many other kinds of aggression. Or it could go after you personally, recording everything you type to harvest accounts and passwords, or your customer or accounting data, or…
There are plenty of low-tech scams. Click here for bargain or performance-enhancing pharmaceuticals? Counterfeit packaging is easy to make. You have no idea what listed ingredients, impurities, and outright poisons are actually in them. Unsolicited stock tips are usually to get you to make a high risk or totally worthless investment. Your friend lost his wallet in some far-away country and needs you to wire him some money that he'll pay back as soon as he returns? You won Real Money in an overseas lottery that you never played? Nice Russian girls want to meet you? If you don't respond, they can't rob you.
Just say no
The best way to handle spam is simply to delete it. Don’t bother adding the sender to a blocked-senders list; the name and address were probably generated at random and used once. Odds are good you’ll never get another from that phony sender.
- If you get any email, suspicious or not, from any financial institution or retailer, do not click the link or open any attachment. If you think it might be legitimate, call them on the phone, or open a new browser window and log in the way you normally do. Do not type a web address shown in the email if it differs from your usual one; that is exactly how the impostor site gets you.
- If you are not expecting a note with an attachment, or a note with an attachment is the least bit suspicious, call or text the sender and ask if it’s real. Don’t ask by replying to the email, since the reply goes to whoever actually sent it. If you don’t know the sender, don’t open it.
- Spam often comes with an Unsubscribe link. Don’t click it. That confirms your address is live and read by a human, which lets the spammer sell it to other spammers at a premium. Just delete the message.
- On the other hand, legitimate newsletters and business mailings have Unsubscribe links at the bottom. If you're not interested in a legitimate mailing, go ahead and hit Unsubscribe.
Evil and compromised web sites are also a common entry point for destructive software.
- Tacky web sites sometimes deliver attack software along with their main content. You’re reasonably safe on the major celebrity magazines’ web sites, but not on the individual sites of the paparazzi who stalk the celebrities du jour. Stay off them, along with gambling, drug, and obviously naughty web sites and anything involved in illegal activity.
- Legitimate web sites try to be safe; they don’t want to alienate their visitors. But sites that show ads from an ad network, Google’s included, sometimes display “malvertising” despite their efforts: ads that send you where you don’t want to go or load attack software onto your computer. Be careful with any ad, and keep your browser up to date, because malvertising mostly works by exploiting out-of-date browsers and plug-ins.
- Sometimes legitimate web sites get compromised, where criminals manage to sneak their own stuff onto a good site. The owners usually find and remove such in short order, but once in a while criminals can get you from a legitimate site.
You’ve been attacked!
Despite (or maybe because of) how you operate, a piece of attack software could show up on your computer. First, cut it off from the network: unplug the network cable or turn off Wi-Fi so it can’t spread to other machines or fetch instructions. Try to remember exactly what you saw on the screen. Do not shut down from Windows; a normal shutdown gives a running program time to finish its work and make itself permanent. If files are visibly being scrambled or you can’t stop the program, pulling the power cord or removing the battery halts it cold. Know the trade-off: a hard stop loses whatever was in memory, which a professional might have used to identify the attack or recover a key, and it can corrupt files that were being written. Afterwards, do not just plug back in and carry on. If the machine seems clean, run a full anti-virus scan before you trust it; if anything still looks wrong, cut the power again and call a professional.