The development of the internet as an international medium for mass communication has enabled forces for good that were unimaginable before, and has also given previously unimaginable tools to criminals.
Attackers use rifles to attack major targets, but what doesn’t get much publicity is they also use shotguns against smaller targets. A big haul like Equifax or Colonial Pipeline is great, but so is a large number of small hauls. You don’t hear much about those attacks, but they’re common and can be a lot more painful to recover from than Equifax getting an insignificant slap on the wrist and its CEO being allowed to “retire” with a measly $90 million gift his first year out the door and eight-figure annual ongoing benefits for his approval of the inexcusable negligence that enabled that attack. The rest of us? 60% of attacked small businesses are gone within six months.
You can protect yourself from most attacks by simply being conscientious with passwords, email, and web sites.
Start with passwords. If I know or can guess your password, I can do anything you can do with it.
- If your password is 123456, password, or qwerty, so are millions more. And p@ssw0rd isn’t much better. The easiest way to break into a system is for a “bot” (short for robot) to try 100 or 1000 of the most commonly used passwords and either score or move on. Google “common passwords” to see some of them. The chance of getting hacked that way is greater than you might think.
- Do not use your personal or business partner’s name, kid’s name, parent’s name, pet’s name, your favorite team or show, a sport or musical instrument you play, a social media nickname, or anything else that’s well-known about you. That could be guessable by more people than you might think, including some with less than honorable intentions.
- A good password is one you can remember but others can't guess and is not a word in a proper language or slang dictionary. Maybe an old school friend's initials and house or phone number? Maybe the first letters of the words of a line in the middle of an obscure song or show you like? A phrase of unrelated words is long to type but easy to remember and hard to guess. Have fun thinking of something you can remember that only you know.
- It’s not too dangerous to use the same password on low value sites, but unique passwords are in order for high value sites. If someone gets your Facebook password, what happens if your bank account has the same password?
- Some sites require you to change your password more frequently than necessary. That's overkill in most cases, but you can't argue with them. What's critical is that if one of your passwords gets compromised, you immediately change it everywhere it's used.
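As an added illustration, not part of the original article, here is a screening check that applies the points above before a password is accepted: it catches the common ones even when dressed up with look-alike characters or trailing digits, and it rejects anything containing names and other facts that are public about you. The short blocklist, the 12-character minimum and the sample passwords are constructed assumptions.

```python
import re

# Constructed stand-in for a published "common passwords" list; a real
# deployment loads the full list (tens of thousands of entries) from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein", "iloveyou"}

# The usual look-alike substitutions that make p@ssw0rd feel different from
# password without being any different to a bot that tries both.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value; the article gives no number


def candidates(password):
    """All the forms a bot would try for this password: as typed, with
    look-alike characters undone, and with leading/trailing digits and
    symbols stripped (password1!, 2024qwerty)."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, core, lowered.translate(LEET_MAP), core.translate(LEET_MAP)}
    forms.discard("")
    return forms


def screen_password(password, personal_terms=()):
    """Return the reasons a password should be rejected; an empty list means
    it passed every check in the list above."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if candidates(password) & COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    normalized = password.lower().translate(LEET_MAP)
    for term in personal_terms:  # names, pets, teams: anything public about you
        t = term.lower()
        if len(t) >= 3 and (t in password.lower() or t in normalized):
            reasons.append("contains personal term '%s'" % term)
    return reasons


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Qwerty2024!", "Fluffy!Bears#77", "purple tractor sings quietly"):
        print(pw, "->", screen_password(pw, personal_terms=["Fluffy", "Cubs"]) or "ok")
```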
A very common and very destructive attack today is “ransomware.” Criminals get you to click a link or open an attachment that downloads and runs a program that “encrypts” your files, making them unreadable. While they're at it, they might be harvesting valuable customer and personal information from your files for sale on "The Dark Web." If you send them the ransom they demand, they send you the “key” that will allow you to “decrypt” your files, making them once again readable, and destroy the data that they harvested. Or so you hope.
- Back in 2018, a spectacular attack on Equifax was made possible only by their negligence. A serious vulnerability in a third-party software package that they were using was discovered and fixed in March. By May, Equifax certainly knew about it, but still couldn't be bothered to patch it. Criminals looking for delinquent high-value web sites found Equifax and got lucky, stealing sensitive personal data of 140+ million Americans who were not even their customers. The US Consumer Financial Protection Bureau let Equifax off easy, and the Department of Justice eventually indicted a few members of the Chinese military for that attack. Do you think the Chinese government responded?
- It keeps going. 2021 brought among many others the Colonial Pipeline attack. Originating in Houston and supplying 45% of all fuel consumed on the East Coast, that attack shut down operations for days and created a regional emergency declaration for 17 states and the District.
- You might not have heard about the December 11, 2021 attack on Kronos, the provider of workforce management services including payroll for governmental operations, hospitals, major corporations, hotels, and others, unless you didn't get a paycheck. Suddenly thousands of their clients were forced to do manual recording of timesheets and write paper paychecks. Two hospital employees received paychecks of 75 cents and 86 cents. One employee who usually works 60 hours has been getting paid for 40. And lots more. That will all be made up, but meanwhile, some can't pay their rent, some courts accept no excuses for late child support payments, etc. Kronos said service would be back up by the end of January. It wasn't.
- Countless individuals and businesses of all sizes continue to suffer such attacks. Some recover from appropriate backups, some pay the ransom, and some suffer serious consequences, including going out of business.
Most such attacks can be stopped before they begin by not clicking a link or opening an attachment. A naïve or careless user can let one in, and occasionally a direct attack gets past a computer's firewall and anti-virus and takes off without needing any cooperation from a user. Some victims pay the ransom, some recover lost files from backups, and some go out of business even when the files are recovered.
Unsolicited email - “spam” and “phishing”
With unsolicited computer-to-computer attacks getting harder to pull off as software quality and defensive technologies improve, criminals' easiest entry is via unsolicited email called “spam” that takes advantage of naïve and careless users. Counterfeit spam that looks like something legitimate from someone you know or a company you do business with but is up to no good is called “phishing.”
Some is sent to sucker you into a scam, and some is sent to run attack software on your computer. It enables the modern day implementation of what's been going on ever since the serpent tricked Eve.
A few important facts about email:
- Underground services can send millions of spam emails for very low cost. Even if only 1/10 of 1% of the recipients fall for it, that's 1,000 suckers per million sent, a nice rate of return.
- It might not be from whom it says it's from. The actual sender can forge any name and address in the From line. Your sister? Maybe not. Your bank? Definitely not. The IRS? No way!
- What you see as a link on a web page or email might be a lie. You see
but it might actually go to in Russia or to some other criminal with a numeric IP address with no name in some other country with flexible law enforcement.
- Your bank or a merchant says your account has been locked, suspended, or disabled. Or there is suspicious activity on your account. Click the link and you’ll go to an impostor site that gets your username and password and then goes to the real web site while you don’t even know you’ve been had.
- Likewise, any email solicitation for personal information is most likely for criminals to rob you directly or to sell to other criminals. That's called identity theft. Whether they get it 140+ million at once like from Equifax or one at a time from phishing email, they can use it to steal.
- Spam detectors do a generally good job, but they sometimes get beaten and they sometimes block good email. The latter are called "false positives."
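The link trick described above, as an added example that is not part of the original article: a check that parses an HTML message body and flags links whose visible text names one site while the real target goes somewhere else, or goes to a bare numeric address. The sample message body and the example.com/example.net names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "your account has been locked" message body.
SAMPLE_EMAIL = """<p>Your account has been locked.</p>
<a href="http://198.51.100.7/login">Restore access</a>
<a href="https://secure-login.example.net/bank">https://www.bank.example.com/</a>
<a href="https://www.bank.example.com/help">bank.example.com</a>"""
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?")
NUMERIC_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased; '' if it has none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def site(host):
    # Last two labels only (www.bank.example.com -> example.com). Assumption:
    # no public-suffix list, so bank.co.uk-style names need a real one.
    return ".".join(host.strip(".").split(".")[-2:])

def suspicious_links(html):
    """Flag text/href site mismatches and bare numeric IP targets."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        real = host_of(href)
        if NUMERIC_IP.fullmatch(real):
            findings.append((text, href, "target is a numeric IP address"))
        elif LOOKS_LIKE_URL.fullmatch(text.lower()) and site(host_of(text)) != site(real):
            findings.append((text, href, "text shows %s, link goes to %s" % (host_of(text), real)))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the first two links and leaves the third alone, since its text and target are the same site.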
The advice the old Chicago News Bureau gave to young reporters is in order when dealing with email: “If your mother tells you she loves you, check it out.” Just as you throw junk paper mail straight into the blue can, feel free to hit the Delete button as soon as you recognize junk email.
Other attacks on your computer
Ransomware is the current most destructive attack, but there are others. Once you click an evil link or open an evil attachment, it might run attack software that gets past your anti-virus. Once running, it can turn your computer into a “bot” (short for robot) sending out spam, or trying to break into accounts with commonly-used passwords, or posting fake news on social media, or many other kinds of aggression. Or it could go after you personally, watching everything you type to harvest accounts and passwords, or your customer or accounting data, or…
There are plenty of low-tech scams. Click here for bargain or performance-enhancing pharmaceuticals? Counterfeit packaging is easy to make. You have no idea what listed ingredients, impurities, and outright poisons are actually in them. Unsolicited stock tips are usually to get you to make a high risk or totally worthless investment. Your friend lost his wallet in some far-away country and needs you to wire him some money that he'll pay back as soon as he returns? You won Real Money in an overseas lottery that you never played? Nice Russian girls want to meet you? If you don't respond, they can't rob you.
Just say no
The best way to handle spam is simply to delete it. Don't bother putting the sender into a bad guy list. The name and address are probably generated at random and used only once each. Odds are good you'll never get another from that phony sender.
- If you get any email, suspicious or not, from any financial institution or retailer, do not click the link or open any attachment(s). If you think it might be legitimate, call them on the phone or open a new browser window and log in the way you normally do. Do not type a web address shown in the email if it differs from your usual one, as it could be trouble.
- If you're not expecting a note with an attachment, or a note with an attachment is the least bit suspicious, call or text (don't email) the sender and ask if it's real. If you don't know the sender, don't open it.
- Spam often comes with an Unsubscribe link. Don't hit it! That will validate your email address, which will allow the spammer to sell it to other spammers at a premium price. Just delete the message.
- On the other hand, legitimate newsletters and business mailings have Unsubscribe links at the bottom. If you're not interested in a legitimate mailing, go ahead and hit Unsubscribe.
Evil and compromised web sites are also a common entry point for destructive software.
- Tacky web sites sometimes download attack software along with their main content. You’re safe on the major celebrity magazines’ web sites, but not on the individual sites of the scumbag paparazzi who stalk the pop tarts du jour. Stay off them, along with gambling, drugs, and obviously, naughty web sites and any involved in illegal activity.
- Legitimate web sites try to be safe; they don’t want to alienate their visitors. However, those that display ads, including Google, despite efforts to be safe, sometimes display ads called “malvertising” that go where you don’t want to go or load attack software onto your computer. Be careful of any ads.
- Sometimes legitimate web sites get compromised, where criminals manage to sneak their own stuff onto a good site. The owners usually find and remove it in short order, but once in a while criminals can get you from a legitimate site.
You’ve been attacked!
Despite (or maybe because of) how you operate, a piece of attack software could show up on your computer. Do not shut down from Windows or hit the power button. A proper Windows shutdown could allow a piece of attack software to install itself. Try to remember what you saw on the screen and immediately yank the power cord or remove the battery. Wait half a minute, plug it back in, and restart. If it seems to be clean, run a full anti-virus scan. If not, quickly yank the power cord or battery again and call a professional.