Scammers' Eyes are Smilin'  

New phone, computer and email scams are popping up every day - heck, several times a day. Below are some of the more daring nets perpetrators are casting out there in the hopes of catching a few unsuspecting individuals.

Phone    

In the Midwest (and probably beyond), crooks are calling people (often the elderly and those who have English as a second language) and small- to medium-sized businesses and demanding utility payment for unpaid bills. They then ask for the person's credit or prepaid card number. You can see many instances of this online.  

In an increasingly frequent calling scam, bad guys pretend to be from Microsoft. They claim to be calling to help victims remove malware from their computers. They convince the person to navigate to a website, which actually loads (not removes!) real malware. Victims have also had their files and personal information stolen by these scammers. I wrote about my own experience with this in 2011. 

Computer

Nearly all Linksys routers of the E product variety are at risk, according to Ars Technica. A worm infects Linksys routers with self-replicating malware, which is a virus that spreads by scanning the Internet for other vulnerable devices. Nicknamed "The Moon," the malware can only work if router owners have enabled the Remote Management Access feature. If you own one of these older model routers, check to be sure you have disabled this feature, as advised by my Facebook friend Joseph Shook.

Email    

Spam emails that claim to be from state judicial branches or court officials are convincing recipients around the country to click on malicious hyperlinks. The emails state that a complaint was received, court ordered restitution is due or a trial date is set. Some even ask for money, Social Security Numbers or direct the recipient to download a document. If you receive something similar, do not open, reply or click on any links. Call a court official (at a phone number you locate on your own) to investigate if you have any reason to believe it could be legitimate.

Truly a new low in phishing scams are emails from crime rings posing as funeral homes. The emails carry the subject line "Funeral notification" and invites victims to click on links for more information about the upcoming "celebration of your friend's life service." Of course those links don't lead to a real obituary or announcement; they send the recipient to a domain, typically outside the U.S., where the scammers download malware to the victim's computer. Below is an image of the one I received earlier this month:

Loss of data to a thief is one thing; loss of it from your own negligence is quite another. We are all so dependent on technology for the safekeeping of our photos, videos, communication and files, that we sometimes forget it's an imperfect system.

In addition to death and taxes, there is one other certainty in life: Hard-drive failure. I should know; it just happened to me.

For as long as I can remember, I've performed both system and file backups every week consistently. What I didn't realize was that the hard drive on which I was making those backups was about to crash. The result? I lost months' worth of files and emails, all in a flash. The backups I had made while the hard drive had already started to fail, unbeknownst to me, were not usable.

To keep this from happening to you, realize that making backups to a hard drive simply isn't enough. First, test those backups at least monthly to be sure they have actually been made and that the files are healthy, not corrupted by a broken piece of hardware that you may not yet know about. Second, back up your most important files to a system independent of your computer. This could be an external hard drive, a series of thumb drives that you then store in a safe-deposit box or a secure cloud provider, such as CrashPlan or Backblaze.

One word of caution about cloud-based services, however. Check to be sure the provider uses strong encryption and take a read through their privacy policy just to be sure your information stays behind closed doors. Also keep in mind that any time you put your files in the hands of a provider, they may be vulnerable to hackers and/or subject to review by government or law enforcement agencies.  

Doonagore castle near Doolin, Co. Clare, Ireland

 

 

Smart Appliances Get Up to Mischief

Thanks to rapid innovation, our lives are getting easier. But there is a price to be paid. The Internet of Things is creeping into the average lives of consumers in unexpected ways, creating new vulnerabilities even in what was once the safety of our own homes.  

Each of the below developments has been built to automatically collect data about users and send that data to others. The developers insist this data is being used to enhance the consumer experience in some way; but what they don't often reveal is all the ways that data is being used to help them make money or achieve some other objective.  

Take a look at these examples and think twice before you volunteer your personal information by purchasing one of these "smart" products.

• LG markets a fridge that sends a text when the milk runs out, and this article says experts have long warned such a gadget is an attractive "soft target" for hackers. In fact, in one recent attack on 100,000 smart gadgets, 750,000 spam emails were sent to their owners.      
• Google's smart contact lenses check in and report on your health, monitoring things like gluclose levels in your tears. One commenter's question was intended to be sarcastic, but in every joke there is a grain of truth. He asked: Will it send the wearer's glucose levels directly to the NSA or does that only happen after the contact lens syncs with Google's cloud? The fact is, if the lenses can report glucose levels, it is also technically possible to program them to report on many other types of activities, as well as more of your body contents and characteristics.      
• Wearables devices monitor physical activity and connect wirelessly to online services charged with collecting data on the wearer. If insurance companies were able to collect and use this data for their underwriting purposes (which now let employers charge employees different health insurance rates based on whether they exercise, eat right or make healthy choices), these devices could spell disaster for insurance costs... not to mention the potential impacts if employers, potential employers, family members, etc. obtain the data.      
• Video baby monitors send signals far and wide. To test the vulnerability of these smart gadgets, a Miami TV reporter attached one of these baby-monitor receivers to the dashboard of his car. In just a few minutes, he was able to pick up images of babies and bedrooms. Traditional audio montiors are vulnerable, as well. During the summer of 2013, ABC News reported on a Houston couple who heard cursing and lewd remarks coming from their 2-year-old's baby monitor. It had been hacked.     
• A clip-on camera takes a still image every 30 seconds in an effort to "record your life." How often have you come across a photo of yourself that if taken out of context could cause others to jump to the wrong conclusion (college days, anyone)? Worse, what happens when someone with a clip-on camera enters a public restroom or locker room and takes pictures of people (or children) in various stages of undress?

Privacy Professor on the Road

I love traveling the country to raise awareness of data security and privacy. If you ever have need for a speaker, presenter or workshop host, please get in touch. In the meantime, take a look at the schedule below, and if you'll be in the neighborhood during these events, I hope you'll attend. 

March 4: Giving presentations for the Minnesota State Bar Association "Cybersecurity and Data Privacy in Energy Law" seminar

April 9 & 10: Teaching IAPP CIPP Foundations and CIPM classes in Minneapolis

April 30: Conducting a workshop for the ISACA North America CACS conference in Las Vegas

May 1: Presenting a session about privacy auditing and metrics at the ISACA North America CACS conference in Las Vegas

May 12: Conducting a workshop for Medical Device Security and Privacy at the 10X Medical Device Conference in Minneapolis

May 19: Presenting a HIPAA session at the Long Term Care Solutions Summit

June 16: Providing the keynote about privacy and the Internet of Things at the International Information and Computer Security Conference in Bogot�, Colombia 

You Have My Permission to Share

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.