Friday, December 6, 2019

Background explanation of phishing and spear phishing

The following discussion about "spear-phishing" attacks was copied from a Microsoft blog.  I think it is informative and, since I have seen a number of these when helping people with computers, I think it is important for you to read, even if you are retired.  It will explain how a lot of the phishing emails you get are created so they look like the email is from someone you know and the content of the note has personal or professional information in it.  The article explains the full business model for those who are creating the phishing emails.   How to protect:  Unfortunately, though most full function security suites do have elements that try to protect you from phishing, both via email and through a direct pirating of a web site you are on or a link you click on a valid website, you are still THE DEFENSE against phishing.  Learn the signs of a phishing attack.  Learn how to "get out fast" and "clean up the mess" if you succumb.

Spear phishing campaigns—they’re sharper than you think

December 2, 2019
Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.
Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.
Figure 1 (graph, not reproduced here). Percentage of inbound emails associated with phishing on average increased in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.
How did it happen?
In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:
  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.
In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.
Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.
Figure 2 (infographic of the typical campaign path, from Reconnaissance to Exfiltration, not reproduced here). Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.
How did it happen?
In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.
To execute the spear phishing campaign against the executive, the attackers uncovered the following information:
  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.
Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.
Figure 3 (infographic of the attack spectrum, from Broad to Targeted, not reproduced here). The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have initiated a payload that would take over his computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:
  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:
  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?
  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.
  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.
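As an added illustration (not part of the Microsoft article or the original post), here is a small triage script that scores a message against the four tells listed above. The company domain, the sender directory, the phrase lists and both sample messages are constructed for the example; the phishing sample is modelled on the "CEO in China" wire request described earlier.

```python
import re
from email.utils import parseaddr

# Constructed example data (assumptions, not from the article): the company's
# real mail domain and a small directory of senders the recipient knows.
TRUSTED_DOMAIN = "company.com"
DIRECTORY = {"pat lee": "pat.lee@company.com"}   # display name -> real address

# Tell 2 (urgency + policy bypass), tell 3 (emotive pressure), tell 4 (wording
# that does not match company conventions). Lists are illustrative only.
URGENCY = ("immediately", "urgent", "right away", "asap", "within the hour")
EMOTIVE = ("letting me down", "counting on you", "disappointed")
UNUSUAL_TERMS = ("kindly", "do the needful")
PAYMENT = re.compile(r"\b(wire|transfer|gift cards?|invoice)\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; look-alike domains sit within 1-2 edits of the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_tells(from_header: str) -> list[str]:
    """Tell 1: the address is wrong, or resembles the expected one but is slightly off."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    tells = []
    known = DIRECTORY.get(name.strip().lower())
    if known and addr != known:
        tells.append(f"display name '{name}' but address {addr} differs from directory")
    if domain != TRUSTED_DOMAIN and 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        tells.append(f"look-alike domain {domain} (expected {TRUSTED_DOMAIN})")
    return tells


def triage(msg: dict) -> tuple[int, list[str]]:
    """Score one message (dict with from/subject/body); higher means more suspicious."""
    reasons = sender_tells(msg["from"])
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in URGENCY):
        reasons.append("urgency")
    if any(p in text for p in EMOTIVE):
        reasons.append("emotive pressure")
    if PAYMENT.search(text) and "urgency" in reasons:
        reasons.append("urgent payment request (policy bypass)")
    if any(t in text for t in UNUSUAL_TERMS):
        reasons.append("wording not in company conventions")
    return len(reasons), reasons


# Constructed sample messages modelled on the article's second scenario.
PHISH = {
    "from": "Pat Lee <pat.lee@cornpany.com>",
    "subject": "Urgent - vendor payment",
    "body": "I'm in Shanghai with the vendor. Kindly wire $10,000 immediately, "
            "skip the usual approval, I am counting on you.",
}
LEGIT = {
    "from": "Pat Lee <pat.lee@company.com>",
    "subject": "Q1 planning",
    "body": "Please send me the draft budget by Friday.",
}

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        score, why = triage(m)
        print(label, score, why)
```

A real deployment would feed this from the mail system's reporting queue; here it only shows how each tell translates into a check a user or analyst can apply.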


Monday, November 25, 2019

Battery Life? What does this mean and what can I do about it?

The term "battery life" has two different meanings, and control of "battery life" has two different outcomes depending on the meaning.  To the point, the two meanings of battery life are:

  1. How long does a battery charge last when not being charged (device not plugged in)?
  2. How long does a battery last before it has to be replaced because it no longer holds charge for a reasonable amount of time when the device is not plugged in?
The conflict is:  if you optimize for battery charge life your battery will probably not last as long before you have to buy a new one.  Conversely, if you optimize for length of time before you have to replace the battery, the battery won't last as long between charges.  To distinguish between the two kinds of battery life, I'll call the second kind "battery health."

Why the conflict:  In short, because if you want the battery to last longer before you need a new one, you shouldn't charge the battery to 100%. 

I'll provide some details about the operating system controls for Windows here.  You can do a search for the terms "Extending battery life" and the name of your device or operating system to learn what controls are available for your device to gain some control over how long your battery will last between charges. 

Extending battery life between charges

With that out of the way, there are ways to make a battery last longer between charges.  The controls you have available are pretty much functionally the same between different kinds of devices, but the user interfaces and the number of controls you have available vary by device, by the operating system, and by any extra application you might install to control this kind of battery life.

Windows:  This article explains the operating system controls available:  https://support.microsoft.com/en-us/help/20443/windows-10-battery-saving-tips

Android:  Read this article:  https://www.androidauthority.com/android-battery-saver-tips-tricks-189882/.

Extending battery health

Windows:  There is one control in Windows whose purpose is to maximize battery health:  "Battery Life Extender."  It controls whether or not the battery will be charged to 80% or 100%.  Battery designers say that charging to 80% will extend the life of your lithium battery.  For details on the Windows control see:  https://answers.microsoft.com/en-us/windows/forum/all/why-does-my-laptop-only-charge-up-to-80-and-not/916ea22c-9e36-4b69-a5ef-f91495de4fda.  If you use your laptop mostly plugged in and don't use it on battery for more than 4-5 hours at a time, then you can set this control to 80%.  If you are traveling and you can't be sure how long you will be able to go until the next charge, then set Battery Life Extender to 100%.

Android:  Rather than getting into the details of the operating system controls for battery health, download the app AccuBattery.  It has more tools than you could ever want to monitor the health of your battery.  I haven't found a way to automatically control the maximum charge on a locked Android phone, which is what most people have.  Manually, you can watch the charge and not charge to 100% and occasionally discharge to depletion. 

PS:  If you wish to add the Apple appropriate information, please feel free to use the comment feature of this blog.  

Saturday, July 27, 2019

Equifax breach settlement- is it worth it to participate in the settlement?

If you were impacted by the Equifax data breach, which occurred in 2017, you lost much of your identity information.

(This and other breaches mean your online presence and info such as your SSN is probably somewhere in the process of moving to the dark web to be sold.  Or it will be weaponized by rogue countries or instruments of rogue countries whenever that country wishes.  So, in a way, trying to protect your SSN, for example, by not giving it to a bank or insurance company to receive a claim, is close to pointless.)

A settlement has been reached with the courts regarding this breach and, for most of us, the settlement will mean at least $125 for you if you file a claim.  What you give up by accepting a settlement is the ability to sue if you can show that a loss of identity was caused by the Equifax breach.   Proving this is going to be tough to do.  Plus, most of us, because of other breaches, are already covered by identity protection and identity theft detection by other settlements.  For example, most everyone in South Carolina is covered for a number of years due to a breach of the government databases.  For more information and forms, read this:

Update, 8/1:  This notice was put out today.  It says that there was very little money, compared to what was advertised, set aside for payment of claims. If more people apply for a claim, the amount per claim will be less.  (What a ripoff!)
But there’s a downside to this unexpected number of claims. First, though, the good: all 147 million people can ask for and get free credit monitoring. There’s also the option for people who certify that they already have credit monitoring to claim up to $125 instead. But the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.

Sunday, February 3, 2019

Google+ Letter- what to do.

I've had questions about the following letter some have received from Google.  Go below the letter for my responses.

You've received this email because you have a consumer (personal) Google+ account or you manage a Google+ page.
In December 2018, we announced our decision to shut down Google+ for consumers in April 2019 due to low usage and challenges involved in maintaining a successful product that meets consumers' expectations. We want to thank you for being part of Google+ and provide next steps, including how to download your photos and other content.

On April 2nd, your Google+ account and any Google+ pages you created will be shut down and we will begin deleting content from consumer Google+ accounts. Photos and videos from Google+ in your Album Archive and your Google+ pages will also be deleted. You can download and save your content, just make sure to do so before April. Note that photos and videos backed up in Google Photos will not be deleted.
The process of deleting content from consumer Google+ accounts, Google+ Pages, and Album Archive will take a few months, and content may remain through this time. For example, users may still see parts of their Google+ account via activity log and some consumer Google+ content may remain visible to G Suite users until consumer Google+ is deleted.
As early as February 4th, you will no longer be able to create new Google+ profiles, pages, communities or events.
See the full FAQ for more details and updates leading up to the shutdown.
If you're a Google+ Community owner or moderator, you may download and save your data for your Google+ Community. Starting early March 2019, additional data will be available for download, including author, body, and photos for every community post in a public community. Learn more
If you sign in to sites and apps using the Google+ Sign-in button, these buttons will stop working in the coming weeks but in some cases may be replaced by a Google Sign-in button. You'll still be able to sign in with your Google Account wherever you see Google Sign-in buttons. Learn more
If you've used Google+ for comments on your own or other sites, this feature will be removed from Blogger by February 4th and other sites by March 7th. All your Google+ comments on all sites will be deleted starting April 2, 2019. Learn more
If you're a G Suite customer, Google+ for your G Suite account should remain active. Contact your G Suite administrator for more details. You can also expect a new look and new features soon. Learn more
If you're a developer using Google+ APIs or Google+ Sign-in, click here to see how this will impact you.
From all of us on the Google+ team, thank you for making Google+ such a special place. We are grateful for the talented group of artists, community builders, and thought leaders who made Google+ their home. It would not have been the same without your passion and dedication.
Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to update you about important changes to your Google+ Page, product or account.

So Google+ is a feature that was kind of Google's competitor to Facebook.   Google is deleting this feature set because there are too many problems with the code and security.  

If you got the letter, you do have some information in Google+, even though you might not know anything about Google+.   To see what you have, click on the "download and save" link in the letter and the resulting page will give you the option to see what you have in Google+.  If any of it is of interest to you, then you can download the information.   Then delete your Google+ profile using another link on that page.  Note that Google Photos, which many of us use, is not impacted.  

Tuesday, January 29, 2019

Web site to check if your email address or password has been hacked

The site is https://haveibeenpwned.com/.  There is a tab at the top of the page "Password" to check a password.  In general, if your email has been hacked, then change your password to something long and strong.  You're going to have to go to a password manager to be secure on the internet- you can't manage all your web sites on a sheet of paper.  Read this for background:  https://askleo.com/what-should-i-do-about-the-latest-breach/
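For readers who wonder how the site can check a password without receiving it: its Pwned Passwords lookup uses a k-anonymity range query, in which only the first five hex characters of the password's SHA-1 hash are sent and the matching is done locally. The script below is an added example, not code from the site or this blog; the range response it checks against is constructed so that it runs offline, and the counts in it are made up.

```python
import hashlib
import urllib.request

# Only this many hex characters of the SHA-1 digest ever leave the machine.
PREFIX_LEN = 5
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into (prefix sent, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def count_in_range(password: str, range_body: str) -> int:
    """Match the local suffix against a range response of 'SUFFIX:COUNT' lines.

    Returns how many times the password appeared in known breaches, 0 if absent.
    """
    _, suffix = hash_parts(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Online lookup of one hash bucket (not exercised offline)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full flow: send the prefix, compare suffixes locally."""
    prefix, _ = hash_parts(password)
    return count_in_range(password, fetch_range(prefix))


# Constructed stand-in for the server's bucket for prefix 5BAA6: the real
# suffix of SHA-1("password") plus two made-up suffixes. Counts are invented.
SAMPLE_RANGE = "\r\n".join([
    "A" * 35 + ":7",
    hash_parts("password")[1] + ":42",
    "B" * 35 + ":1",
])

if __name__ == "__main__":
    print("prefix sent:", hash_parts("password")[0])
    print("password seen", count_in_range("password", SAMPLE_RANGE), "times (sample data)")
```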

Tuesday, January 22, 2019

Wireless Mice and Keyboards from Logitech- How to make them work with the receiver dongle

The general rule technical people learn is that a wireless mouse or keyboard or combination that communicates with that little device you plug into a USB port of your computing device- the receiver- will only work between one unique wireless device and its receiver.  This means that if you lose the little receiver, you might as well throw away the mouse or keyboard; they won't work with another receiver. 

This is not true for Logitech devices where the device and the receiver have a small orange asterisk-like symbol on them.  Any such input device can communicate with any such receiver.  In fact, several input devices can simultaneously use the same receiver.  Logitech calls this "Unifying" and devices that can do this are called Unifying devices. 

This might seem like an irrelevant issue to most of you, but my experience is that it is a common problem. 

Logitech has a small application you have to use to pair any such device with a receiver.  It is called Logitech Unifying Multi-Connect Utility.  Find it here:  https://support.logitech.com/en_us/product/unifying/downloads.  This link is for the Windows and Apple versions.  If you have a Unix-based device, then read this article:  https://askubuntu.com/questions/113984/is-logitechs-unifying-receiver-supporteds

I've ripped off some instructions on how to use the app: 

One leave-in wireless receiver connects multiple compatible devices to a notebook computer. The tiny receiver stays in a notebook USB port and pairs with wireless peripherals at the office, at home, and in a laptop bag. Connect to up to six (6) compatible devices without fumbling with cords or multiple receivers. For more information, please visit https://www.logitech.com/unifying. For identification of Unifying products, please look for the Unifying icon on mice or keyboards and wireless receivers. 

Logitech Unifying Multi-Connect Utility: It’s simple and fast to set up devices for the whole office using the Logitech Unifying Multi-Connect Utility designed specifically for the IT professional. Please speak with your reseller to get a copy of the Utility. 

Setup instructions for Logitech Unifying Multi-Connect Utility: 

Step 1 Launch the Logitech Unifying Multi-Connect Utility. 
Step 2 Plug in one Unifying receiver; remove any extra receiver from the USB port. 
Step 3 Click "Configure" to select the number of devices you would like to pair with the Unifying receiver. You can select any combination, up to a total of six (6) devices. 
Step 4 Follow the on-screen instructions. 
Step 5 When finished, click "Exit" when pairing all the devices to the receiver is done. If you would like to pair other Unifying devices to a different receiver, do not exit. Remove the first paired wireless receiver and plug in the next Unifying receiver. Repeat from Step 3. 

Troubleshooting: Clear the receiver. Start over from Step 3. 

Thursday, January 17, 2019

SC Drivers License goes to Federal ID called Real ID

By October of next year (2020) all those who travel or have to relate to federal government entities in person with the requirement to show your ID will need a special new driver's license called Real ID... The DMV calls it the Federal ID when they talk about it.  This means, even if you don't have to renew your license for a while, you should go to the nearest DMV and renew your license, "upgrading" it to Real ID.  This isn't necessary if you don't travel, etc., but most everybody I know will need to do it.  Better now than when the rush comes later this year.  I will be traveling later, and my license will expire just about when I get back, so I got mine.  It took 20 minutes total and $25 with cash or check.  The details are at http://www.scdmvonline.com/Driver-Services/Drivers-License/REAL-ID

Sunday, January 13, 2019

Documenting Poor Quality and Service by Apple

It's a stay-at-home day today, so I thought I would look into improving the performance and generally upgrading some old iPads and iMacs I have been given for the rummage sale this spring.  Hmmm... can't do.  Even though I was able to bring the samples I had up to new factory condition and then run them through upgrades, they still wouldn't upgrade past a certain point.  I know all you Apple fans out there know that this happens... if you have an Apple device that is something like 6 years old it will become a brick because the operating system isn't supported.  Unlike all other computing device manufacturers, it is not possible to replace the Apple operating system with another operating system, some derivative of Linux, the same operating system core platform Apple uses, to extend the life of the device and improve performance. 

Over the years- and I mean couple of decades- I have serviced Apple products, I have received many of the company's devices that had unexplained glitches that made them unusable.  After they had been given up as dead by their owners I would do a postmortem on the machines.  Sometimes I was able to bring them back to life by replacing defective parts.  Other times, I knew what the defective parts were, but it was too difficult to replace the part- the devices were not designed to be repaired, though the original owner had paid those excessive prices for the device in the first place.

A flashback to my experience with computers- I worked on the design of chips for the CPUs that went into all computers and computing devices.  I was on the test teams that devised the tests for the wafers, chips, motherboards, and computers- for 25 years.  Before that, starting 67 years ago, I was designing, building, and programming computers- many from "scratch."  I was also involved in the transfer of the technologies to other countries, with the ultimate manufacturer being some sweatshop in China, with software developed in India.  I saw and could measure the quality going downhill.  After I retired and began servicing computers as a hobby, I experienced first-hand the quality issue of all computing devices.  But Apple is the worst case because it cost so much to begin with and left no "off ramp" to repair or reinvigorate.

Apple products are overpriced and of poor quality- the quality shortcomings seemingly by design.  If you've stuck with me this far, then watch the following Youtube video for proof of my claim:  https://www.youtube.com/watch?v=AUaJ8pDlxi8. (The video is in the list on the right side of this blog page.) The video is 24 minutes long, but it really makes the case I have been trying to make. If I had time, I would make a companion video with my own war stories.
