ebook img

Personal Cybersecurity. How to avoid and recover from Cybercrime PDF

240 Pages·2017·3.07 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Personal Cybersecurity. How to avoid and recover from Cybercrime

PERSONAL CYBERSECURITY HOW TO AVOID AND RECOVER FROM CYBERCRIME Marvin Waschke Personal Cybersecurity: How to Avoid and Recover from Cybercrime Marvin Waschke Bellingham, Washington, USA ISBN-13 (pbk): 978-1-4842-2429-8 ISBN-13 (electronic): 978-1-4842-2430-4 DOI 10.1007/978-1-4842-2430-4 Library of Congress Control Number: 2017930630 Copyright © 2017 by Marvin Waschke This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dis- similar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. Managing Director: Welmoed Spahr Editorial Director: Todd Green Acquisitions Editor: Robert Hutchinson Development Editor: Laura Berendson Coordinating Editor: Rita Fernando Copy Editor: Mary Behr Compositor: SPi Global Indexer: SPi Global Artist: SPi Global Cover Image Designed by Creativeart - Freepik.com Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail Contents About the Author ix Acknowledgments xi Introduction xiii Chapter 1: What’s Biting Us 1 Chapter 2: Why Is Computer Security So Weak? 29 Chapter 3: How Does Computer Security Work? 53 Chapter 4: Your Computer Is a Target 81 Chapter 5: Misuse of Computers 103 Chapter 6: Cloud Threats 125 Chapter 7: Why Doesn’t Somebody Stop It? 153 Chapter 8: What Has the Industry Done? 175 Chapter 9: Personal Defense 193 Chapter 10: Disaster Recovery 221 Index 231 Introduction I wrote this book to solve two very specific problems for my fellow IT pro- fessionals. We all get too many questions from individual computer users who are worried about the security of their personal computers, tablets, and phones. In the industry, the acronym RTFM is hurled at beginners for asking naïve questions. But that is not an appropriate answer to a user concerned about computer security. These folks ask good and important questions that deserve serious answers. A few years ago, after repeating the same answers many times, I started to look for the right book to recommend. There are many good books on computer security but most of them drift into security for system administrators; this confuses ordinary users and leaves them uncertain. And no one needs to be reminded that the details of computing change rapidly, but the basic principles stay the same. Users need knowledge that will give them a foundation to build on as the details of security issues change. Many books on personal computer security tend to be highly prescriptive with lots of screenshots and values to fill into specific fields. This is nice, but this aspect of computing changes rapidly and many of these books become confusing within months of publication because interfaces change. Users need simple explanations of what they are doing and why they are doing it, not outdated, detailed instructions. The rate of change has escalated as products adopt automated update practices. Products evolve much more rapidly than a few years past. To stay safe during rapid change, computer users must have a firm grasp of what they are protecting themselves against, how the protections work, and why they need to protect themselves. The book is divided into three sections. The first section explains how computing has developed, how cybercrime has become a serious problem, and the extent of its severity. The second section examines what government and industry have done to respond. The third section relies heavily on the previous two sections and focuses on what you can do to protect yourself and what to do when you become a victim. Throughout, I have tried to maintain focus on what is wrong, why it is wrong, and how the response works so that a user can apply the advice to any computer they work with. If I have succeeded in my goal, the users who read this book will be informed, not quite so nervous, and prepared to avoid or actively resist the security xiv Introduction issues that plague them. This book will not eliminate user questions to IT professionals, nor will it eliminate the need for operating system and product security documentation. In a world where substantial updates are automatically applied every month, a book like this would not be useful for long if it was only a snapshot of cybersecurity at one moment in time. Readers may be tempted to skip to the last two chapters. If you are under attack and feel the need to take immediate action, do skip ahead. But then go back and read the preceding chapters. You will find that the recommendations in the final chapters will make more sense, are easier to accept, and can be applied more effectively after you have the background the earlier chapters provide. C H A P T E R 1 What’s Biting Us Who and What Does Cybercrime Hurt? When I hear the news about the latest computer security breach, I am so dismayed that I want to turn off my smartphone, tablet, and laptop and qui- etly lock them in the bottom drawer of my desk. But I don’t. I have designed and written computer software for decades, and I will not accept that the work that I and many others have done over the years is being subverted by disgruntled misfits, criminals, and thugs. I take a deep breath and think through what has happened and why it took place. Turning off personal computers does not help much. Lapses in security in other people’s computing systems can hurt you as much as a weakness in your own system. Many of the systems over which we have no control are critical to our safety, financial well-being, and even our health. The dangers seem to have multiplied overnight. The devices that were once useful and entertaining seem to have spontaneously metamorphosed into menaces. Computing began in what seemed like a garden of Eden, far from crime and malice. Early computers were hidden in laboratories and their users were engineers and scientists. Computing as an instrument of crime was not in anyone’s mind. But this has changed. Instead of being protected behind locked doors, computers large and small are exposed in ways that could not have been imagined by their inventors. Nearly every computer is attached to networks that can be accessed from anywhere on the planet by almost any- one. Wireless networking further opens computers to both free and malicious access. In this open environment, the computing industry only noticed the © Marvin Waschke 2017 M. Waschke, Personal Cybersecurity, DOI 10.1007/978-1-4842-2430-4_1 2 Chapter 1 | What’s Biting Us opportunities for cybercrime in the last two decades of the millennium. Even then, most computer-related crime was embezzlement and inventory twid- dling that could have been done as easily with paper books as by computing. Computer and software manufacturers were not earnest about security until cybercrime grew into big business at the beginning of the millennium. Previously, engineers tended to think of security as an annoying hindrance to development that could be added in the last stages of a project. If a project got behind, security might be left for the next release. This attitude still sometimes exists, although engineering practices now acknowledge that security must be considered at every stage of product development, including decisions not to build projects that cannot be adequately secured. Services, such as online banking, which we can scarcely imagine living without, loom as threats in news reports almost every week, and yet we become more and more attached to our plastic. Androids and iPhones burrow deeper and deeper into our lives with texting, email, Facebook, Uber, and hordes of other apps that make busy lives easier. But each of these devices and apps present new vulner- abilities to criminal attack. The vulnerabilities grow with each new device and app. In their self-interest, computer users must understand the threats, correctly evaluate their potential, and take steps to avoid, block, or disarm attacks. Computer networks are a tough neighborhood. Doing business on the mean cyber streets is a difficult assignment in an environment that changes every day. This challenge is not that different from challenges we face in other areas. After all, life is a dangerous venture. Heart disease or cancer can strike anyone, but we can improve our odds with exercise and a healthy diet. Driving a car is dangerous, but we can drive carefully in cars equipped with seatbelts, air bags, and anti-lock brakes. There are no guarantees that we will avoid a heart attack or an automobile crash, but our chances significantly improve when we are reasonably cautious. Most people can live a long and satisfying life while following good safety practices. The same applies to the cyberworld. The cyberworld has no guarantees and there are many tradeoffs, but most people can use and enjoy their computers, tablets, and smartphones without becoming a victim of cybercrime. It’s like choosing to avoid sugary soda alto- gether but occasionally indulge in your favorite dessert. You must intelligently reduce the chances that a calamity will occur. Choosing a car or truck with anti-lock brakes will not guarantee that you will never skid on an icy road, but they will help control the skid and give you a better chance of steering out of a crash into the guardrail. Good cybersecurity practices will not guarantee that you will never be hacked, but they can turn away all but the most persistent hackers and limit the damage when an assailant smashes through your defenses. Individuals can take heart from the statistics. Despite increases in computer use, cybercrime complaints to the FBI’s Internet Crime Compliance Center have drifted downward from 303,809 complaints in 2010 to 269,422 in 2014, a more than ten percent decrease. The significance of this decrease is greater Personal Cybersecurity 3 than it may appear because the pool of computing devices has grown, with an increase in the number of smartphones and tablets to the existing pool of laptops and desktops. Keep in mind that cybercrime is likely underreported. Not every victim of massive credit card theft reports the crime to the FBI. Cyberwarfare and terrorism seldom have individual persons as victims, and their impact is not reflected in FBI statistics. These are some of the most heinous and far reaching crimes, and yet they may not be reflected in the statistics. Nevertheless, the crimes that are reported to the FBI are significant and they do show a decline, which seems the opposite of what we see on the news. The frequency of news stories on cybercrimes is different from the true frequency of cybercrimes. Cybercrime may simply have become more newsworthy. Later, as I probe into the industry’s efforts to deter or prevent computer crime, you may gain some insight into why the FBI numbers have gone down. The Internet Crime Compliance Center reports that the largest financial losses were from conventional confidence fraud over the Internet and the most frequent complaint was non-payment and non-delivery on Internet transactions. For these crimes, the Internet was a convenient vehicle, but they could have been committed over the telephone or through the paper mails. These reports suggest that good old-fashioned dishonesty and fraud continues to be profitable in the 21st century, but they are not examples that are ger- mane to the rise of crime enmeshed with computer and network technology. Cybercrime is not quite as threatening to individuals as it appears, but don’t underestimate it. For individuals, the biggest threats do not come from hackers breaking into their laptops and tablets. The greatest threats are through break- ins and other mayhem done to computer systems that most people have little or no contact with. When those types of crimes are counted, cybercrimes occur more frequently than anyone would like. Some experts estimate that 1 individual’s email account is more likely to be broken into than their house. Cybercrime Cybercrime takes many different forms. The most spectacular crime is mas- sive theft of critical personal information. Companies that hold this informa- tion can do much to prevent these thefts, but we individuals have little power because we have no control of the vulnerable systems that process and store our information. 1CBS. “ These Cybercrime Statistics Will Make You Think Twice About Your Password: Where’s the CSI Cyber team when you need them?” March 3, 2015. www.cbs.com/shows/csi-cyber/news/1003888/these-cybercrime-statistics- will-make-you-think-twice-about-your-password-where-s-the-csi-cyber- team-when-you-need-them-/. Accessed December 2015. 4 Chapter 1 | What’s Biting Us SOME USEFUL CYBERSECURITY JARGON • Attack surface: All points vulnerable to attack on a computer, network, or system. The attack surface usually does not include the human element, which is often the greatest vulnerability. • Attack vector: A route or method allowing an invader to enter or compromise a computer, network, or system. • Exploit: An invasion of a computer system. Also the method and the system defects used for an invasion. • Hacker: Traditionally, someone who writes or studies computer code for their own satisfaction rather than a job or school. Some hackers code for illegal purposes. Hacker now often means “system invader.” • Malware: Malware is any software designed to perform harmful activities. Viruses and worms are both malware. • Social engineering: Using human weaknesses as an attack vector. • Virus: A virus is a fragment of code that attaches itself to another file. When the file is accessed, the virus will infect other files. It may spread to other devices by emailing itself or some other method. • Worm: Worms are programs that travel from computer to computer, usually doing damage along the way. Worms can replicate and move between devices autonomously. The number of pieces of data and enterprises hacked into are surprising. RSA is one of the largest providers of security certificates used to guarantee that Internet sites are who they say they are. A major security company is, one would hope, an unlikely candidate for a hacker intrusion, but in 2011 RSA was 2 embarrassed to be hacked to the tune of tens of millions of employee records. People think of hackers as Lisbeth Salander from Stieg Larsson’s Millennium Trilogy or Garcia on the television series Criminal Minds; geniuses who can work miracles from any computer attached to the Internet. In minutes, they hack into any computer anywhere and extract the precise information they need. That is not exactly the way real hacking works. 2 See Taylor Armerding, CIO, February 16, 2012. www.cio.com/article/2399262/data- breach/the-15-worst-data-security-breaches-of-the-21st-century.html. Accessed December 2015. Personal Cybersecurity 5 In the 1960s and 1970s, anyone working on a computer and not performing an assignment from a business, school, or government was called a hacker. Programmers and administrators who worked after hours on their own c omputing projects and students who hunched over terminals working on unassigned tasks were all an anomaly. These enthusiasts occasionally drifted past official rules either unintentionally or from curiosity, but seldom with malicious intent. But as computing advanced, some of these unofficial experts began to take advantage of opportunities for mischief and gain that they dis- covered in their preoccupation. The hackers of today have a range of profiles. Some merely push boundaries for pleasure. Enthusiasts who spend hours searching for undocumented ways to change the behavior of their personal computers are at this end of the spectrum. Some of them are white hats: hackers who are paid by businesses and law enforcement to find security flaws by acting like black hats trying to break in. In the middle of the range are hackers who claim to perform victim- less crimes that affect only institutions, not people. Other hackers claim to be activists who only hack for benevolent or political purposes. At the far end, organized criminals use hacking skills to wreck and steal. The most danger- ous of these gangsters have adopted the brutal tactics of organized crime. Government or military operatives who create and use cyberweapons often are the authors of the most destructive exploits. The Target Corporation Heist How do hackers steal? Examining a well-known exploit helps explain what they do. A few days before Thanksgiving in 2013, hackers began an exploit that eventually stole information from 40 million credit and debit cards from a mass retailer, Target Corporation. To put this another way, more than one person in ten in the entire United States had a card number stolen. The stolen card numbers and other information were spirited off to “dark” trading sites, sort of criminal eBays, and sold for a few dollars apiece to other criminals called carders, who manufacture new cards bearing the stolen data. They use the fake cards to purchase expensive items on the unsuspecting cardholder’s accounts. The purchased items are often sold on the real eBay. Like most hacking exploits, the Target heist began with social engineering. See Figure 1-1. Social engineering is jargon for tricking a person into revealing information that a hacker can use to gain entrance to a system. The tricks can be elaborate, often involving meticulously prepared fake emails, or simple, like asking someone for their password for a seemingly innocent purpose. Disgruntled former employees are often willing to be social engineered into helping with, or leading, an invasion.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.