Phony Tech Support Awareness

It’s not just tech support. Did you see my previous article on Paying the IRS with Target Gift Cards? I’m glad they were shut down and arrests were made.

If you think you were scammed, report it here https://www.ftccomplaintassistant.gov/ or here https://www.ic3.gov/default.aspx
You should bookmark those links.

Posted in Security Blog | Tagged , , , , , , , | Comments Off on Phony Tech Support Awareness

Ransomware and the IoT

During a security conference, a gentleman demonstrated a thermostat that he had compromised, locking the user out for a ransom. He was even able to make the thermostat emit a tone only animals can hear. Imagine your dogs or cats freaking out and you having no idea why.


Just an example; as many know, it costs less than 1 bitcoin to replace a thermostat, but you get the point!

This is why I really love this comic cover that Joy of Tech created. It really unveils just a few of the possibilities!


http://www.geekculture.com/joyoftech/joyarchives/2340.html (Joy of Tech has some rad comics; please help support them).

A huge way we as the public can stop the scenario in that comic from happening is to be a little more cyber savvy about what we buy or connect to the Internet. Many of these devices are not built with security in mind, and it’s basic stuff too, like the ability to change a device’s username and password. Manufacturers could add small features like that, or have the device force the consumer to change the initial password before it will work (which, admittedly, sometimes generates support calls that have to be staffed). Consumers who have the knowledge should not even purchase these devices if they know they aren’t secure, or should take the extra steps to secure them (which is usually left to advanced, in-the-industry users).

Corporate mindsets on the business side also need to realize that the risk from Internet-enabled devices isn’t just “can someone steal a credit card.” There is a lot of indirect risk beyond the financial. Reputational risk is huge! Part of our mindset should be about due diligence and about being a public steward of safety and security, and about realizing that Internet-connected devices are also computers, sometimes with a web server, that can be:

  • used in an attack
  • used to host child porn
  • used to spy by video and microphone
  • set up as a SPAM or phishing mail server
  • used to purchase unnecessary items in bulk (ALEXA, ORDER ME 1,000 GALLONS OF TIDE LAUNDRY DETERGENT), as in that comic above
  • used to turn your heater on in the summer and your A/C on in the winter
  • used to blast your least-favorite songs in your media library really, really loudly.

Who knows what else you can be exploited and blackmailed for.


Anyone Bluetooth scanning in your neighborhood?

If you already have devices in your house, don’t brag about them without first locking them down… even then, be a little reserved about it on your social profiles.


Samsung Stops Production of Note 7

Samsung’s money maker, the Note 7, has been having really bad battery problems: they literally burn and explode. Of course the company recalled them, saying it had a fix, but even the replacements came out with the same problem. Even the FAA has taken a strong stance on how the Note 7 should be treated on a flight.


http://www.usatoday.com/story/tech/2016/10/11/samsung-stopping-galaxy-note-7-production/91885996/


When October is NCSAM, but Also Halloween!


haha, sexy hacker… hahaha!


who did this?


Amendment to California Law on Breaches

On September 13, 2016, Governor Jerry Brown signed AB 2525, which amends the state’s data breach notification law (California S.B. 1386) requiring businesses to disclose data breaches to individuals whose personal information has been compromised. Currently, the law only requires businesses to disclose breaches where “unencrypted” information is breached. Under the new amendment, however, businesses must soon disclose breaches even when “encrypted” information has been acquired in an unauthorized breach. Under the amended law, as of January 1, 2017, the notification obligation will be triggered where encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”

Read more on Lexology


Email Humor: Not Phishing



CIS, Cybersecurity Tips for NCSAM

I’ve worked a lot of places, and it’s amazing how often I’ve observed that the basics are not adopted by everyone. Here’s a quick video from the Center for Internet Security (CIS).


The Largest Distributed Denial of Service, EVER! (A Robot Knock-Knock Description)

Denial of Service explained:
Computers generally respond to network traffic. If a computer on my network wanted to talk to my computer, it would put out a request over the network to start a conversation. Let me explain with robots and a knock-knock-at-the-door description:

Knock-Knock
“Who’s there?”
<silence>

Not answering the “Who’s there?” puts my robot in a waiting mode, waiting to figure out who’s there. After a few seconds, my robot gives up and goes back to the kitchen to make dinner. (In TCP terms, this is a SYN that never gets its final ACK: a half-open connection that sits in the server’s backlog until it times out.)


Don’t make Rosie mad! She can lift a couch with one hand and vacuum under it at the same time; the only other person I know who can do that is Mr. Incredible!

Imagine now that there are hundreds of knocks on the door, and the robot gets up and tries to say “Who’s there?” to every knock, but it’s the same person knocking every time. Eventually my robot will just freak out at the door, stop asking “Who’s there?”, and be too occupied to go back to the kitchen and make dinner. That’s how a basic denial of service works.

Now imagine there was a full-on army at the door, and every one of those soldiers was ordered to knock on the door (and every door the house has) thousands of times. The robot will probably go crazy, springs and gears shooting from its head, and won’t be able to figure out who’s at the door or make dinner! That’s how a distributed denial of service attack works.
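To make the knock-knock story concrete, here is a toy simulation of a SYN flood, added as an example for this post (it is not code from the original article). Each knock is a SYN that reserves a slot in the server’s half-open backlog and is never followed by an ACK. The numbers (a backlog of 128, a 30-second half-open timeout, a hypothetical per-source limit of 8 pending connections) are illustrative assumptions, and the addresses are constructed documentation-range addresses. The point it shows is why “distributed” matters: a per-source limit stops one noisy knocker, but an army of bots that each stay under the limit still fills the backlog.

```python
"""
Toy model of the knock-knock story: a SYN flood against a server's
half-open connection backlog. Constructed example, no real sockets.
Assumed, illustrative numbers: backlog of 128, 30 s half-open timeout,
and a hypothetical per-source limit of 8 pending connections.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BACKLOG = 128             # unanswered "knocks" the robot will remember
HALF_OPEN_TIMEOUT = 30.0  # seconds before the robot gives up on a knock
PER_SOURCE_LIMIT = 8      # assumed mitigation: max pending knocks per visitor


@dataclass
class Server:
    per_source_limit: Optional[int] = None
    now: float = 0.0
    next_id: int = 0
    # conn_id -> (source address, time at which the robot gives up waiting)
    pending: Dict[int, Tuple[str, float]] = field(default_factory=dict)

    def _expire(self) -> None:
        """Forget knocks that have waited longer than the timeout."""
        self.pending = {cid: (src, exp) for cid, (src, exp) in self.pending.items()
                        if exp > self.now}

    def syn(self, source: str) -> Optional[int]:
        """A knock (TCP SYN). Returns a connection id, or None if dropped."""
        self._expire()
        if len(self.pending) >= BACKLOG:
            return None                      # backlog full: the door goes unanswered
        if self.per_source_limit is not None:
            from_src = sum(1 for s, _ in self.pending.values() if s == source)
            if from_src >= self.per_source_limit:
                return None                  # this visitor already has too many pending
        cid = self.next_id
        self.next_id += 1
        self.pending[cid] = (source, self.now + HALF_OPEN_TIMEOUT)
        return cid

    def ack(self, cid: int) -> bool:
        """The visitor answers "Who's there?" (final ACK); the slot is freed."""
        return self.pending.pop(cid, None) is not None

    def tick(self, seconds: float) -> None:
        self.now += seconds


def legit_connect(server: Server, source: str = "10.0.0.5") -> bool:
    """A well-behaved visitor: knocks and answers. True if the handshake completes."""
    cid = server.syn(source)
    return cid is not None and server.ack(cid)


def flood(server: Server, sources: List[str], knocks_per_source: int) -> int:
    """Attackers knock repeatedly and never answer. Returns knocks that got a slot."""
    accepted = 0
    for src in sources:
        for _ in range(knocks_per_source):
            if server.syn(src) is not None:
                accepted += 1
    return accepted


def run_scenarios() -> Dict[str, bool]:
    """Can the legitimate visitor still get in under each scenario?"""
    results = {}

    # 1. One attacker, no mitigation: all 128 slots fill, the door is effectively closed.
    s = Server()
    flood(s, ["203.0.113.9"], 500)
    results["single_source_no_limit"] = legit_connect(s)

    # 2. Same attacker, per-source limit: attacker capped at 8, visitor gets through.
    s = Server(per_source_limit=PER_SOURCE_LIMIT)
    flood(s, ["203.0.113.9"], 500)
    results["single_source_with_limit"] = legit_connect(s)

    # 3. Distributed: 100 bots, each under the per-source limit, still fill the backlog.
    s = Server(per_source_limit=PER_SOURCE_LIMIT)
    bots = [f"198.51.100.{i}" for i in range(1, 101)]
    flood(s, bots, 5)
    results["distributed_with_limit"] = legit_connect(s)

    # 4. Once the bots' knocks time out, the robot can answer the door again.
    s.tick(HALF_OPEN_TIMEOUT + 1)
    results["after_timeout"] = legit_connect(s)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} legit visitor gets in: {ok}")
```

Real kernels defend the backlog with things like SYN cookies and shorter half-open timeouts rather than the per-source counter modelled here, but the lesson is the same: any defense keyed on “who is knocking” is exactly what a botnet of thousands of home devices is built to get around.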

Someone (or a cluster of someones) was able to order an army to go knocking on Brian Krebs’ door. That army was made up of soldiers from the Internet of Things. Here’s how that happened!


There are lots of cool new devices connected to the Internet: security cameras, fridges, thermostats, doorbells, teapots, and even children’s toys! Often the manufacturer prints the default username and password for logging into the device and connecting it to the Internet right in the manual (which can be found online). Most people don’t bother changing that password.

Readily available search engines show just how easy these devices are to find (check out https://www.shodan.io/ and https://wigle.net/). The attacker(s) wrote some malware (called Mirai) that scans the Internet for these devices, tries to log into each one with a list of 61 default passwords that people don’t bother changing, and turns the ones it gets into into bots!

Imagine about 3,630,000 of these suckers, each of them knocking thousands of times.


Rosie’s not programmed to do this, unfortunately.

Even if there were 1,000 robots programmed to cook dinner and answer the door, they’d still have a freak-out and just stand somewhere between the kitchen and the door, crying and doing neither the cooking nor the answering of the door.

Many big DDoS attacks also use what’s called DNS reflection, or amplification: small spoofed queries sent to open DNS resolvers get answered with much larger replies aimed at the victim, like knocking on the door, but with a giant rubber mallet. (Krebs’ own write-up, linked below, notes that the record attack on his site came mostly as direct traffic from the bots themselves, with no amplification needed.)


Now that you understand how DoS and DDoS work, you can read some interesting articles here:

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

http://www.csoonline.com/article/3126924/security/here-are-the-61-passwords-that-powered-the-mirai-iot-botnet.html

Update 20161022: Advancement on this attack.


Happy #CyberAware Month

Today is NOT ONLY the first day of October, the beginning of a whole month in which I justify that it’s okay to stuff my face with fun size Twix bars [whispers “Fuck Yeah“], it’s also National CyberSecurity Awareness Month! Not only will I be posting my usual stuff, but I’ll also be supporting YOU with some shareable tips on how to stay safe online!

Here is one of my favorite videos, called Don’t Be a Billy.



Pay the IRS with Target Gift Cards! Catching a Phone Scam

Fear is a strong motivator. Nobody wants to be told they owe on their taxes, that they are penalized, or that they will be sent to jail. I remember when someone tried to vish (voice phish) me and it sounded so serious!

Update: 20161010
