© Marvin Waschke 2017

Marvin Waschke, Personal Cybersecurity, 10.1007/978-1-4842-2430-4_4

4. Your Computer Is a Target

What Are the Shady Hombres After?

Marvin Waschke

Bellingham, Washington, USA

Don’t be fooled into thinking that your personal devices and data are safe because they are not as tempting as business computer systems. Unless your data is uniquely desirable, it is true that your personal smartphones, tablets, laptops, and desktops are not as rich a target as corporate servers that hold payment card information for millions of customers, myriad personnel records, employee health data, and proprietary documents to sell on the black market. Businesses will pay large ransoms when profitable business is slowed or halted by a clever hacker. Hacking into national and international businesses and governments is the big time for hacking. Most skill and effort are directed toward the big targets.

Despite tempting business and institutional targets, hackers still have abundant time and energy for attacking individuals. Although the payload may not be as great, breaking into a personal computer is often less risky and technically easier than breaking into a corporate or government system.

Security specialists sometimes rank cybercriminals based on their expertise and their supporting organizations. The most powerful are highly trained and experienced government agents and military personnel with nearly unlimited equipment and support staff. They are prepared to break in anywhere and their potential for mayhem is as unlimited as their resources. At the other end of the scale are script kiddies. They have little training or experience, but they know how to download prepackaged hacking software from the Internet and follow the instructions to damage their victims.

No system is safe from a top-flight and well-supported cyberinvader, but a carefully secured personal system can give pause to even the best. A personal computing device on which security is ignored is up for invasion by a script kiddie.

Unsecured personal computing devices are sitting ducks with valuables that cybercriminals want. An unsecured personal system is an easy and tempting target, especially to invaders at the low end of the skills and resource spectrum. In this chapter, I will go into detail about what these invaders want and the damage they can do. Chapter 9 details the steps individuals can take to secure their personal computing devices. After following Chapter 9, your devices will no longer be easy targets waiting for an invasion. If you get scared, you can skip to Chapter 9. However, I suggest that you first read the intervening chapters, or you may make the worst mistake of all: thinking that the steps to secure your computer are not worth the trouble.

Pwning

Pwning is hacker and gamer slang. Legend has it that years ago, a numb-fingered hacker gained access and control of an enemy’s computer and intended to crow about it in an Internet chat session. Instead of typing “I own you,” his finger missed the “o” and hit the adjacent key, “p,” typing “I pwn you.” From that day on, taking control of someone else’s computer was known as pwning. Gamers picked it up and use it to mean “I totally dominate you in this game.” Other gamers maintain pwn is a misspelling that appeared in a video game. Which story is true? It is hard to say.

The pronunciation is variable. Some say it is pronounced “pone” as in cornpone; others pronounce it “pawn” as in chess; yet others insist it has no pronunciation because it is only used in text messages and chat rooms.

The sources are notoriously unreliable. No matter which origin or pronunciation, being pwned is unpleasant.

Birth of a Pwn

It is easy to joke about pwning, but it is also the quintessential hack job and a building block of most sabotage and cybercrime. Desktops, laptops, tablets, and smartphones all can be and are pwned. Some vendors claim their devices are invulnerable. That has repeatedly been proven untrue.1

Although it is possible to break into a system directly in several ways, the most frequent attacks are through phishing and drive-bys. A phisher tricks his victim into opening an email attachment, which executes and infects the victim’s machine or leads the victim to a phony web site where they are tricked into entering their credentials. The executed code usually establishes an entrance to the system (backdoor) that the hacker can use surreptitiously. The code will also send a message to inform the hacker that a new device has been pwned. A drive-by does the same thing but instead of email, it uses weaknesses in web browsers to fire off code that infects the victim’s device. Drive-bys are harder to avoid than phishing expeditions because victims can avoid infection from phishing by not opening attachments or entering credentials; to avoid drive-bys, the victim must avoid clicking on links to drive-by sites or avoid executing the code used by drive-by sites.

When a victimized machine is infected, the hacker obtains access to the victim’s device through a backdoor, which is also called a remote access tool (RAT). The RAT could be distributed with the operating system, like the Windows Remote Desktop, or something special coded up by the hacker. Documented points of entry are usually not called backdoors, but they do similar things. There are many legitimate uses for RATs, such as remote maintenance and troubleshooting, but they are also hacking tools. Hackers usually prefer to use RATs designed for hacking, which are clearly backdoors. There are a number available for downloading. In a pwn, the RAT may be opened up immediately, but it is often easier to open the RAT on the next boot of the victim’s computer.

If the victim is lucky, antivirus software will detect and remove the infection before the hacker begins to use the RAT. Depending on the infection and the antivirus software, the infection could be detected in real time when the infection occurred or in a scheduled or manually started virus scan. The interval during which the infection can be caught before damage is done can be short, which argues for frequent virus scans. Real-time detection will not always catch all infections; frequent virus scans in addition to real-time detection are an excellent idea. However, an infection cannot be caught if the antivirus software does not have its signature. Installing the latest signatures helps catch the latest infections, although there is always a chance that a new virus will not yet have a signature.

Aftermath of a Pwn

When the RAT is in place and the hacker has access, the real destruction can begin. An important point here is that the hacker’s job is much more difficult, if not impossible, if the hacker does not have administrative privileges. Although the hackers may find a way to give themselves administrative privileges later, hackers inherit the privileges of the user account they use to enter the device, which is the user who triggered the initial infection. Therefore, avoiding assigning administrative privileges to the primary account on a device makes the device less vulnerable to attack.

One of the first steps of a sophisticated pwn is to make the infection harder to detect and remove. This includes mutating the infection software so that it no longer conforms to signatures known to antivirus software. That can mean making the signature unique to the device. If the antivirus program looks for certain file names, the names can be changed. If the antivirus program looks for patterns in the binary code, these can be disguised or moved around. The infection can be hidden off the hard disk or in areas usually reserved for the operating system. For instance, key virus code can be tucked into static memory in the Basic Input/Output System (BIOS) that runs before the operating system starts up. If the infection does this, a complete removal and replacement of the operating system will not eradicate the infection.
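The two preceding paragraphs describe antivirus detection as signature matching and the hacker's countermove as mutating the infection so it no longer matches. The following is an added example, not code from the book, that shows in miniature how two common signature styles behave: an exact file hash and a byte pattern. The "infection" is a constructed byte string with an invented marker, and the signature labels are made up; the point is the defender's view of which signature survives a renamed or slightly altered copy and which does not.

```python
import hashlib

# Constructed sample "files" for this example. None of this is real malware:
# the stand-in infection is a byte string with an invented marker, and the
# signature labels are invented too.
MARKER = b"EXAMPLE-RAT-BEACON-v1"
BENIGN = b"Quarterly report: revenue up 3 percent.\n" * 4
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 16 + MARKER + b"\x00" * 16
# A mutated copy: one padding byte appended. Its hash differs; its content pattern does not.
VARIANT = ORIGINAL + b"\x00"

# Two signature styles a scanner might carry: an exact file hash (precise but
# brittle) and a byte pattern (survives small mutations of the binary).
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Example.RAT.A"}
PATTERN_SIGNATURES = {MARKER: "Example.RAT.Gen"}


def scan_file(data):
    """Return the list of (signature_type, label) matches for one file's bytes."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(("hash", HASH_SIGNATURES[digest]))
    for pattern, label in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(("pattern", label))
    return hits


def scan_files(files):
    """Scan a mapping of filename -> bytes. Filenames are deliberately ignored:
    a content-based scanner is not fooled by a renamed file."""
    return {name: scan_file(data) for name, data in files.items()}


# Constructed sample set: a benign document, the original, and a renamed, padded copy.
SAMPLE_FILES = {
    "report.txt": BENIGN,
    "updater.exe": ORIGINAL,
    "renamed_copy.exe": VARIANT,
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {hits or 'clean'}")
```

Running it shows the original matched by both signatures, the padded copy matched only by the byte pattern, and the benign file clean. This is why signature sets need frequent updates and why scanners rely on pattern and behavioral rules in addition to exact hashes: a hash catches one precise build, while a mutated variant needs a broader rule.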

When the pwn is complete, the nasty fun begins. The infection can change filenames and modify file contents to suit the hackers' purposes. It can also change permissions on files so they cannot be opened or executed. Best of all, the intruder can change passwords and remove or change the privileges associated with accounts. When this happens, the victim has lost control of their own device. At that point, the victim has few alternatives. The device may still be recovered but a complete restore to factory defaults may be quicker and easier.

If the hacker remains in stealth mode, they avoid detection and allow the user to think they still own their device. The hacker can begin to mine the resources of the device. All the interesting data and passwords can be stolen. Data lockers, often called ransomware, can be set up. Webcams can be used to spy on users. Perhaps compromising photos can be sold or used for defamation or blackmail. Internet of Things (IoT) controls can be fiddled with, such as unlocking the front door for a burglar who has been informed that the house will be vacant for a few hours. The hacker may install a key logger, which will capture and record every keystroke from the keyboard in a log and send them to the hacker. A key log is a great source for information like bank account numbers and passwords that the victim was careful not to store on the device and only transfer through secure communication channels. And then there is the possibility of becoming a bot, hired out by the hacker to send spam or participate in denial of service attacks.

Stealing Your Data

You may expect that a hacker’s prime target is payment card information, but this is not quite as attractive as it may seem. Most individuals have only a handful of payment cards, many only a single debit card and a single credit card. This is not a rich haul compared to 40 million cards taken in the Target heist. In addition, most people do not store their payment card information on their computers. Payment cards only sell for a few dollars on the black market. If the hacker decides to cut out the middleman and use the cards, they expose themselves in ways most hackers avoid, such as being caught with a stolen card in a store. Although a hacker will probably grab payment cards when they have the opportunity, they are unlikely to invade a personal computing device for payment cards.

Passwords

The passwords stored by browsers are an attractive prize for hackers. All browsers offer to memorize usernames and passwords. Browser stored and managed passwords are a great convenience that most users pounce on. After the browser has captured a password, the user does not have to think about it again. However, this is a mixed blessing because all a hacker has to do is bring up the browser, go to the stored passwords, and pick up the keys to your kingdom.

Browser developers have tried to make hacking more difficult. Firefox has a master password that users can set. Chrome uses a Google account password and Microsoft uses a Microsoft account to access passwords. There are advantages to both methods. By basing browser stored password protection on accounts that are used for many different things, those accounts become single points of failure. In other words, if OneDrive is hacked, so are the passwords in Edge. However, Chrome and Edge are more convenient because users are probably already signed into their Google or Microsoft account when they are asked for an account and password in their browser. The Firefox master password has to be entered each time Firefox is brought up, which is annoying, but a hacker has to work harder to get the password.

If the invader has installed a key logger, all bets are off. The key logger will record all passwords (and everything else) that are entered through the keyboard, including Microsoft and Google account passwords and Firefox master passwords. This underscores the benefits of detecting and removing malware as soon as possible.

The best prizes are passwords to sites like bank and stock trading accounts that offer opportunities to steal large amounts of money quickly. Access to a credit card site can be used for identity theft and help in crafting personalized social engineering exploits that might appear as emails to your friends that are made credible by personal information gleaned from your device. Purchases can be made from confederates selling on eBay and instead of sending the merchandise, the confederates forward money to the hacker. When the authorities investigate, the criminals have turned into phantoms and disappeared.

From your computer, a hacker can gain access to your cloud accounts, including your backups, your documents, and data in cloud storage (virtual systems running on cloud facilities like Amazon Web Services or Microsoft Azure).

Hackers are also looking for game accounts such as Steam and Xbox and entertainment accounts such as Hulu, HBO, and Netflix. Rumor has it that there is a thriving market in reselling stolen Netflix accounts. License keys for operating systems and applications are also nice lagniappes that a hacker may be happy to latch onto.

Email

Email account passwords are a special prize. By reading email, hackers obtain facts and details that they can use to make a person’s life miserable for years to come. If they have not learned it already from Facebook, they can learn about the victim’s family and friends and collect their email addresses, which opens all of them up for spam, harassment, and phishing, no doubt using the victim’s name. They can develop a detailed profile of the victim and use it for repeated identity thefts.

If the victim’s healthcare and insurance providers use email to communicate with the victim, the hacker scoops up the victim’s health information. Emailed bank and other financial statements are open to the hacker, as are receipts and invoices from vendors.

If the victim ever corresponds with their employer or customers, the hacker picks up inside information they can use to social engineer their way into those businesses. If security breaches are traced back to the victim, restoring trust may be difficult and time-consuming.

Documents

The documents stored on a victim’s computer can also be valuable, although they are often individual and require more special knowledge to evaluate and exploit. Therefore, they are more likely to be taken in an attack that is directed toward a specific person rather than a blanket sweep of vulnerable devices.

There are many candidates for document theft. Business documents, tax filings, contracts, and legal documents all might be used fraudulently. Health documents, appointment calendars, and to-do lists are good materials for developing social engineering scams.

When a computer is hacked, documents or photographs that are in some way embarrassing or compromising are often publicized on public media. There is also potential for blackmail or other forms of extortion.

Other potential document losses are copies of reports, creative works, and photographs. E-book and music libraries can also be lost, although most of these are also stored in the cloud and are relatively easily replaced.

File encryption is a common strategy for protecting documents. Microsoft provides their BitLocker service on Windows. BitLocker encrypts and decrypts all the files on a device’s disk automatically with only minor performance degradation on recently manufactured devices. There is some controversy over whether or not Microsoft has provided a backdoor for government agencies, but the encryption itself is considered secure. BitLocker is not available on home and student versions of Windows.

Threatware

Threatware attempts to extort money from its victims by making threats. Some of the threats are idle, others are chillingly real. A common threat is to render your data inaccessible to you.

Data lockers, often called ransomware, lock up the data and resources of personal computing devices so that their rightful owners can’t get to them. Data locking amounts to an extortion scheme. The fundamental pattern is a message that pops up demanding money to restore access to your computer or to avoid some disaster. Sometimes the threat is real, sometimes not.

Data locking is probably the most direct route between a personal computer and a criminal’s payday. And the criminals often succeed. A hospital in southern California paid out $17,000 to regain access to their data files. Criminals encrypted system and data files, then demanded payment for the decryption key. With their computer system effectively stopped, the hospital staff had to revert to pen and paper for record keeping and communications, which slowed operations and eventually may have affected patient care. The hospital administration determined that paying off the extortionists was the best choice. After paying in Bitcoins (see sidebar below), the hospital successfully restored their system. The entire episode took place over a weekend.2

Some of these methods involve little computer engineering. These scams can be as simple as a clickbait website. The bait is something like “Never before seen photographs of sexy top models and adorable kittens.” Well, who could pass that up? But on clicking, the screen says “Child pornography download attempt. The FBI will be notified immediately unless a $1,000 purchase is made at the Mean Pirate Haxx web site using the coupon code X666X.” No ugly child pornography was involved and nothing was done to the victim’s computer. A surprising number of victims have been frightened by similar web sites into paying.

A scam like this is pure fraud. The perpetrator in this hypothetical case is vulnerable because PayPal, credit cards, and similar payment services are not anonymous. Recipients who do not carefully cover their tracks can usually be traced and the operators of most payment services are eager to prevent their services from being used fraudulently.

Anonymous digital currencies like bitcoin work better. They are designed to be as anonymous as cash transactions. That is a boon to cybercriminals because physically exchanging and transporting cash does not mix well with cybercrime.

Ransomware that threatens but does not damage is not as lethal as ransomware that modifies the victimized computer. This kind of ransomware changes filenames and permissions, modifies configuration files, or installs code that interferes with normal operations. There are many possibilities, and cybercriminals are creative.

Now, the most prevalent type of ransomware encrypts the files on the victim’s computer and then demands ransom for the decryption key. The hospital attack described earlier is an example of this kind of attack. Antivirus tools are ineffective against this kind of malware, unless the tool detects and eradicates the infection before encryption starts.

CryptoLocker is a well-known example of effective and vicious ransomware. It has been very successful at extorting from its victims. In 2013, CryptoLocker’s take was estimated to be in the hundreds of millions of dollars.3 CryptoLocker was taken down in 2014 by global law enforcement.4 However, malware as lucrative as CryptoLocker quickly comes back to life and there are now similar attacks occurring. CryptoWall, TeslaCrypt, and TorCrypt have all sprung up in the wake of CryptoLocker. Linux and Android are now targeted in addition to Windows systems.5 The Apple OS X operating system for Macintosh is related to Linux and is likely to be targeted soon, if not already.

A CryptoLocker-type infection typically begins with a targeted phishing attack with an attachment that infects the system when it is opened. The infection is dormant until the next time the affected computer is booted. The malware connects with its server. The server creates an asymmetric encryption pair of a public encryption key and a private decryption key, and sends the public key back to the infected computer. The infection works in the background, using the public key to encrypt files selected by extension. Targeted files include Word documents, Excel spreadsheets, photographs, and so on. The list is long and the encryption process can take several days. When the encryption is complete, the ransom message appears. The message demands a payment for the private decryption key.6 See Figure 4-1.

Figure 4-1. CryptoLocker infection communicates between the victim, the hacker, and the victim’s device

The malware is insidious. It doesn’t just encrypt the files on the computer; it also finds all network drives and attached drives such as external hard disks, flash drives, and memory cards. These too are encrypted.

Decryption is practically impossible without the private key. Some public services have collected sets of decryption keys that have been found on victimized systems. They attempt to use these keys to decrypt files, hoping that keys have been reused. This does not always work because the miscreants either assign public-private key pairs individually, or have a large number of pairs to draw on.

An antivirus tool can prevent this kind of attack under certain conditions but there are many limitations. The tool must have the signature for the infection. If the infection is new, or a recent variation, a signature is not likely to be available. If the tool has the signatures for the infection and the tool understands the modifications made by the infection, the antivirus can remove and reverse the changes, but it cannot decrypt. Files that were encrypted before the infection was stopped remain encrypted. After files are encrypted, antivirus tools may not run in the normal fashion because the victim cannot execute anything on her computer. This can be circumvented by putting the antivirus program on a bootable USB or DVD. After booting the system from removable media, the antivirus program can scan the hard drive to wipe out the ransomware, but that only prevents further encryption; it does not decrypt encrypted files.

Antivirus tools work best if they find the infection before encryption starts. This period can be a few minutes, or a few days. Usually, the ransom message does not appear until the encryption is complete or well under way.

Victims whose files have been encrypted have two practical alternatives: pay the ransom or restore from backup. The brutal fact is that most victims do not have adequate backups to restore their system. To begin with, unless backup systems are regularly checked, including trial restores, they can easily fail. In addition, ransomware is insidious in its encryption of attached and network drives, which many users rely on for backing up. Backups that are not touched by the attack can still be ruined if the backup program does not keep successive snapshots of the system, because an automated backup that runs during the encryption can overlay readable files with encrypted copies, rendering the backup useless. The best defense against a CryptoLocker type attack is a carefully thought through backup strategy carried out and maintained meticulously.
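The paragraphs above explain the CryptoLocker pattern (files encrypted by extension over hours or days, attached and network drives included) and the specific way it ruins backups: an automated backup that runs during the encryption overlays readable files with encrypted copies. The following is an added example, not code from the book or from any backup product, of a guard a backup program could apply before accepting a new snapshot. It compares each file against the last good snapshot and refuses the snapshot when many previously readable files have suddenly turned into what looks like ciphertext. The sample snapshots, the entropy thresholds, and the small table of file magic bytes are constructed for this example; it also handles the edge case that Office documents and compressed images are already high-entropy, so for those it checks the file header rather than entropy.

```python
import math
import os
import random
from collections import Counter

# Constructed sample snapshots (not real files). "PREVIOUS" holds readable
# files; in "CURRENT", two of them have been replaced by random bytes, which is
# what a ransomware-encrypted file looks like to a backup program.
RNG = random.Random(1)
RANDOM_BLOB = bytes(RNG.getrandbits(8) for _ in range(4096))

PREVIOUS = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml" + b" " * 200,
    "notes.txt": b"Call the bank on Monday about the mortgage.\n" * 50,
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8,
}
CURRENT = dict(PREVIOUS)
CURRENT["report.docx"] = RANDOM_BLOB          # header gone, contents scrambled
CURRENT["notes.txt"] = RANDOM_BLOB[:2048]      # plain text turned into noise

# Assumed thresholds for this example. Office documents are zip containers and
# JPEG/PNG are compressed, so those are judged by their magic bytes; entropy is
# used for plain text and for unknown types.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".md"}
TEXT_ENTROPY_LIMIT = 6.0      # natural-language text sits around 4-5 bits per byte
GENERIC_ENTROPY_LIMIT = 7.2   # encrypted or random data approaches 8 bits per byte


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for an empty file, 8.0 for uniform noise)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name, data):
    """Heuristic: does this file look like ciphertext rather than its stated type?"""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    limit = TEXT_ENTROPY_LIMIT if ext in TEXT_EXTENSIONS else GENERIC_ENTROPY_LIMIT
    return shannon_entropy(data) > limit


def snapshot_guard(previous, current, max_suspect_ratio=0.1):
    """Decide whether a new snapshot may be accepted. Files that were readable in
    the last good snapshot and now look encrypted are counted; if too large a
    share of the snapshot changed that way at once, the snapshot is refused so
    the last good copy is never overwritten."""
    newly_suspect = sorted(
        name for name, data in current.items()
        if looks_encrypted(name, data)
        and name in previous and not looks_encrypted(name, previous[name])
    )
    ratio = len(newly_suspect) / max(1, len(current))
    return {"accept": ratio <= max_suspect_ratio,
            "suspect_files": newly_suspect,
            "suspect_ratio": round(ratio, 3)}


if __name__ == "__main__":
    print(snapshot_guard(PREVIOUS, PREVIOUS))   # unchanged data: accepted
    print(snapshot_guard(PREVIOUS, CURRENT))    # mass change to noise: refused
```

The guard is a complement to, not a substitute for, keeping successive snapshots: a refused snapshot still leaves the previous good copy intact, and a genuine bulk change (say, a user deliberately encrypting a folder) would need to be confirmed by hand rather than silently overwriting history. The ratio threshold is a tuning knob; a single new encrypted file is normal, most of a disk turning into noise in one run is not.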

In 2015, the FBI recommended that victims of ransomware pay the ransom.7

Sabotage

Some hackers are saboteurs whose goal is damage rather than material gain. Some are out to avenge some real or imagined slight. So-called hacktivists use hacking to support political positions. Teenage hackers vent adolescent frustrations with destruction and crime. Not a few cybersaboteurs try to show off their technical prowess at annoying others. Some are genuine idealists with impersonal goals. Yet others are extortionists.

Cybersabotage is unauthorized, intentional, and malicious interference with the normal processes and functions of a computer or system of computers. It can cause the destruction or damage of equipment or data. It can also prevent a system from fulfilling its purpose by interrupting or modifying processes. The implications of sabotage for personal computer users have grown as the IoT expands.

Supervisory Control and Data Acquisition

Industry has made progressively more use of supervisory control and data acquisition (SCADA) since computerized control was introduced in the 1970s. During that time, the efficiency and capabilities of industrial processes have grown immensely due, in part, to SCADA. Understanding SCADA is important to personal computing because the IoT has extended the use of SCADA from industry to personal computing.

SCADA impacts many aspects of society. It prevents accidents like oil refinery explosions and nuclear plant meltdowns. Although these accidents still occur, many more are prevented by computerized control. Without SCADA, automobiles would be more expensive and less efficient. SCADA has made many industries more productive and safer. To implement SCADA, engineers place sensors at critical points in a process.

For example, sensors measure critical temperatures, pressures, and other aspects of processes in an oil refinery. The measurements are transmitted to a central computer and displayed to human managers. The human managers are able to respond to the measurements by operating controls through the same computer. In some circumstances, the computer itself responds to conditions faster and more accurately than human capabilities.

The net result of relying on SCADA is greater safety and efficiency. The production of some products would not be possible without the precise and instant control that SCADA provides. Industrial disasters are prevented by SCADA controls. Transportation, such as airlines and railroads, relies on SCADA for keeping passengers safe. Automobiles use less gasoline when SCADA continuously tunes the carburetion. Skids are controlled by SCADA-assisted braking. Driverless cars are also an example of an application of SCADA.

The industrial benefits from SCADA point to a future with more efficient houses and appliances that will make lives easier and safer. As the IoT grows, SCADA will also make possible new services and capabilities that have not been thought of yet.

However, SCADA is not perfect. Every system, both human and computer, sometimes fails. Major disasters have been SCADA failures. Some of these failures have been attributed to cybercriminals.

In 1999, an oil pipeline ruptured and dumped over 200,000 gallons of gasoline into a creek flowing through Bellingham, Washington. The gasoline ignited over a 1.5-mile stretch of the creek. The explosion burned to death a fisherman and two young boys playing at the creek’s edge.8 The damage to property was in the tens of millions of dollars. The reasons for the rupture were complex, involving construction that accidentally weakened the pipeline, control errors, and administrative issues. The National Transportation Safety Board (NTSB) found that the disaster would have been prevented if the SCADA system had functioned properly.

The NTSB did not conclude that the disaster was the result of hacking, but they pointed out evidence suggesting that a hacker could have caused the disaster. A malfunctioning valve closed downstream from the rupture, causing a pressure spike. If the SCADA system had been functioning properly, the pressure spike would have been detected and the system would have compensated, preventing a rupture in a compromised section of pipe. The human operator did not react promptly. This may have been inattention or inadequacies in the user interface, but the SCADA system was sluggish at the time and likely prevented a quick response.

SCADA sluggishness may have been caused by a poorly timed or faulty software maintenance procedure, but the system was not well secured against unauthorized entry. The NTSB pointed out that as the system was configured, a hacker could have caused the sluggish responses although there was no positive evidence for an outside intrusion.9
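The Bellingham account above turns on one mechanism: a valve closed, pressure spiked, and a SCADA system that should have compensated within seconds was sluggish, so the weakened pipe failed before any correction took effect. The following is an added toy simulation, not the NTSB's model and not code from the book, that makes the relationship between control latency and peak pressure concrete. All numbers (starting pressure, rise and relief rates, setpoint, rupture threshold) are assumptions chosen to keep the arithmetic simple; the shape of the result, that there is a latency beyond which the controller can no longer save the segment, is the point.

```python
def simulate_segment(latency_s, setpoint=120.0, rupture_at=200.0, duration_s=120):
    """Toy one-second-step simulation of a blocked pipeline segment.

    A downstream valve has just closed, so pressure rises 5 units per second.
    The controller asks for a relief path to open whenever pressure exceeds
    `setpoint` and to close again once it is back at or below it, but each
    command takes `latency_s` seconds to take effect (a sluggish SCADA system
    means a large latency). The relief path bleeds 15 units per second while
    open. Returns the peak pressure and whether the weakened pipe exceeded
    `rupture_at`. All constants are assumptions made for this example.
    """
    pressure = 100.0
    peak = pressure
    relief_open = False
    pending = []  # (time the command takes effect, desired relief state)

    for t in range(duration_s):
        # Commands whose latency has elapsed are applied first.
        for cmd in [c for c in pending if c[0] <= t]:
            relief_open = cmd[1]
            pending.remove(cmd)

        # Physics for this second.
        pressure += 5.0
        if relief_open:
            pressure -= 15.0
        pressure = max(0.0, pressure)
        peak = max(peak, pressure)
        if pressure >= rupture_at:
            return {"ruptured": True, "peak": peak, "rupture_time_s": t}

        # Controller: request a change of relief state unless the same request
        # is already queued and waiting out its latency.
        want_open = pressure > setpoint
        if want_open != relief_open and not any(c[1] == want_open for c in pending):
            pending.append((t + latency_s, want_open))

    return {"ruptured": False, "peak": peak, "rupture_time_s": None}


def max_tolerated_latency(max_latency_s=60, **kwargs):
    """Largest control latency (whole seconds) the segment survives in this model."""
    safe = None
    for latency in range(max_latency_s + 1):
        if simulate_segment(latency, **kwargs)["ruptured"]:
            break
        safe = latency
    return safe


if __name__ == "__main__":
    for latency in (2, 15, 16, 30):
        print(f"latency {latency:2d}s -> {simulate_segment(latency)}")
    print("largest survivable latency:", max_tolerated_latency(), "s")
```

With a two-second response the pressure peaks at 130 and settles into a small oscillation around the setpoint; at sixteen seconds and above the pipe reaches the rupture threshold before the relief command is ever applied. The lesson for anyone operating a control system, industrial or domestic, is that the response time of the control loop is a safety property, and anything that degrades it, whether a badly timed maintenance job or an intruder loading the system, deserves the same attention as the sensors and valves themselves.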

Home SCADA

The IoT has introduced SCADA to the home. Our houses and our families are now subject to the same kinds of attacks and hazards that affect a petroleum pipeline or a hydroelectric plant. Unfortunately, IoT designers have often left security holes in their rush to convenience. These flaws have given hackers opportunities for a new range of malicious exploits. For example, some heating systems now have interfaces that turn the heat up or down in response to a message that arrives over the Internet or a cellular network. If a hacker breaks into the system and fiddles with the controls, they might be able to adjust the controls to overheat the heating unit and start a fire.

Alarm systems and webcams are also personal systems that are opportunities for interference. The hacker can break into the control mechanisms for the devices. Alarm systems can be disabled or made to set off false alarms. Webcams can be used for spying. This applies to all webcams, including those used for surveillance or nanny cams that are used to monitor babies and children. These security devices can themselves be insecure.

In the last few years, more and more automobiles are connected to the Internet while they are driven. If a car is connected to the Internet, hackers will eventually discover ways to break in. When they do, they will be able to compromise the vehicle’s SCADA. Who knows what they will be able to do?

IoT has tremendous potential. Computerized remote control is efficient and convenient. Using SCADA technology can make life easier while consuming less energy to achieve more. Computerized control never daydreams and its reactions are never dulled by illness or a poor night’s sleep. But computerized control is also a threat because it can be sabotaged remotely. An unsecured system can be pwned and twisted to the purposes of an invader. The results may not be the equal of the Bellingham pipeline explosion, but they can be devastating to an individual.

Personal Sabotage

Computer systems have improved since the Bellingham pipeline catastrophe, but the enormity of the damage cannot be forgotten and the evidence that cybercriminals could have caused the catastrophe is still troubling.

Hackers can cause disastrous physical damage when they attack industrial systems, but they can also cause damage when they attack personal computing devices. Even script kiddies know how to render a computer unbootable by deleting critical system files. With more skill, a hacker can stop the system cooling fans, force the processor into an overclocked mode, and overheat the processor to the point of destruction.10

Another way to damage a system is to replace device drivers, the software that communicates between an operating system like Windows or Linux and hardware such as keyboard or network interface cards. The keyboard driver could be modified to record keystrokes and the network interface could record network communications. For sheer annoyance, a derelict mouse driver could scramble messages causing the mouse to work in reverse or exhibit other strange behavior.

The data stored on a computing device is a wonderful opportunity for destructive mischief. A subtle hacker might change file contents to do damage that would not surface until long after the break-in. One example is logic bombs. These are chunks of code that are designed to do something, usually malicious, under specified conditions. A mild example is a logic bomb that would trigger posting an offensive Facebook message. The trigger could be a date and time, a message from the hacker, or a complex combination of factors, like a call from a certain number on a smartphone, the outdoor temperature, the time of day, and a text from the FBI. Depending on the likelihood of meeting the conditions, a logic bomb can lie dormant for years.

Invasion of Privacy

Privacy is not a constitutional right in the United States. The United States Constitution does not contain the word privacy and there is no explicit right to privacy defined there. The current interpretation of the right to privacy is based on inferences from several amendments, including rights to free speech, due process, and strictures against unreasonable searches and seizures. It is also derived from statutes and common law.

Although privacy is not a constitutional right, it is well established. Today’s legal concept of the right to privacy comes largely from an influential Harvard Law Review article written by Samuel D. Warren and Louis Brandeis in 1890.11 Brandeis and Warren collected concepts and precedents and combined them into a statement of the right to privacy that has been accepted by the legal community, including the Supreme Court. The Warren-Brandeis article was written in response to new technology and business practices that were appearing at the end of the 19th century. They argued for extending traditional protections to provide protection from a new environment. They maintained that previous legal protection against trespass, libel, and other personal invasions would not adequately protect individuals from threats to privacy arising from business and technological innovations of the day such as sensation-seeking newspapers and predatory photographers.

Warren and Brandeis formulated several principles that underlie the concept of privacy. Privacy rules do not stop publication of material that is of general or public interest. This principle distinguishes private from public, but it can be difficult to apply. For instance, some facts of a public official’s life may be of public interest, but the same facts of an ordinary citizen are not of public interest. Warren and Brandeis use the example of a private citizen who cannot spell. This, they say, is private and not of public interest, but the spelling skills of a member of Congress are of public interest.

Other principles include that when individuals publish facts about themselves, the facts, no matter what they are, are no longer private. Revelations made in court or other public bodies are also not protected by privacy rules. The truth or falsity of published material does not affect privacy rights, nor does the presence or lack of malice affect the right.

Although privacy has been established as a basic right, distinguishing public and private is still subject to controversy. Should the government have the right to peek into personal emails to identify terrorists? And what constitutes intrusion? One view says surveillance by a human is forbidden but a computer algorithm that scans email for suspicious patterns should be permitted. Others say that an algorithm is the same as a person. Others argue that viewing any aspect of information that is not explicitly public is a violation of privacy rights. Other questions revolve around due process. Is a search warrant adequate to allow law enforcement to examine any computer file? Are there circumstances under which officials may conduct secret searches of computer records without the knowledge of the owner? These are difficult questions that are still to be determined.

Statutes from several states define computer invasion of privacy explicitly as the intentional and unauthorized use of a computer or computer network to examine certain kinds of information. The information protected varies from statute to statute, but typically includes employment, health records, financial, and identifying information. The penalty for violation of the statutes also varies; some class the violation as a misdemeanor, others class it as a felony.

Identity Theft

Identity theft is using the persona of another person without their permission. It has many criminal uses, but it begins with collecting identity credentials for a victim and using them fraudulently.

Credentials can sometimes be obtained legally from public sources. Identity thieves can be creative and diligent in mining public sites for information. Social security and driver’s license numbers are the two foundations for establishing a fraudulent identity. Payment card numbers are also used. An account name and password for a banking site may be all that is needed to set up a new credit card unknown to the real owner.

Personal details are useful secondary information. Posts on social media such as Facebook are one source. For example, birth dates are often part of establishing identity and these frequently appear in social media. Names of children, other relatives, and friends can all help build a convincing persona. Real estate purchase dates and prices often appear on real estate sites like Zillow. Public court records often contain useful facts for establishing credentials . Identity thieves also look through trash and paper mail searching for useful information.

Sometimes facts are stolen. Hacking into personal computing devices is one way of obtaining credentials; hacking into government and enterprise computers and stealing information wholesale is another. There is a ready market for stolen identity credentials. Often the identity thieves buy stolen credentials rather than steal themselves.

According to the Federal Trade Commission,12 the most common use of identity theft is tax fraud, which soared from 2014 to 2015, increasing from 32% of identity theft crimes to 45%. Typically, a criminal will file a fake tax return for a large refund in a legitimate taxpayer’s name using stolen credentials. When the victim files their legitimate tax return, it is rejected as a duplicate. At that point, the legitimate taxpayer is out their refund and the identity thief has cashed the refund check. Unchecked, the legitimate taxpayer could be penalized for the fraudster’s unjustified refund. This kind of fraud was made easier by unintended consequences of efforts to speed refunds. To succeed, the thieves must file the fraudulent return before the victim, or the return will be flagged as a duplicate and carefully examined. If the refund is prompt, the thief is likely to have cashed the refund check before the legitimate return is filed. Apparently, in the interest of prompt refunds, the IRS has also been less thorough in verifying the supporting documents such as W-2 forms before releasing the refund, which has reduced the likelihood that the thief will be caught. Getting the jump on the criminals and filing tax returns early is a useful defense against tax fraud of this kind.

A stolen identity has uses other than tax fraud. Opening a line of credit or credit card under a stolen identity is also common. In order to secure a new credit card, an applicant must convince an officer of the credit-granting organization that they are deserving of credit. That decision usually is confirmed by an authentication of identity and an adequate credit history. If the thief can authenticate himself as a person with a good credit rating using fraudulent credentials, the thief gets the line of credit, typically in the form of a new credit card. At that point, the thief charges the credit card to the limit and exits the scene. The person whose identity was used gets the bills.

This is different from using stolen payment card information and is potentially much more dangerous. Stolen payment card crimes are usually relatively easy for victims to resolve and the card holder almost always suffers little or no loss. Usually the organization extending the credit must pay the bill and the victims go on their way without much damage.

A stolen identity is more difficult to prove and remedy. The process can go on for years and the victims are plagued with one sting after another.

Fortunately, access to credit ratings is controllable, although exercising the control involves phone calls and tedious paperwork. A potential victim can freeze or put a fraud flag on their credit record. A fraud flag or freeze will prevent the thief from getting new credit cards or other loans. There are only a small number of well-established credit rating agencies (four at the time of this writing). These agencies usually keep each other informed of freezes, but it is best to check whether a freeze has been propagated. When potential victims fear identity theft, they can contact the credit rating agencies and ask that their credit be frozen. No access is granted to a frozen account until it is unfrozen. A respectable credit-granting agency will not grant credit without access to credit reports, so the thief is blocked from new lines of credit. Some states mandate free credit freezes when credentials are stolen; other states do not regulate fees for credit freezes. In most cases, credit freeze fees are worth the peace of mind they bring.

Security experts say that freezing credit stops the consequences of identity theft better than the credit monitoring services that are offered as free compensation by breached organizations like Target in 2013.13 Credit monitoring services inform the victim after suspicious activity in their name, but they do not stop the activity. The victim is still left with paperwork and hassle to recover their stolen identity. When victims are offered free monitoring, they should by all means take the free offer, but still get a credit freeze or fraud flag.

Some people who feel they are especially vulnerable to identity theft freeze their credit continuously, renewing the freeze each time it comes due. They unfreeze and immediately refreeze when they execute a transaction that requires a credit check.

Identity thieves use stolen identities for many purposes: to avoid prosecution for crimes, to hide medical problems, to fraudulently obtain medical care, and to falsify employment records or credentials. The list is long, and after an identity is stolen, each of these possibilities may require different actions to straighten everything out. Regaining a stolen identity is often a long, hard path. The Federal Trade Commission provides some help on a website that helps victims of identity theft enter a report and formulate an individualized recovery plan, but executing the plan is left to the victim.14

Sorting Out Data Loss

An inventory of the valuable data stored on a personal computer, laptop, tablet, or smartphone is an important aid in damage control after an invasion. You will need this information to plan for recovery. At the moment you are hacked, you should not scratch your head and wonder what your devices hold that can be exploited. Most people are busy enough eradicating the malware that has been planted on their computer. There is not much time or energy for working out a list of people and institutions to inform and countermeasures to take to avoid or minimize financial or reputation loss.

An inventory does not have to be elaborate to be useful. Prioritization is important. Everyone has their own priorities, but a few questions are crucial:

  • What is on the device to be lost?

  • How hard will it be to replace the loss?

  • Can the loss contribute to identity theft?

  • What damage could the loss do to reputation?

For most people, the first question will be about money: compromised bank accounts and other financial sites. A victim’s best interest is to inform these institutions as soon as possible. They can activate their damage control systems and minimize the damage to you. What you don’t want to happen is to forget to inform a bank or a retailer in the excitement. A plan for responding to a successful computer invasion can avert frustration and grief.

Surely the most difficult things to replace are personal photographs. Hackers are not likely to bother to permanently delete data like photographs, but it is possible in the aftermath of a ransom attack. Financial records stored in computer files may also be hard to replace. Documents such as building plans may also be important. Legal documents , such as contracts, may be nearly impossible to replace unless they are registered with the courts.

With all the use of online materials today, the inventory can be large. Recovering materials lost in an invasion can be impossible without reliable backups . By identifying the important materials in your inventory , you can quickly identify your losses and make sure your backup is safe. Also, a listing of irreplaceable or hard-to-replace materials ought to prompt you to verify that your backup system is backing up the right files.

In addition to losing dollars and cents, and treasured documents, losing identity, reputation, and self-esteem must be considered. We think of our computers as private, but hacking turns them public. You should have a plan for warning your friends and relatives that they might receive spam or strange emails that look like they came from you. You can let them know that they could be sent by a hacker and you can explain that they should neither believe nor act on them. This will increase your chance of avoiding embarrassing or damaging consequences.

For example, if you tell your boss about a break-in before the repercussions begin to fall from the sky, you may be able to explain away the venting email, using ill-chosen words, that you sent to a friend and the hacker passed on to her. At least you could get some credit for stepping up to the problem instead of running from it.

The best strategy for controlling damage after an invasion is to act fast. If you know which credentials could be stolen, you can act faster. When stopping identity theft, even hours count, especially now that loans can be applied for online.

Computer as Target

Personal computing devices present a big target to cybercriminals. The virtues of computing devices are also their vulnerability. Most possessions have a single or only a few uses. A car is driven on roads and highways to transport us from place to place. We preserve perishable food in a refrigerator. Cars will not dig up your water pipes or clean your swimming pool. Refrigerators do not mow lawns.

Compare these with a personal computer. A moment ago, I checked if a prescription was ready at my pharmacy. Now I am typing a draft of this chapter. A few moments before that I downloaded a project management application to manage progress on writing this book. Yesterday, I ordered and paid for a book and a part for my tractor from an online retailer. My wife went online to our bank to transfer money into a special account. Years ago, I built a system to run on a personal computer that turned on the lights based on the weather report and the time of sunset.15

Cars and refrigerators are comparatively easy to protect from accidents or crime. If you drive carefully and keep your car locked, you have erected reasonable barriers to trouble. A refrigerator is even easier to protect because it doesn’t venture outside your house or apartment, so the same steps you take to secure your living space take care of your refrigerator.

In contrast, each task we do on a computer uncovers new vulnerabilities. Some of these vulnerabilities, like access to health records and banking, can be dangerous, and lucrative to criminals who try to take advantage of these weaknesses. Even the tasks that seem innocuous, like opening a document in a word processor, can be dangerous. Macro viruses are common; they live in the automatic macros that most word processors support in documents. An infected document can make changes to the computer and invite worse invasions.

The project management application I recently downloaded had a nasty Trojan embedded in the installer. Lucky for me, my antivirus software detected it immediately and quarantined it. My computer could have been pwned. However, I don’t think I was lucky. Catching that Trojan was the result of a plan and caution. The project management software was from an open source group that I was unsure of, so I scanned the installer before I ran it. That was being aware and taking action.

When you know that your personal computer, laptop, tablet, and smartphone are all targets, you can take steps to stop the criminals. They may still get you, but not nearly as often.

Footnotes

1 Apple, for example, has fostered an image of invulnerability. Linux is sometimes claimed to be invulnerable also. Security experts disagree. All platforms are vulnerable. For example, see Gary Davis, “Mobile Myths: Can My Apple Devices Get Hacked?” McAfee Blog Central, Feb 15, 2013. https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/mobile-myths-can-my-apple-devices-get-hacked/. Accessed March 2016. On the Linux side, see Paolo Rovelli, “Don’t believe these four myths about Linux security,” Sophos Blog, March 26, 2015. https://blogs.sophos.com/2015/03/26/dont-believe-these-four-myths-about-linux-security/. Accessed March 2016.

2 Richard Winton, “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” Los Angeles Times, February 18, 2016. www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html. Accessed February 2016.

3 Violet Blue, “CryptoLocker’s crime wave: A trail of millions in laundered Bitcoin,” ZDNet, December 22, 2013. www.zdnet.com/article/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin/. Accessed February 2016.

4 Brian Krebs, “‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge,” Krebs On Security, June 14, 2014. http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/. Accessed February 2016.

5 Liviu Arsene, “Android Ransomware and SMS-Sending Trojans Remain a Growing Threat,” Bitdefender Labs, January 2016. http://download.bitdefender.com/resources/files/News/CaseStudies/study/85/Android-Malware-Threat-Report-H2-2015.pdf. Accessed March 2016.

6 For a more detailed technical description of what CryptoLocker does, see Octavian Minea, “Cryptolocker Ransomware Makes a Bitcoin Wallet per Victim,” Bitdefender Labs. https://labs.bitdefender.com/2013/10/cryptolocker-ransomware-makes-a-bitcoin-wallet-per-victim/. Accessed March 2016.

7 The Security Ledger, “FBI’s Advice on Ransomware? Just Pay the Ransom,” October 22, 2015. https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/. Accessed March 2014.

8 I have lived in the Bellingham area all my life. I have a distant connection to the two dead boys. Reading between the lines as a software engineer, the NTSB report was tragic. The innocence of the victims was crushing.

9 National Transportation Safety Board, “Pipeline Rupture and Subsequent Fire in Bellingham, Washington June 10, 1999.” www.ntsb.gov/investigations/AccidentReports/Reports/PAR0202.pdf. Accessed March 2016.

10 Overclocking is running a processor at a greater speed than its specification, which causes the processor to generate more heat. Many processors have settings for overclocking, but the chip manufacturers warn against it. Computer game enthusiasts overclock their computers to improve performance, but they add extra fans and other cooling devices to protect the processor from overheating and burning out. Overclocked and undercooled processors can be served with nachos, although they are neither tasty nor healthy.

11 Samuel Warren, Louis Brandeis, “The Right To Privacy,” Harvard Law Review, Vol. IV, No. 5, December 1890. http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm. Accessed March 2016.

12 Federal Trade Commission, “Consumer Sentinel Network Data Book for January to December 2015,” February 2016. www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2015/160229csn-2015databook.pdf. Accessed March 2016.

13 Bruce Krebs, “How I Learned to Stop Worrying and Embrace the Security Freeze,” Krebs On Security, June 15, 2015. http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/. Accessed March 2016.

14 Federal Trade Commission, “IdentityTheft.gov.” www.identitytheft.gov/. Accessed March 2016.

15 On cloudy days, the lights went on a few minutes earlier.
