David Papp - Tech Expert, Creator, and Entrepreneur will take you for a tour of the tech landscape and open your eyes to the world of Cybersecurity. In the modern age of Synthetic Snake Oil, David will share the scams, ploys, and traps used by the unscrupulous and unethical to take control of your s…
Your reasons for deleting Instagram can be numerous, but there are a few steps and some considerations to make before pressing the big red button. If you’ve been listening to the previous episodes about deleting social media accounts, it should come as no surprise that pressing the delete button only starts the process rather than instantly removing your account. What’s also worth noting is that since Instagram is owned by Facebook, there are two options that Instagram has: deactivation and deletion. Deactivation of course means that your data will still be lingering around and Instagram can still use it to sell you stuff. Another consideration to keep in mind is that you are unable to get access to your photos, videos, likes, comments, followers, and posts. The exception is if you deactivate your account, in which case you’ll be able to recover that data should you reactivate your account. The other consideration to make is that when you delete your Instagram account you can’t sign up using the same username or email address again. Much like Twitter, you can change your handle at any time too, so no worries there if you plan on coming back. The final consideration is to make note that you can always turn your account private. If your concern is restricting who can see your content, but you are torn on staying or leaving, this could provide the best of both worlds. Deleting your Instagram account is a simple process. It all starts by logging in, going to your settings, and going to the delete page. Once there, you’ll need to provide a reason, your username and password. After that, you’ll need to re-enter your password and start the process. If you don’t want to delete your account and prefer to deactivate it, the process is similar. Go to your profile and click edit profile. In there, you should have an option to temporarily disable your account, which is at the bottom of that page.
Just like with deleting your account, you’ll need to re-enter your password and provide a reason as well. To reactivate your account is as simple as logging back in.
Unlike Facebook, Twitter makes deleting your account an incredibly straightforward process. Your reasons for deletion can vary, but to delete a Twitter account all you need to do is go to your settings, and at the bottom of the page there is an option to deactivate your account. There are a few other steps like entering your username and password again, but that’s a safety measure. What’s more important is the considerations revolving around your Twitter account. First off, like Facebook, you can stop the deletion process by logging into your account within 30 days of pressing the deactivation button. But even after deactivating your account, people can still find your account and previous tweets. This suggests that while you no longer have an account, your information is still on the internet for a lot longer. So if you deleted your account to remove specific tweets, you might be better off finding the tweets in question and deleting them directly. Secondly, after you delete your account, you have no opportunity to rejoin Twitter using the same account. What this means is you can’t use the same username nor can you use the same email address. So if you ever plan on coming back to Twitter, make sure to change the email address and username of your main account before deleting it. Naturally if you come back using a new account you won’t have the old tweets, followers, images, or lists. The final consideration I’ll make is that if your reason for deleting your account is to change your username, don’t bother deleting your account. One of the warning bullets that Twitter shows before you start the deletion process reads that you can change your handle automatically. Twitter has therefore made it possible for people to change their usernames on the fly with no worries at all.
Over the years Facebook has done a lot of questionable things. There’s been the 2016 scandal with Cambridge Analytica and more recently Facebook has admitted that it’s been used as a disinformation tool and allowed people to run fake political ads meant to sway voters. On top of that, Facebook has turned into a tool where a lot of information is passed around and Facebook is profiting from it in a big way. It’s to the point that people are uneasy, or angry at Facebook and want to delete their account. While those feelings are certainly warranted, Facebook has not made it easy for us users to delete our account. First of all, Facebook has two methods for us to remove ourselves from Facebook: deactivation and deletion. And while you’d think both of those options are the same there is a huge difference. Deactivation is the process which opens up the possibility of you coming back with all your data intact. Deletion is the process of permanently removing your data from Facebook and is a time-consuming process. It’s also worth noting if you deactivate your Facebook account, Facebook makes all of that data available, even if you never return. That means Facebook still profits from your data even though you’re not using it. Naturally Facebook pushes the deactivation feature more over permanently deleting your Facebook page, but to delete your Facebook account requires a bit of digging. First you click on the arrow in the top right corner and click on Settings. From there click Your Facebook Information followed by Deactivation and Deletion and the Delete Account and follow the steps there. The steps are simple, but that only starts the deletion process. Facebook doesn’t immediately delete your Facebook account. According to their data policy, if you log in within 30 days you can cancel the process. On top of that it’ll take upwards of 90 days for the process to be fully complete. 
Even after 30 days of the account being deleted you can somehow log into that old account, which makes no sense. Some other considerations to have before deleting are the fact that you can’t get access to your photos, videos, and messages. You’ll no longer be able to use Facebook Messenger, and some information will still be visible even after you delete your account. Most of that data is messages you sent to people at the time. That being said, the data can be salvaged if you consider Facebook’s backup feature. We’ll be seeing similar themes through the other social media platforms when it comes to account deletion.
Are you the type of person who has a smartphone crammed with various apps that you don’t use? Or are you the kind of person who will delete apps after you’ve grown bored of them? Whatever the case is, I bet when it comes to deleting those ancient apps, all you do is move the icon to the trash or tap on the x in the corner and purge it from your memory. But for right now, I want you to go back and think back to those apps you deleted. Because how you deleted those apps was all wrong. In many cases with apps, you have likely left an entire account on there: an email address, and maybe a connection to your Google or Facebook account and even a date of birth. Personal data that can be easily taken even though you have removed the app. The reality is that whenever we decide to remove apps from either our phone or computer, there is still data lingering. Yes, whenever you delete apps you are removing all the data you had on that app and it won’t collect any more. However, the data that was used to give you access is still on a virtual cloud collecting dust somewhere. In cases where no login data or other personal information is needed, you’re safe to delete it with no worries. However, not all apps are like that. They want date of birth, locations, details to various questions and potentially more. The thing is, though, that app developers will keep that information unless you tell them to delete it. Why they do this is obvious. Apps are all about gathering information so they can provide convenient functions for you. So the reason they hold onto your data after you delete the app isn’t malicious. Their true intentions stem from revenue. As you know, app developers can make money by selling the information to various advertisers, which in turn will target you with various ads. All of this stuff is outlined in apps’ privacy policies, though they mention it in the most roundabout way.
And so if you decide to only delete the app, the app developers can still sell that information in the event that you needed personal info in order to use their app. I don’t know about you, but that’s more than enough reason to let them know you want your account details removed when you go to delete an app.
From having a Virtual Private Network to taking extra measures with two-factor authentication, one might think that I’m a bit paranoid about security. I’m sure it’s pretty obvious since some of my advice in previous episodes has been teetering on the edge of saying to never trust anyone outside of your immediate circle ever again. It may sound like that, but what I’m suggesting is that people do take some measures to better secure themselves. Having some level of paranoia can provide some distinct benefits in terms of cybersecurity. For one, the Internet is massive and has provided all kinds of opportunities. Some of them are good, but in some cases it’s really bad. As I’ve said before, there have been countless breaches and all kinds of information is placed at risk as a result of those breaches. A lot of people’s virtual identities have been demolished due to people’s and companies’ disregard for privacy or for exercising security measures. Second, while being paranoid is often seen as a negative thing, being a little paranoid can keep you on edge. And that level of discomfort can pay off drastically. Yes, it’s not seen as a good state of mind on the surface, but it can help you to exercise caution and take measures into your own hands. It’s why I recently talked about why it’s worth seriously considering other more advanced security measures. After all, there is a good chance that even secure sites will get breached and you’ll need to find ways to protect yourself. The final argument I have for why paranoia helps us is that it’s another security measure in and of itself. As I’ve suggested above, being cautious of things around us will push us to be more proactive. We will consider advice like tightening up our security further rather than brush it off. In a sense this also changes our overall approach to relationships. We place barriers up and in a sense that can enhance relationships as it takes more effort for us to trust people.
My point is that while paranoia can be blown out of proportion, having some of it in our lives can help us in many cases. It forces us to look at our security, but also the relationships that we have. We can assess the quality of certain measures and have second thoughts on our actions and who we trust. So stay paranoid, it may come in handy sometime.
Another security measure I’ve talked about is two-factor authentication. Paired up with a Virtual Private Network (VPN), you’ll have tighter security than most people. But while there’s been a lot of talk of two-factor authentication, this technology is not really anything new. This technology has been around for a long time but is now coming to the surface because of the number of attacks and breaches we’ve gone through, both on a business and individual level. So why are people talking about this technology? Well, what I mentioned above is part of the reason, but it’s also worth looking at other considerations.

First, the one-factor authentication method is questionable. This is the typical “provide a username and a password.” It’s easy and convenient, but from a cybersecurity standpoint it has many drawbacks. A password, as we’ve seen, is only as strong as we make it. If it’s an obvious password, people will crack it. Even if your password is a bunch of mixed numbers and letters, if you use the same password across multiple sites, people can access a lot of information if they ever crack it. What’s also worse is that many sites offer convenience by allowing users to click on the “keep me logged in” button. This too is convenient but poses dangers as that action stores a cookie on your computer with that information. This makes it easier for hackers to get into your computer and get access to all of the passwords.

The second consideration is, as the name suggests, that two-factor authentication provides another layer of security. It can be displayed in three ways:

Through knowledge: something only you know, like a username and password.
Through possession: something you have on your person physically. Examples are a security token, your phone, a PIN, or a card.
Through inherence: another physical attribute of yourself. A fingerprint or another biometric trait.

The final consideration is the ample benefits that two-factor authentication provides.
Outside of the additional layer of security, businesses and individuals can get other benefits like:

More productivity and flexibility: While you do have to go through an extra step to get access to anything, what step you have to take is up to you. Not only that, but knowing that the site or network is more protected can ensure you fill it with sensitive information.
It lowers costs: On a business level, having two-factor authentication can cut costs in tech support and help desks. Why? Because most of the calls to those areas stem from password resets. With two-factor authentication, it’s easy to use other measures of gaining access to other areas outside of a password and usernames. For individuals, this measure can block out hackers and others who could take advantage of you by cracking passwords.
Lowers fraud: And naturally, two-factor authentication will make it tougher for hackers to get into your accounts and commit fraud or identity theft.

Because of these distinct aspects and perks, it’s well worth considering tightening up your security in this fashion.
One of the best decisions that you can make to protect yourself when browsing the internet is using a VPN: a Virtual Private Network. I’ve mentioned this here and there in some of my strategies but have yet to explain them and just how powerful these are. For starters, VPN technology all started when people wanted to protect their online activities and to maintain online confidentiality. Because of this goal, a VPN is the precise answer to that desire and thus it’s built specifically for that purpose. From this, it’s easy to see where you can get a VPN. That is through several businesses online that provide this tool. As soon as you buy it though, you’ll notice a lot of other distinct advantages. Here are some of them. Firstly, you’ll have enhanced security. A VPN’s job is to encrypt data and keep it secure, and it does that extremely well. But some other advantages you might not have thought of are things like remote control and the ability to share files. Companies can get a VPN and use it to store information that can be accessed remotely. On top of that, you can share data for extended periods of time. It’s kind of like having your own personal cloud you can access in certain places and share with whomever. Another advantage is that you can bypass filters and unblock websites. If for some reason you were blocked by a website, a VPN allows you to bypass that. The same applies to Internet filters. This isn’t so common in the West, but this gets a lot of use in Eastern countries where censorship is rampant. As an extra measure you can even change your IP address to another country. And finally, having a VPN will also improve efficiency and bandwidth of the network. Not only that, but it can also reduce costs too. By default, VPNs are not that expensive to maintain. And if you look to a service provider, you won’t have to worry about constant surveillance or setup. A VPN is great for those who want more security and to protect themselves from hackers.
By having a good VPN, you’ll not only improve your security, but also your overall internet experience.
Even if people are staying on top of fraud, it doesn’t mean it doesn’t happen. Around the world, people are losing millions every year from these scams. Fortunately, there are many practical ways for us to work around these scammers.

As a general rule, never give out money or personal details to an unexpected request through any medium. As I mentioned last episode, scammers will do anything to make their pitch seem believable and to get people to act quickly without thinking.

Second tip is to do online searches. While the scammer is talking to you, they’ll scam you through various ways. Some of it can be selling products, services, or investment opportunities, or they may drop a company name. Make a point of searching the name of those items or company. You can also search their number to see if other people in the past complained about that number.

Third is to not believe in caller ID. While people saw that as a helpful feature in the past, scammers now use it to mask who they are and appear believable. Don’t fall for it, and make a point of hanging up if you answer and they start asking for money or personal details. If you think they are telling the truth, use a genuine number.

Fourth is to exercise caution when dealing with people you meet online. Scammers use all kinds of websites to mask themselves. Take some time to get to know them and don’t give them your trust fully. Again, scammers want you to trust them and that is the key to them conning you.

Finally, whenever you’re making purchases online, make sure the site you are going to is secure. That means it has the https at the beginning or is identified by a lock. But don’t settle with that. As I mentioned before, do some online searches, look at reviews and dig in deep.

Remember, scammers get caught when we don’t act on our impulses and consider things thoroughly. Exercise caution with phone calls, do some research, and gain control of the conversation by taking things slow.
In my last episode I mentioned the recent jury duty scam and that we are handling these scams better. This much is true when you look at some of the statistics from the past two years revolving around scams. The biggest money maker for scammers last year was bogus investments. This scam is where scammers promote false or misleading opportunities that offer insanely high returns. I could go on about the various scams, but you can kind of see a pattern here. While the amount of money is definitely frightening, the number of victims is smaller. It is noted that more and more people were becoming aware and reporting more complaints. But in my eyes progress is progress and, like I said last episode, the fact more people are calling fraud centers is a good step forward. However, this isn’t a reason to be complacent. If there is anything we’ve learned from the jury duty scam calls, it is that scammers are refining their pitches, using more technology to make these pitches more believable. Scammers are aware of top security questions and spend time researching people and no doubt have put together a sort of file on you based on what they’ve found. That information is stuff they collect over the years and is highly valued. So much like a marathon, don’t stop right now and keep going. It’s a long battle, but the training and the diligence will pay off in the long run.
The familiar scam now has a new twist. Instead of receiving false emails that you’ve been summoned to court for your “misdeeds”, the calls now focus on the fact that you missed jury duty for an important case. Earlier in November, the Court of Queen’s Bench of Alberta in Canada issued a warning that people were receiving these automated phone calls pertaining to this particular scam. Darryl Reuther issued the warning stating “What we want people to know is that under no circumstances does the court ever conduct robocalls or automated phone calls for any purpose.” He goes on to say “If you receive one of these robocalls relating to jury duty, or an allegation you’ve failed to appear in response to a summons for jury duty, that is a scam and is not a call from the Court of Queen’s Bench of Alberta.” But this new scam isn’t only in Alberta. Reuther noted that this scam has been appearing elsewhere, seeing as the courts there have posted a similar warning to this one. Another interesting aspect though is that at no point is there a prompt for money. Compared to those familiar emails about being accused of something, where the demand for money was pretty clear, in the case of these automated calls no such request was there. Reuther’s theory, though, is that once you make contact with whoever set up the robocall, that’s likely where money will start being asked for. The caller is banking on people getting flustered and wanting to argue with the “court” that the accusation is unfounded. If you receive any of these calls, hang up and report these calls to an anti-fraud center. Regardless of the situation, how this scam is handled was significantly better than in the past. And while that pushes scammers to be craftier, it also means that people are catching on to how much of an impact these nefarious tactics have.
Cybersecurity is a joint responsibility. It’s like a chain where it’s only as strong as the weakest link in that chain. As such, you want to make an effort in keeping security tight and staying up with trends and potential security threats. With that in mind, here are some tips to keep in mind for various scenarios.

One tip is to have a run over of various cybersecurity terms. This is particularly geared towards kids who frequent social media often, and that trend isn’t dying down any time soon. This is important because, as we’ve learned, social media isn’t as solid as we thought it was, so it’s key to stay up to date with all kinds of trends. Examples of things to cover are terms like catphishing (people posing as a trusted individual to lure kids into doing something they shouldn’t), and spoof ads and polls. Also talk about the implications of posting personal data like current location and how that can be a threat to personal privacy.

Another area to cover is general mobile security. A lot of people have smartphones or have access to one. Therefore learning about this can be helpful too. Topics to cover are:

SMiShing - That’s text/message phishing. Cover how to identify it and what to do.
Apps - Discuss safe app choices and reinforce the importance of reviewing apps and getting them from verifiable sources. Also oversee app choices too.
Messaging apps - Oversee messaging chat groups, especially if your child is younger. With older children, tell them about the potential threats of new people joining messaging groups.
Bluetooth/AirDrop (or other sharing connections) - Reinforce the habit of keeping them on only when you’re using them and turning them off when not in use.
Public WiFi - Talk about Virtual Private Networks and why they’re important.

One other topic to cover is smart toys. Now smart toys have gotten a bad rep lately with many exposing private data to the public. Needless to say, there still needs to be some tweaks to them.
That being said, it’s not going to stop people from getting them. In this area, I’d exercise caution and do some digging first. When considering smart toys, consider the following:

Ensure the manufacturer has both security and privacy policies in place.
When you have the toy, turn it off when you’re not using it.
If the manufacturer allows it, change the default password to something else.
Check your home router and make sure it’s secure. If you can, have the router with two-factor authentication.

The final topic is identity theft. Even if the average kid isn’t wealthy and depends on their parents, it doesn’t mean they are immune to identity theft. Teaching kids to be cautious and to identify online and offline threats is important. Of note, discuss the following topics:

Password hygiene - the benefits of changing a password regularly and talking about the dangers of sharing passwords with others.
Phishing - the different kinds of phishing and how to identify them.
Monitor - whenever you can, keep an eye on the accounts that children have access to. Keep an eye especially on bank accounts.

There are all kinds of ways for us to better protect ourselves. But teaching our kids these important lessons can help to breed better habits for them on security. On top of that, these tips are also good for any person. Learning about these areas yourself will also encourage children to pick up these habits as well.
The purpose of training employees on cybersecurity is to alter habits and behaviors around certain circumstances. When you are training people, keeping them informed is one thing, but there are other tactics we can employ to ensure they get the training they need. One way to ensure this information sinks in for people is to consider these tactics for all employees. First, make the training mandatory for all new employees regardless of department or job description. You want to be creating awareness of online threats and that awareness needs to start on day one. As part of the initiation process, slip a cybersecurity course in there and ensure it covers all the key topics. Topics like data protection, internet usage, and other topics like reporting threats. Have all of these in an employee handbook. The second practice is to update and repeat training often. People don’t learn once and they’re done. In order for information to stick, you need to repeat the information on a regular basis. Learning is as much of a habit as us checking our phone first thing in the morning. How you want to cover that material again is up to you. Quiz people, set up surveys, having regular discussions, or go through the program all over again. There are all kinds of methods to consider. But on top of keeping up the training regularly, you also want to be updating the programs too. Remember that hackers are always working on finding various ways to attack people. As such, you want to make sure your information is recent and current to today's trends. The last practice is to give employees authority. That doesn’t mean promoting them on the spot or anything, but rather elevating them and letting them know how important they are. After all, employees are the very first line of defense for any security system. So by getting employee support, and making cybersecurity a core element of your culture, you can better defend against it. 
In order for that to happen, incorporate games to keep people engaged, highlight security training achievements, and provide learning management systems which give employees the power to control their learning. And when there are threats coming that could present problems, issue company-wide emails. Let people know how much their training is going to help them in defending the company. Having strong firewalls and antivirus software is good, but they’re only as good as the people who use the devices. Improve your employees’ training in this area and you’ll see tighter security across the company.
It’s easy to convince people to consider cybersecurity training. If people don’t know how to recognize breaches or threats, how can you expect them to avoid them, report them or remove them? They won’t be able to. As I’ve said in the past a lot of breaches typically stem massively from people. From weak passwords, misplacing devices or leaving computers in public areas, employees are a strong source of attacks. That’s not to say employees are all conspiring to bring business down, but all of the breaches are reminders that strong technology is only as powerful as the people who use it. But the question now is what exactly should employees be trained on? Well I’ve put together a short list of what needs to be known and some key points on the subject. First is to recognize the forms of cybersecurity threats. If you want people to spot them, they’re going to need to know what to look for. Fortunately you don’t need to go into extensive training on the various viruses out there. However it’s key for people to know the basics. What you want to be highlighting is informing people on spam, phishing, malware, ransomware, and social engineering. For these topics include examples, videos, and tips to prevent these sorts of attacks. Second is to cover password security. We need passwords for everything these days and it’s important for us to make the password complex rather than easy to crack. Talk about how important passwords are and that they’re the first line of defense. Third is discussing policies on email, internet, and social media use. Browsing habits can leave companies open to various malicious software if they’re not careful. Talk about why policies are important and why specific rules are placed in them. Better yet, take time to review the current policy you have with your team and discuss changes if needed. Final key topic is identifying threats and being able to report them. Your staff is going to be your eyes and ears. 
All the devices they use can contain clues of potential threats. However, if you want employees to put a stop to those threats, you want to train them. Focus the training on what legitimate antivirus warnings look like, what’s considered spam content, and being aware of when unexplained errors occur and what to do with them. This is only scratching the surface, but having employees with a basic knowledge of these topics can ensure there will be less human error. And even if there is, people will be able to report it and be able to talk about it quickly.
With malware attacks and stolen data being a common theme in today’s society, companies today need to put more effort into informing and educating employees. Over the years that viruses have run rampant, one of the most common themes in those stories is that employees allowed them to run rampant one way or another. They opened an email, clicked a link, or didn’t bother updating their computer. In fact, one of the biggest concerns is people leaving laptops or their mobile in vulnerable places. In the end, people are either your strongest line of defense or your weakest link when it comes to handling these attacks. And even if your defenses are pretty solid, all a hacker needs is to break one link before it all comes crumbling apart. So what can we do to ensure the company we work with is in tip-top shape to handle threats? Well, here are five tips on how we can educate ourselves, employees, and others. First, make sure you communicate clearly the potential impact a breach has on the business, and how bad habits like easy passwords, not logging off your computer, or leaving a laptop in a public area can spell danger. Second, make cybersecurity something everyone has to take seriously. No one is exempt from educational programs. That includes both management and IT staff. Even if those people already know how important it is, having those knowledgeable people in the room can help spark conversation. This also applies to employees who’ve been working with the company for a while, as they likely have more sensitive information compared to greener employees. Third, hold cybersecurity sessions often. Training for cybersecurity isn’t something you do after you’ve been hacked. In fact, that’s the worst time to host a session. Instead, make an effort to hold sessions regularly prior to any attack. These sessions don’t need to be time consuming; perhaps once a month hold a lunch ’n’ learn. Another option is having an online forum where employees can share and discuss information.
You can even consider putting together routine online surveys to quiz cybersecurity knowledge. It’s cheap, quick, and a good way to measure people’s knowledge. The fourth tip is to issue specific rules for social networks, mobile devices, email, and browsing. Encourage a culture of “safe browsing” and caution staff about unfamiliar links or attachments. On that note, if you encourage routine password changes, aim to find a balance. If you get employees to change them every month, they will start writing them down rather than memorizing them. My suggestion is to change your password once every three months at the minimum. Furthermore, don’t make processes so convoluted that you’re making it harder for employees to do their work. If you add too many stops, employees will find other methods to bypass those controls. The final tip is to train employees to recognize and respond to cyber attacks. Give them a channel they can easily reach for anything cybersecurity related, from suspicious emails to unusual activity to losing a device. Even if it’s a false alarm, having an emergency number to contact is reassuring and can stop attacks before they get too big. Even all of these efforts won’t be enough to stop every single threat out there. Hackers continue to find new ways to break into systems. But at the very least, having a more knowledgeable and informed staff can help reduce the risk of human error causing breaches.
Outside of downloading or buying some ransomware protection, there are other ways for us to fight back against ransomware and protect our data. While a lot of the attacks target small businesses, we as individuals aren’t immune to scam operators and their ransomware attacks. Before delving into the methods, one thing I’ll make clear is that most of these attacks have happened due to poor protection practices by employees and individuals alike. I’d recommend looking at your overall behavior around protecting your personal information and making changes, but also considering ransomware protection tools. Outside of that, here are some other ways to prevent ransomware. In the event you are targeted by a ransomware attack, never pay the ransom. This funds attackers, and it also doesn’t guarantee that you’ll get those files back. After all, you don’t know the person or where they operate. Why would they give the files back? Make a habit of backing up files. Having a dedicated backup drive separate from your computer ensures you can swiftly recover the lost files with no issue. It is the fastest and easiest way to get your data back. Never provide personal details over unsolicited phone calls, emails, texts or instant messages. If you ever get any of these, make a point of verifying them. In an employee setting (the most common scenario) you may get a call from someone claiming to be from the IT department or some other department. In that case, call up that department and ask around. Even ask fellow coworkers if they’ve gotten these unusual calls. Have at least some level of protection. Ransomware protection is ideal, but having antivirus software and a firewall as well is key. Make sure you get both from reputable companies in the industry. Make a point of content scanning and filtering on mail servers. Make a point of blocking and scanning attachments for known threats. Keep your systems up to date with the latest patches.
These patches normally come with features that work in the background to protect against vulnerabilities that ransomware can exploit. Lastly, if you are ever travelling, contact the IT department first. Definitely contact them if you plan on using public Wi-Fi. When using public Wi-Fi, make sure you have a Virtual Private Network (or VPN) on to better protect yourself.
When people aren’t scamming you through sleazy phone calls, hackers are getting into your computer, locking particular data behind encryption, and demanding money. This type of scam is called ransomware and is one of the largest problems people face today. While ransomware usually targets small or medium-sized businesses, that doesn’t mean it can’t go after individuals. As such, it’s smart for not only average people but also companies to invest in some ransomware protection for their PCs. Here are some of my suggestions. First on the list is Bitdefender Antivirus Plus. For $30 a year, you get solid antivirus software that is packed with all kinds of features that put other security suites to shame. Features include protection from malware, phishing, network threats, ransomware and other browsers. You also get a wallet for passwords, a VPN (virtual private network) to make tracking you practically impossible, and more. Second is Check Point ZoneAlarm Anti-Ransomware. For this protection you’re paying roughly $20 a year and getting a highly effective and robust security system. It monitors and cleans up any ransomware traces in testing and has effectively stopped modern ransomware. The only catch to this tool is that it only focuses on ransomware and nothing else. Webroot is the third tool on the list and serves more as a bundle compared to the others on this list. Webroot comprises Bitdefender, Kaspersky and many others. It bundles everything into a one-year subscription for about $20 a year. All in all, it’s cheap, speedy, and does its job well in providing ample protection. For those who don’t want to be paying any yearly fees, there are some free options to consider. Our fourth option is Acronis Ransomware Protection. It’s free and fights pretty well against ransomware in general. The free bundle offers 5 GB of online backup storage for securing the most important files.
It is also capable of recovering any affected files and can fight against most ransomware. I’d recommend paying for one of the three I mentioned earlier, but if you need a backup, this software can cover it. The final tool I’ll share is Cybereason RansomFree. This is also free and, like Acronis, can fight against most ransomware pretty well, with some slipping through the cracks. In the case of Cybereason, it’s disk-encryption ransomware that it can’t detect. Of course you have to expect some drawbacks since it’s free, but outside of that, it adds another layer of protection and that’s better than nothing.
Even though we use our phones a lot for texting these days, it doesn’t mean we don’t get telephone scams. Some of them take nickels and dimes, but some scams can take our entire life savings. Scammers today will do anything to cheat people out of money, with many posing as government officials. Of course there are other scams out there, but they all follow a similar structure. They claim to work for some company that you trust, or they’ll send you an email asking you to call them or click a link. Even as telephone scams have become more sophisticated over time, there are still some specific characteristics that we can use to identify them. First of all, a scammer will work hard to ensure you don’t think much about their pitch. Their focus is to get you to continue to say yes, or to make you feel a certain way so that you act on those emotions. That being said, even for people who have caught onto that, some scammers go a step further and can provide testimonials or websites to further their claim. They’re fake of course, but they can satisfy those who are thinking a little ahead. Instead of that particular approach, I’d suggest using the following identifiers:

- You’ve been specially selected for a unique offer.
- You’re getting a free bonus whenever you buy whatever they’re selling.
- You won a valuable prize for a contest you didn’t enter.
- You won money from a foreign lottery.
- A low-risk, massive-return investment offer.
- They pressure you into making a decision right on the spot.
- They use phrases like “You trust me, right?” or “We’ll charge the shipping and handling charges to your credit card.”
- They dismiss the idea that you need to verify the company they represent.

As you can tell, these identifiers are all situational and depend on the type of scam call the scammer is employing. In most cases, the methods they’ll use have a certain process around them. Here is how they’ll try to hook you:

- A travel package: it’s usually a free or low-cost vacation that’s advertised. The scam is that there is a series of hidden costs, and in most cases the vacation you paid for never takes place.
- Credit and loans: the “credit card company” calls and offers a lower interest rate credit card. You’ll see these cropping up more in a down economy.
- Investment or business opportunities: they rely on the person not being financially savvy enough to look into the actual investment.
- Charities: the call usually stresses an urgent need for donations. These appear around times when disasters have happened recently.
- Foreign lotteries: whether by phone or mail, buying a lottery ticket through those methods is illegal. All lotteries and the entries must be made in person with you physically buying a ticket.
- Free trial offers: a shell company offers a free trial for a product, will often load you up with lots of products, and will charge you a crazy amount of money every month until you cancel.

These are only the tip of the iceberg, but staying vigilant and digging further into the information provided can help ensure you don’t get scammed.
Last episode, I talked about how to generally identify scams where the person is posing as a government official. However, one of the most common scams people experience is calls from the CRA/IRS, and that’s a rather unique case. After all, if you owe the government any kind of money, you know that how the CRA/IRS operates can seem a little shifty. For example, in order to verify they are talking to the correct person, they ask for the person’s SIN, which is awfully similar to how scammers would operate. So in light of this, distinguishing between a scam and a legitimate contact comes down to keeping an eye on key identifiers. For example, in some scams, people are directed to a fake tax website where they need to verify personal information. With this in mind, we know the official site wouldn’t ask for personal information out of the blue since it’s mainly used as an open source database. Another key identifier is checking the URL. Not only do official websites use https (meaning it’s a secure site), but you should also be familiar with the exact domain in your country. It’s also worth looking over other behavior that the tax centers show through various mediums. Here is a breakdown of what they do.

Over the phone, they will:

- Verify your identity through a variety of identifiers outside of SIN. They will also ask for your full name, date of birth, and address. They also make a point of explaining why they’re calling (which is usually about a specific account like collecting income tax, EI debt, etc.).
- Ask for specific details about your account if you’re asking about something business related.
- Call to start an audit process.

They will never:

- Ask for other information outside of what’s stated above. This means they won’t ask about your passport, health card or driver’s license.
- Demand immediate payments via cryptocurrency, prepaid credit or gift cards, e-transfers or other mediums.
- Use aggressive language or threaten you in any way.
- Leave voicemails that are intimidating or threatening.

Over email, they will:

- Send you a notification whenever you receive a message or document in secure CRA/IRS portals. Examples of portals are things like My Account, My Business Account, or Represent a Client.
- Email you links relevant to conversations that you had with an official over a call or meeting. These links point to a CRA/IRS webpage, form or publication on the site. This is the only time they’ll send links in emails.

They will never:

- Give away or ask for personal or financial info via email or ask you to click on specific links.
- Email you asking you to fill out some online form.
- Send you emails with links to refunds.
- Demand immediate payments via e-transfers, prepaid credit or gift cards, cryptocurrency, or other mediums.
- Threaten you in any way.

Whenever they send you mail, they will:

- Ask for bank information such as the name of your bank and the location.
- Send you a notice of assessment or reassessment.
- Ask you to pay an amount owed through official tax payment methods. Examples are through online banking, paying through the My Payment option on My Account, visiting a government building and paying in person, etc.
- Let you know they are taking legal action to recover money owed if you refuse to pay a debt.
- Write to start an audit process.

They will never:

- Request a meeting in a public place to take a payment.
- Demand that you pay immediately through e-transfers, cryptocurrency, gift or credit cards, or other mediums.
- Threaten you in any way.

Lastly, if the CRA/IRS ever texts you, remember that they don’t use text messaging. They will not communicate with you through any kind of messenger app at all.
As you can tell, sometimes the lines between legitimacy and a scam are a bit tricky, but to better protect yourself, ask the following questions:

- Why is the caller pressuring me to act right now? Can I be certain they’re really a government employee?
- Have I filed my taxes on time? I should have received a notice of assessment or reassessment stating if I owe anything.
- Have I received any written or verbal communication from them recently that warrants this email?
- Do they have my most recent contact information like address and email?
- Is the caller asking for information that is unrelated to what’s placed on my tax return?
- Did I recently send a request to change business number or business information?
- Do I have an installment payment due soon?
- Have I gotten a statement of account pertaining to money I owe to a government program like EI or Student Loans?

Also remember that the CRA/IRS wants to work with you if you owe them money. They will never pressure you into paying if it affects your daily life.
You sometimes hear about this in the news around tax time: fraudsters calling you and saying they represent the CRA/IRS. But one other scam that’s been cropping up is one where fraudsters call stating that your Social Insurance Number (SIN) has been compromised. It’s then followed by an unusual request for you to confirm your SIN so they can verify whether it is compromised and get you a new one. I say unusual because if the caller says your SIN is supposedly “compromised”, they should already know your SIN anyway. Not only that, but the fraudsters often disguise themselves as government departments, which in theory should know your SIN anyway depending on the department. Anyway, despite seeming legitimate, they definitely aren’t, as confirmed by anti-fraud centers. Not only that, but these types of scams are nothing new in this day and age. Fraudsters have been getting craftier every year, and some of the more recent scams have stemmed from fraudsters posing as government officials. In the case of the most recent scam, this one crops up around times when there have been highly publicized privacy breaches. In most instances, the scammer will even mention that recent data breach. But naturally, we can work around these scams, and there are some tips to keep in mind too. First of all, we can always use logic. Like I said above, if the caller is claiming to work for the government, they should have a lot of your personal information right there. Similarly, if they mention a highly publicized breach, unless the breach was at an actual government agency, chances are your SIN is not even related to it. Second, as a general rule you never give personal information like a credit card number or SIN over the phone. You only divulge that if the person is a trusted person or you’ve initiated the call yourself. Third, if you do get an unexpected call and requests for personal or financial info, ask them who they represent and call up that organization to verify the legitimacy. Fourth, remind yourself that any reputable firm will never ask for personal info without significant safeguards in place.
One of the biggest issues that PPC (pay-per-click online ad campaigns) marketers are facing is click fraud. Over the past two decades, there has been a massive marketing revolution. Marketers enjoyed the leap from newspapers and billboards to radio and TV, and today they can advertise to anyone via the Internet and social media. It’s obvious why we see fewer billboards or even companies attempting to use those methods. They’re practically relics best left in the past. But while technology has enriched everyone’s lives, careers, and respective industries in general, there are still a wide variety of problems. And one prime example of that is the PPC marketing industry. For those not familiar with PPC, this form of marketing is nothing new. To give you an example of what it’s like, think of it like this: You’re running a grocery store and decide you want to attract more people to your store. Instead of putting on a huge marketing campaign, you decide to buy a certain amount of leaflets promoting your store. You may even offer a discount coupon on it too. Anyway, you place these leaflets at the front of your store and around the surrounding area. After a week, you notice more people coming to your store and you also notice there are fewer leaflets on the stand. PPC works in the same fashion. Your online advertisement is the leaflet and your cost per click is how much it cost you to print that leaflet. It all sounds too good to be true, right? Well, the method itself is not scammy; however, there is a snag. Because this new form of advertising is so powerful, there is a lot of money changing hands and it’s attracted people who will actually scam you. How will they scam you? Simple. Through something called click fraud. This activity alone costs businesses billions every year. What’s worse is that because click fraud is so easy to do, a lot of businesses are at risk.
To put into perspective how dangerous this can be, let’s go back to the leaflet example I used to describe pay-per-click. Of course, in this scenario you are still paying for the leaflets no matter what. PPC advertising works in the same way, where you are still paying for the online ad. But what if someone picks up a leaflet (i.e. clicks on an ad) and then doesn’t do anything with it? What if they pick them all up and tear them up? You’re still charged your flat rate for that advertisement you put up, but you didn’t get the lead that was assured to you. What’s worse is you’ll have to buy more leaflets or else no one will hear about your business. That is what click fraud is at its core. It’s clicking on a pay-per-click advertisement in order to generate fraudulent charges for advertisers. This is why it costs advertisers billions of dollars. Since 2017, 1 in 5 clicks on advertisements were fraudulent, and the number has been rising every month since then. It drives up advertising costs, and in some cases those businesses can’t compete. PPC is designed for companies with tighter budgets and not as many resources. And those are the people who are hurt the most by this: small and medium-sized businesses. And you’d think with such a massive industry there would be a tighter grip on this situation, right? Sadly, that’s not the case. There have been some attempts to address this issue, in the form of Google opening what most people call the ad quality center. Basically, it’s a center devoted to monitoring ads and reimbursing advertisers who are subject to fraudulent behaviour. It all sounds amazing, but it’s undercut by the fact that click fraud is still extremely hard to detect. As I said, click fraud is still on the rise to this day as fraudsters are using more advanced robots to slip under the radar. So what can we do about it? Well, as a consumer there is little we can do. The best behavior is honestly to not click on an ad that you’re not interested in.
As a business, though, it’s key to look at your PPC campaigns and figure out where traffic is coming from. This sounds easy on paper, but it’s trickier than you think. It involves getting the visitor data and exporting it into a spreadsheet. The catch is, you’ll likely have data from thousands or tens of thousands of people through this process. From there, it’s sifting through that list to look for any kind of suspicious behavior. At the end of the day it’s a massive headache and a hassle to deal with, and there is no other way around it other than checking the IP addresses and determining whether to block them or not.
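The spreadsheet review described above can be partly automated. The following Python sketch is an added example, not something from the episode: it groups an exported click log by IP address and lists the addresses worth a manual look. The CSV column names, the sample rows and the thresholds are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample export (not real traffic). The column names are
# assumptions; rename them to match whatever your ad platform exports.
SAMPLE_CSV = """timestamp,ip,campaign,seconds_on_page,converted
2024-03-01T09:00:05,203.0.113.7,spring-sale,2,0
2024-03-01T09:00:41,203.0.113.7,spring-sale,1,0
2024-03-01T09:01:10,203.0.113.7,spring-sale,2,0
2024-03-01T09:02:30,203.0.113.7,spring-sale,1,0
2024-03-01T09:03:02,203.0.113.7,spring-sale,3,0
2024-03-01T09:15:00,198.51.100.23,spring-sale,95,1
2024-03-01T10:40:00,198.51.100.23,spring-sale,120,0
2024-03-01T11:00:00,192.0.2.55,spring-sale,4,0
2024-03-02T11:00:00,192.0.2.55,spring-sale,3,0
2024-03-03T11:00:00,192.0.2.55,spring-sale,2,0
2024-03-04T11:00:00,192.0.2.55,spring-sale,5,0
"""


def load_clicks(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["timestamp"]),
            "ip": row["ip"].strip(),
            "dwell": float(row["seconds_on_page"]),
            "converted": row["converted"].strip() == "1",
        })
    return rows


def max_clicks_in_window(times, window):
    """Largest number of clicks that fall inside any one sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        # Shrink the window from the left until it spans at most `window`.
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_ips(clicks, burst_threshold=4, window=timedelta(minutes=10),
               min_clicks=4, max_median_dwell=5.0):
    """Return IPs worth a manual look, with the reasons each was flagged.

    burst:         many paid clicks from one address in a short window
    no_engagement: repeated clicks that never convert and leave in seconds
    The thresholds are illustrative assumptions, not industry standards.
    """
    by_ip = defaultdict(list)
    for click in clicks:
        by_ip[click["ip"]].append(click)

    report = []
    for ip, rows in by_ip.items():
        conversions = sum(r["converted"] for r in rows)
        burst = max_clicks_in_window([r["time"] for r in rows], window)
        dwell = median(r["dwell"] for r in rows)
        reasons = []
        if burst >= burst_threshold:
            reasons.append("burst")
        if (len(rows) >= min_clicks and conversions == 0
                and dwell <= max_median_dwell):
            reasons.append("no_engagement")
        if reasons:
            report.append({"ip": ip, "clicks": len(rows),
                           "conversions": conversions, "max_burst": burst,
                           "median_dwell": dwell, "reasons": reasons})
    # Most clicks first: those addresses cost the most ad budget.
    return sorted(report, key=lambda r: r["clicks"], reverse=True)


if __name__ == "__main__":
    for entry in review_ips(load_clicks(SAMPLE_CSV)):
        print(entry)
```

Shared addresses such as an office or mobile-carrier network can trip the burst rule, so treat the output as a review queue rather than an automatic block list.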
Outside of virtual credit card numbers and chips, there are other precautions credit card companies take to ensure security. This one comes in the form of mobile alerts, ping notifications revolving around all kinds of things. For someone who is tight on security, this feature is a must-have. The biggest feature of this is being notified within minutes if your card is being used to make purchases in another country. It also notifies you if your payment is overdue. It seems like a small feature; however, it can make a huge difference. For one, credit card companies aren’t always quick to flag fraud or other concerns. Yes, they do get around to it, but when your customer base is massive, it can be hard to stay on top of every issue. Getting these notifications requires little effort from the company and customer alike, and in a sense it gives us more responsibility over our security. The only question is how do you want to get your alerts? There are three methods, each with pros and cons. Here they are: First is email. The upside to this is that every bank offers these alerts, so it’s really easy to get this feature. The problem is that not every person checks their email on their phone. Fraud happens incredibly fast. To make matters worse, people don’t always get push notifications about emails received. And even if you do, most people would likely go numb from hearing the pinging. Second is text messages. These are better than email in that you can look at your phone and realize what the message is about to some degree. Banks have embraced this technology as well, with only a few banks not supporting text messages. For a lot of people, this is the best medium since we place such high priority on texts over emails. The only catch to this, though, is that you’ll be getting text messages every time you make a purchase.
Not only that, but if you enable two-way texts you’ll need to text the company back saying whether the purchase is legitimate or not, or else the purchase gets blocked at the point of sale. All of this can be tiring and annoying after a while if you are someone who makes a lot of purchases on their credit card. Push notifications are the last form. These are notifications that don’t ping, but they appear on your phone’s lock screen. This is the best of both worlds in that it’s not super intrusive like texts. You’re also likely to see it more quickly than emails. So what’s the problem with this feature? Well, the issue is that less than half the banks in the world offer this service. Of course there is ample optimism, with many people saying they want push notifications, but for now it’s not something all banks support.
We’ve all seen and heard about the chips embedded in our credit and debit cards, but there is another highly secure measure we can take for our credit cards. They’re called virtual credit card numbers. This technology is relatively new, but it can save a lot of headache, particularly with identity theft. As I’ve discussed in the past, when shopping online you’re not always safe. There are so many vulnerabilities when shopping online. Part of that threat is the potential for your identity getting stolen. That’s where virtual credit card numbers come in. To save people that headache, credit card companies adopted this technology to make online shopping more secure. So how do they work? First of all, you can’t put these numbers into your wallet. Instead, whenever you make a purchase online, this system will generate a series of random numbers and use that to verify your purchases. Even though the numbers are random, the number is still linked to your account. What’s also nice about this feature is that you can protect transactions further by placing expiration dates on your virtual credit card. You can also place spending caps. These two features ensure that if someone ever gets that data, they can’t really use it. And if by some miracle they do get to make purchases, they can’t make that many. It all sounds great, right? Indeed, but naturally there are still a few issues with it. First of all, it can create some challenges in specific situations. Specifically, if you ever need to return a purchase or dispute a charge, it’ll be harder to prove since the number may not be active. It also creates complications if you’re booking travel arrangements. Hotels require you to show your credit card, so in those situations you’ll need to provide your actual card to book. Outside of a few niche situations, this technology is solid, and if you never have complaints about your purchases or rarely book hotels then this technology can make shopping online safer.
While credit card chips have made credit cards - and debit cards - safer to use, there are still precautions that we need to take when using them. I’m not questioning the effectiveness of these chips on our credit and debit cards. Evidence shows that there has been a significant decline in crime involving credit cards in countries that use these chips. The catch, though, is that this evidence only shows the decline of one specific category of credit card theft: credit card fraud. On top of that, the reality of the security is a little more complex. For one, while there is a drop in credit card fraud, it doesn’t always equate to the card being 100% effective. There are some drawbacks to this technology. First off, the technology hasn’t been fully adopted just yet. Yes, a good portion of merchants have this technology where you don’t need to insert or swipe your card. However, there are small pockets of merchants who don’t have the technology, and you do need to insert or swipe your card to complete the transaction that way. But it’s also worth looking at the locations where that technology isn’t supported. Coincidentally, the places that have yet to adopt this are where merchants aren’t closely watching. Places like ATMs and gas pumps. Public places with minimal security that thousands use. But what if I don’t ever need to pull out my credit card to make a payment? That feature can still cause trouble, as individuals have scanning devices that steal RFID credit card data through the air. Some are so good all they need is a smartphone. Another aspect is online shopping. As I mentioned in a previous episode, companies aren’t always up to speed about customer security. And with more people shopping online, thieves can still get access to the specific digits and use them. And finally, you can still have your card stolen, which is still a huge concern.
In the case of credit cards, a chip does little good, as a thief can easily swipe or insert the card to make a payment and sign the receipt with your name. Yes, it’s a lot harder to retrieve that specific card from your person; however, it becomes laughably easy once a card is in the hands of a thief. While the technology is a breakthrough in security and is safer all around, there are still precautions we need to take. Consider the following:

- Make a habit of checking both bank and credit card statements often and ensure you recognize the transactions.
- Use mobile payment technologies whenever possible. They save you from bringing your physical card, and your phone is a more security-heavy tool than a plastic card.
- If you’re using RFID credit cards, get a wallet or an insert that blocks hackers from stealing data remotely. SignalVault creates a lot of RFID-blocking products worth checking.
- Avoid making any purchases while on public Wi-Fi networks. If you need to buy something online while in public, make sure you have your own virtual private network to protect yourself.
- Lastly, use virtual credit card numbers whenever you can.
Discovered in 2016, Petya is a family of encrypting ransomware that targeted Microsoft Windows systems. In 2016, we saw variants of this, but in June 2017 we experienced a global cyberattack primarily targeting Ukraine. In 2016, the variants gained attention when Check Point - an IT security company - found the ransomware being active but not playing a big role compared to other ransomware that was active at the time. That being said, they did say they flagged the ransomware as the next step in ransomware evolution. They were certainly right about that, as the year after that we saw an attack. On the 27th of June 2017, a major global cyberattack began using a variant of Petya. On the day of the attack, there were reported infections in Germany, France, Italy, Poland, the United States, and the United Kingdom, though the major focus was on Russia and Ukraine. Overall, the attacks focused on companies, with over 80 of the companies initially attacked being in Ukraine. Among those initial attacks, the National Bank of Ukraine was targeted. After the initial attack, 80% of infections occurred in Ukraine, with Germany being the second hardest hit with roughly 9% of infections being there. Many people believe that this attack was due to politics, since the date the attack occurred was a day before Ukraine’s Constitution Day. As a side note, the name Petya refers to the 1995 James Bond film GoldenEye, where Petya was one of the two weapon satellites that carry a Goldeneye. Because of that reference, the Petya malware is also known as Goldeneye. As for how this malware worked, Petya would first infect a computer’s master boot record. It then overwrites the Windows bootloader and triggers a restart. Once the computer starts back up, the payload will encrypt the Master File Table and the user will see a ransom message demanding a payment made in Bitcoin. As mentioned, there were other variants which functioned the same way.
The only difference was that some messages demanded that the user grant it admin privileges. Another activated a second payload called Mischa, which was a backup plan should Petya fail to encrypt any data. Mischa went on to encrypt user documents and executable files instead. Initial forms of Petya spread by being disguised as a PDF file attached to an email. Fortunately, damages were still considered fairly low. Despite the massive damage it caused, the damage was more on a productivity level as opposed to people paying out their ransom. After all, the email address that was listed on the ransom screen was quickly suspended by the email provider. This meant that while computers got infected, the users couldn’t even pay any money to the perpetrator.
With ransomware being the latest threat in history, this form of ransomware brought further attention to the issue at hand. While Gameover ZeuS targeted people, this ransomware cryptoworm attacked en masse. In May 2017, the world had to face off with what’s known as the WannaCry ransomware attack. The attack affected over 230,000 computers across 150 countries. Damages were reported to be in the hundreds of millions to billions of dollars. The attack overall lasted for a few days before it was cleaned up. Going into specifics, WannaCry exclusively targeted Microsoft Windows computers by encrypting data and demanding ransom payments via Bitcoin. What was also unique about this cryptoworm is that it had a transport mechanism, which meant it could spread itself automatically without people needing to click on something or perform a certain action. Though if we are to be technical about this, those infected did do a certain action. That is, they failed to download the patches that Microsoft was issuing. You see, this malware used an exploit, and that exploit had already been fixed in previous patches. However, users who didn’t get the patches or were using older Windows systems became infected. What’s worse is WannaCry also installed backdoors onto those infected systems, opening them to more attacks in the future. The only way the attack stopped was due to Microsoft releasing emergency patches. They also found a kill switch to prevent infected computers from spreading it further. These patches came to all computers and were also offered to older computers running Windows XP, Windows 2003 and Windows 8. This attack showed how quickly people got on top of the situation; that being said, the damage was still quite extensive. Out of the 230,000 cases, there were a reported 327 payments made to this ransomware. This totaled 51.62396539 in Bitcoin, valued at over $130,000 at the time. What this scenario shows is how it pays to be prudent and aware.
In most situations with ransomware, you won’t be getting that data back. This was the case with WannaCry victims who said they never got their data back after they paid their ransom. It’s also wise to get all the latest patches and updates. While some updates you may not care for, updates typically come packed with a variety of other features that often go unnoticed - like security updates - and yet are crucial to the system.
One of the biggest leaps in malware technology has been the creation of botnets. I’ll talk about them in more detail later, but one recent botnet that we have had to deal with is a botnet called Gameover ZeuS. This particular malware virus is the predecessor of the ZeuS trojan horse with a few more tricks up its sleeve. Created by a Russian man, people believe it was spread through the Cutwail botnet. As for what this trojan horse actually did, it provided a backdoor for the Russian man - Evgeniy Mikhailovich Bogachev - to steal money from people’s bank accounts. He made a point of stealing only from people who could actually afford it. How he stole that money was via the distribution of the CryptoLocker ransomware - a program I’ll talk about later. Getting into the specifics, basically the malware establishes a connection to the server and installs itself on the computer. It then proceeds to disable specific system processes, download and launch executables, essentially bricking the computer so you can’t do anything. Even though this wasn’t affecting the public at large, it caught plenty of attention from police and internationally, especially after the US Justice Department announced Operation Tovar, which was designed to shut down Gameover ZeuS and block off communication with its command and control servers. They’ve also indicted Bogachev in the US for creating a network of virus-infected computers and siphoning millions from people. Because of the severity, the FBI announced in 2015 a $3 million reward - the highest reward for a cybercriminal - for information about Bogachev.
Discovered around May 2011, this trojan horse made history by infecting millions of computers. Affecting only Windows computers, this malware was downloaded as a form of a botnet while going undetected thanks to rootkit techniques. Rootkits are a new development in the hacker community. To the public the term has a negative connotation since a rootkit is usually a collection of malware. Rootkits are also known to be difficult to detect and use all kinds of techniques like memory dump analysis, difference scanning and more. Getting back to ZeroAccess though, this botnet spread quickly and was estimated to be on at least 9 million systems. However, those numbers vary depending on where you’re getting them. Antivirus vendor Sophos stated there were only 1 million by the third quarter of 2012. Kindsight, a security firm, estimated 2.2 million infected around that time too. Regardless, this trojan horse spread quickly. But how was it able to do that? Well, on top of rootkit techniques being tough to detect, it also had various ways of getting into computers. One attack was through social engineering. A user was encouraged to execute malicious code by clicking on a seemingly legitimate file. It could also be hidden as another payload in a pop up. An example is the trojan horse could come in when you see a license key pop up on your screen. The second attack it uses is through an advertising network. An ad could tempt you to click on it and redirect you to a site that contains the malicious virus. The final attack could be through an affiliate scheme. A third party person gets paid for installing the rootkit on your system by whatever means. Considering the severity of infected systems, Microsoft did move to destroy the command and control network of the botnet in December 2013. However, they were unsuccessful and people can still update this botnet even today. So what warranted this attack? Well, it helps to understand what ZeroAccess does.
And on a consumer level it does cause some concern. When a computer gets infected with the ZeroAccess rootkit it immediately starts one of the two botnet operations: click fraud or bitcoin mining. What this means is that our computer is either remotely mining bitcoins (which were valued at 2.7 million USD at the time) and generating money for the controller or it’s clicking on ads in the background without us noticing. The bitcoin mining doesn’t really cost many people, however click fraud did impact advertisers significantly with some reporting they paid $900,000 a day in fraudulent clicks. While some of us may not care so much about that, there are some other things this trojan horse does. For one it could infect a random driver and thus gain control over an operating system. Even if you’re lucky and it doesn’t infect a driver, it automatically disables Windows Security Center, Firewall and Defender. This could leave you open to more attacks in the future. While this trojan horse may be a thing of the past, we still must exercise caution. Be wary about suspicious emails or what advertisements you are clicking on, particularly where those ads are located.
Moving forward to 2010, we have a virus that was thought to be in development since 2005. With a virus that’s been in development for this long you’d think this virus caused some serious damage, right? Well, you would be right. While this malware worm didn’t target typical users, Stuxnet did target SCADA systems. SCADA (Supervisory Control and Data Acquisition) is a high-level supervisory operating system. It was also the system that an Iranian nuclear program used, a program that people believe Stuxnet is responsible for sabotaging. Looking further at this malware though, Stuxnet actually targets programmable logic controllers or PLCs. These are systems behind automation and controlling specific machines. Because of this Stuxnet was a worm that only affected a handful of specific computers. Unlike other malware I’ve talked about, this heavily targeted Iranian computers that had specific criteria (a study showed Iran got the brunt of the attack with 58.85% of reports stemming from them; Indonesia was second with 18.22% of reports). Many people look at this and say this was clearly a focused attack since it had designated targets and even behaved in a conservative manner. The worm in question often went undetected and had measures to prevent the worm from spreading en masse. It had a cap of spreading to up to three other systems. It even would erase itself by the 24th of June 2012. While this virus didn’t impact many people, it created a lot of political tension. People from both Israel and the United States made subtle nods to this worm suggesting they were indeed behind it. These acts were then countered by various attacks from other countries. In fact the damage Stuxnet caused sparked foreign countries attacking US banks. At the same time though, Stuxnet is a clear example that countries or individuals these days are fully capable of creating cyber weapons. Likely not in their basement all by themselves obviously, but a group could easily pull it together.
I don’t know about you but that’s frightening.
In a previous episode I talked about the Code Red worm and how it disrupted servers and affected 359,000 computers during its lifespan. The issue was handled quite quickly, but from that worm there stemmed a variant. This variant was referred to as Code Red II or Code Red 2. Released two weeks after the Code Red worm on August 4th 2001, this worm behaved in a similar fashion to Code Red. But despite behaving virtually the same way, it was dubbed a variant for a few reasons. The first identifier is the fact this worm had no function for attack. Instead it prioritized being a backdoor and leaving a system open for attacks. This makes sense when you consider last episode where I mentioned Nimda was able to spread faster thanks to this worm. The second identifier was that the worm didn’t infect computers at random compared to Code Red. Code Red 2 prioritized infecting machines that were attached to the same subnet as the machine it just infected. Much like the Code Red worm, Microsoft released a patch to fix the security hole that was exploited prior to this attack. This time back in June. Though what’s important to note is that the patch would prevent further damage but the machine would still have the virus. People would’ve had to remove the worm themselves. Similar to Code Red, Code Red 2 attacked Windows computers. This time only Windows 2000 and Windows NT. What the computers did when infected depended on what computer you had. Windows 2000 computers that had the virus wouldn’t obey the owner. As mentioned before, the worm created a backdoor opening the computer to further attacks. The first sort of attack would be remote access to, and control over, the user’s computer. For the computer savvy people this is a system-level compromise, a serious problem for any computer owner. Essentially the person who sent the virus to that user can have access to their operating system and be able to do all kinds of things. Like commit crimes.
This can translate to that person falling under suspicion even though they didn’t commit the crime at all. Windows NT was the other computer that could be infected. Fortunately for those users, both Code Red and Code Red 2 didn’t take as much of a hold on these computers as they did on Windows 2000. The worst case scenario for these computers is that the computers would see crashes more frequently. Even though most of us no longer use those operating systems, worms and other viruses have become more damaging as the years have gone by. If you ever notice a worm in your computer, it’s a smart idea to not only get an antivirus program to sweep your computer but also to reformat the hard drive. Make a point of backing up your computer on a regular basis so you won’t lose as much progress either.
Looking over 2001 one could say it was filled with travesties. After all, September 11th that year was the day the attacks on the World Trade Center and Pentagon occurred. And literally a week later, computers were hit with a virus that people believed was due to Al Qaeda. Nimda is one of the most malicious worms users had to face that year. It spread itself quickly and surpassed all damage that Code Red, or other previous outbreaks caused that year. This worm was brought to attention on the 18th of September. It was a week after the bombing, which was why people theorized this was done by Al Qaeda, however that theory was unfounded. It wouldn’t be until later when China allegedly admitted to this virus. This was uncovered when looking at the code and noticing China written in the code. Nimda targeted both users and servers of Windows computers. On the user end any user running Windows 95, 98, NT, 2000 or XP was a target. Servers operating NT and 2000 were targeted. The name Nimda came from the reverse spelling of admin. There wasn’t any particular thematic reason for the name. But as I said before, Nimda was by far the most damaging of the worms at the time and what made it so effective was how it infected computers. All through 2001, the viruses had specific conditions that had to be met in order for them to spread. Nimda had five routes it could take. It could spread via: open network shares; people browsing compromised sites; exploited directory vulnerabilities that were solved in recent and up-to-date patches; or back doors that were left behind by previous worms, notably Code Red 2 and sadmind/IIS. This worm was devastating due to the fact it was more sophisticated than any other attack up to this point. What this says to us is that viruses have gotten stronger to the point they don’t need one specific condition that needs to be met in order to spread.
But the creation and spread of these worms also shows us how unaware and unprepared we are when faced with this type of technology. The reality is that these worms could’ve been prevented. If we were more diligent about our emails and keeping everything updated we could’ve lessened the damage these viruses have caused. In a sense, all these attacks are a good thing. They serve as reminders for what we can do in the future to better protect ourselves from viruses or other attacks. We’ll be seeing this time and again with future viruses I’ll be talking about.
If Anna Kournikova and Sircam weren’t enough, people were also bombarded with a worm known as Code Red. Though there is a bit of a relief with this worm as it attacked computers that were running Microsoft’s IIS web server. Meaning it didn’t affect the average user’s computer unless you were coding websites at the time. The worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. However, it didn’t start causing damage until Riley Hassell came in and discovered a vulnerability that the worm then exploited. Since this worm wasn’t an email virus like the others, there wasn’t a particular name for this worm. Instead it was named after coincidences. In this instance the group was drinking Code Red Mountain Dew at the time that this worm exploited the vulnerability. Hence the name Code Red Worm. The worm worked slowly. It was released on July 13th, but it only started to wreak havoc on the 15th of July. The peak of its damage hit on the 19th of July where the infected hosts reached 359,000 computers. So how was this worm able to really spread? Well, again the virus spread through exploiting a vulnerability in the system and there was a patch for that particular vulnerability made one month before this virus even hit. In other words, those computers likely didn’t bother downloading that patch and suffered for not doing so. When the computer was infected, the worm spread itself using a vulnerability tactic known as buffer overflow. This tactic is basically overwhelming an infected system using a long string of arbitrary code. In this case this worm overflowed the buffer with the letter ‘N’. From these causes, the worm would perform a handful of activities. First it would deface the web site it infected. Instead of a typical website you’d get a blank screen and the following message: HELLO! Welcome to http://www.worm.com! Hacked By Chinese! Other activities the worm did during the month depended on the day.
From the 1st to the 19th, the worm would work to spread itself to IIS servers on the Internet. This was why the peak of its infection was hit on the 19th and was then contained before it could cause any further damage. From the 20th to the 27th, there would be denial of service attacks on many fixed IP addresses. The IP address of the White House’s web server was among those attacked during that time. This was when they brought in a professional who uncovered all of this information and took steps to prevent any more damage. From the 28th until the end of the month the worm was asleep and there were no active attacks. What’s also worth noting is that the Code Red worm was eventually followed up by a variant named Code Red 2. It behaved in a similar fashion but had different end results. I’ll expand on that virus in a future episode. While this worm was self-contained to web servers, the lesson this worm teaches us is to make sure that we stay updated on our security programs. Remember, every update whether it’s on a WordPress site, an app, or our computer typically tightens up security with more features to protect ourselves from attacks.
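As an added illustration (not part of the original episode notes), the script below looks for the padding described above in web server logs: requests whose URI contains a long run of one repeated character, each tagged with the phase that the worm's day-of-month schedule assigns to that date. The log lines, addresses, request path and the 64-character threshold are constructed assumptions.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "source day phase pad_char pad_len")

# Common Log Format style line; real IIS logs use a different layout,
# so the pattern would need adapting (assumption for this example).
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<day>\d{2})/\w{3}/\d{4}[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def longest_run(text):
    """Return (character, length) of the longest run of one repeated character."""
    best_char, best_len = "", 0
    run_char, run_len = "", 0
    for ch in text:
        if ch == run_char:
            run_len += 1
        else:
            run_char, run_len = ch, 1
        if run_len > best_len:
            best_char, best_len = run_char, run_len
    return best_char, best_len


def phase_for_day(day):
    """Map a day of the month to the schedule described in the text."""
    if 1 <= day <= 19:
        return "spreading"
    if 20 <= day <= 27:
        return "denial of service"
    return "dormant"


def triage(lines, min_run=64):
    """Flag requests whose URI carries a padding run of at least min_run characters."""
    hits = []
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue  # skip anything that is not a request line
        pad_char, pad_len = longest_run(match.group("uri"))
        if pad_len >= min_run:
            day = int(match.group("day"))
            hits.append(Hit(match.group("src"), day, phase_for_day(day),
                            pad_char, pad_len))
    return hits


# Constructed sample log (documentation-range addresses, inert padding only).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jul/2001:09:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Jul/2001:14:03:55 +0000] "GET /default.ida?'
    + "N" * 200 + ' HTTP/1.0" 200 0',
    '203.0.113.44 - - [19/Jul/2001:14:04:02 +0000] "GET /images/logo.gif HTTP/1.0" 200 2210',
    '198.51.100.23 - - [22/Jul/2001:03:30:10 +0000] "GET /default.ida?'
    + "N" * 200 + ' HTTP/1.0" 404 0',
    'not a log line',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.source}: run of {hit.pad_len} x {hit.pad_char!r} "
              f"on day {hit.day} ({hit.phase} phase)")
```

A padded request logged outside the 1st to the 19th does not fit the spreading window described above, which is worth a second look during triage.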
2001 didn’t just have the Anna Kournikova virus. They also had a virus known as Sircam, a computer worm that infected emails through Microsoft Windows systems. At the time it only affected Windows 95, 98 and Windows Me (aka Millennium), but it still spread quite quickly. The idea behind this worm is similar to any other email virus. You’d get a standard message followed by an attachment. The attachment is what would contain the virus and if you opened it the virus would spread. But what’s interesting is how the virus worked during that process. First of all, there were eight messages the virus was designed to send. It would pick one of them and send a user the email with one of the following: “I send you this file in order to have your advice”; “I hope you like the file that I sendo you”; “I hope you can help me with this file that I send”; “This is the file with the information you ask for”; or a Spanish version of those same four phrases. Looking at it now, detecting this worm is kind of obvious since the phrases all have spelling or grammatical errors in them. Even the Spanish versions were a little off too. But due to a bug within the worm itself users rarely saw any of the other phrases mentioned there. Instead most users got the message “I send you this file in order to have your advice.” This in turn became an inside joke amongst those using the Internet who were spammed by this email containing this string of text. But despite it being a bit of a joke, the virus affected a fair number of computers. What was another big tell was that the file that was sent in question likely wasn’t relevant to the receiver of these emails. You see, when someone opened the email and got the worm, Sircam would distribute itself and infect document files - typically .doc or .xls - at random. It would then send an email to every email address in that person’s address book with that particular file.
So ultimately what the worm did was send users an email with a slightly broken phrase and a file that would be utterly irrelevant. However, it’s due to that file that many people’s personal or private files were emailed to people who shouldn’t have gotten them. Despite all of those seemingly obvious warning signs, how did this virus become one of the top 10 outbreaks of viruses? Well, not only did it impact those emails, it also could spread to networks. Sircam scanned the network for computers that had shared drives and then copied itself to a machine that had an open drive or directory. Meaning that if any of your drives were on a shared network and weren’t password protected, Sircam could get in. What followed was a Remote Procedure Call (RPC) which would go unnoticed to the average user. An RPC is merely a subroutine procedure that’s conducted in an outside space and without the user being aware. In this case, it’s fair to say that this worm would send more emails to people without the user noticing. As a result of these two aspects, even after a year of the initial outbreak, Sircam was still one of the top 10 viruses to look out for. No one knows who the original author was or what sort of damage was done.
The ILOVEYOU virus wasn’t the last time people would experience an email virus. It wreaked havoc in the year 2000, and one year later people had to face a new threat: Anna Kournikova. For those keeping up with their sports, this virus is named after the tennis player Anna Kournikova. And this was made entirely by design. Authored by a 20-year-old Dutch student named Jan De Wit who called himself OnTheFly, this worm was sent out to people on February 11th 2001. This was an email virus similar to ILOVEYOU and as the virus name would suggest, the email had a picture of Anna Kournikova. The idea behind this email was to trick people into thinking that the famous tennis player Anna Kournikova emailed them. What happens next is the person would open the email, and open the attached file. If the user was operating a Microsoft Windows computer, the attachment wouldn’t display the picture but rather launch a Visual Basic Script (or VBS) and forward itself to everybody in their address book. All of this behaviour is similar to the ILOVEYOU virus. Both are email-based viruses targeting and spreading through Microsoft Outlook’s platform. The only big difference between these worms was Anna Kournikova didn’t corrupt data. Instead it disrupted numerous email servers across the globe. But what’s more shocking about this virus is the process in which it was created. Other viruses up to this point took a few days’ work to create. But that wasn’t the case for this virus. According to De Wit, he downloaded a tool kit to help him make the virus. This cut down the time to make the virus considerably. What would’ve taken a few days was squeezed into a morning. The virus was made on Sunday February 11th and was sent out the same day at about 3 pm. As for De Wit himself, he took full responsibility. In fact, when he realized what the worm actually did he turned himself in in his hometown of Sneek on the 14th of February.
This was after posting a confession that he created the virus on a website and sent it out to a newsgroup. The post was live on the 13th of February. This confession also outlined his motivations for creating this virus. First was the fact he felt people hadn’t learned their lesson yet from the ILOVEYOU virus in that their security systems weren’t any better. But aside from the admission and the regret over the damage, he also placed some blame on other people. He attributed the rate of the infection to people who were entranced by the beauty of this tennis player. He explained that it was people’s own fault that they got infected. For the record, De Wit also had a number of pinups on his website suggesting he was a massive fanboy of Kournikova. While the damage done overall was little (the US reported damages of US$166,000), this was an example of virus information being readily available to people. And while that toolkit was later removed by the original programmer Buenos Aires, the fact remains that this information was becoming more and more available. Not to mention more people had growing computer skills and had the ability to make these viruses.
Otherwise known as Chernobyl or Spacefiller, CIH was a Microsoft Windows 9x computer virus. It first emerged by 1998 and was highly destructive to vulnerable systems. From overwriting critical information to infecting system drives, this was the next big splash of a virus after the Morris worm. It was created by Chen Ing-hau, a student at Tatung University in Taiwan, who is the CEO and founder of 8tory (a Facebook memory app). At the time, the virus infected roughly sixty million computers internationally and resulted in $1 billion US in commercial damages. According to Chen, the virus was written due to bold claims from antivirus software developers about the antiviral efficiency of their programs. Once Chen got the virus to spread thanks in part to some of his classmates, he apologized to the school and created an antivirus program himself to stop the CIH virus. Similarly to the Morris worm incident, Chen wasn’t charged with anything because no victims came forward with a lawsuit. Though this event did usher in new computer crime legislation in Taiwan. So how did this virus get the aliases Chernobyl and Spacefiller? Well, for Chernobyl, the name was coined since people knew the virus as CIH during infection. But CIH also was a reference to the payload trigger date in some variants of this virus. This trigger date coincided with the Chernobyl disaster on April 26th. How the virus got the name Spacefiller was due to the fact that most viruses wrote their code to the end of the infected file. This means that when a virus like that infected a file, the file size would inflate dramatically, making it obvious that the file was infected. CIH behaved differently in that it looked for gaps in the program code and wrote itself into those gaps. As a result, this didn’t increase file size and made it harder to spot the virus. Getting into specifics of this virus, how it caused damage was by hiding in the shadows and triggering on the aforementioned date.
First, the virus would overwrite the first megabyte of a hard drive with zeroes. This deleted the contents of the partition table and users could see one of two things: the machine hanging on cue, or the blue screen of death. It’s this particular payload that caused so much disruption and damage. After all, in March 1999, thousands of IBM Aptivas were shipped with this virus, all conveniently one month away from when the virus would get activated. On top of that, Yamaha shipped software updates on December 31st, 1999 with this virus too. Because of those occurrences, there was a lot of damage done. Thankfully the author of the virus released a fix for this problem. The same can’t be said though for other variants of this virus. While Chen isn’t behind any of the variants, the variants behave in similar fashions, activating on the 26th of April. Some even activate on the 26th of any given month.
Not to be confused with the famous artist, this is a different kind of masterpiece depending on who you are talking to. First detected on the 4th of February 1991 in Australia, the virus was like most other viruses around the time in that it infected the boot sector. The only thing is that no one knew their disks were infected until a particular day, similar to the Jerusalem virus. Instead of it being the 13th of October, this virus came to life on the 6th of March, the birthday of Michelangelo. Outside of his birthday, there was no other reference in the virus to the artist. The name Michelangelo stuck when those researching the virus noticed that it activated only on that particular day. The actual significance of this date to the author is unknown. In fact, it’s hard to know if the author intended the virus to be named Michelangelo. As for what this virus does upon activation, it basically makes the data on the disk irretrievable for the average user. It does this by infecting the disk’s operating system and even the master boot record in some cases. These conditions only apply if the disk was inserted on that particular date and the PC was an AT or PS/2 computer. Though the virus was first noticed in 1991, it wasn’t until January 1992 when the virus became more well known. Apparently Intel’s LANSpool print server at the time was infected with this virus. This meant that the few computers that came out were accidentally shipped out with the virus. This resulted in public unrest as well as expert claims. At the time, one of the biggest people to push the battle against Michelangelo was John McAfee, an anti-virus company founder at the time. Though these actions seemed to be unnecessary as there were only a few hundred of these faulty computers that were shipped. As a result, people were warned and given tips to avoid March 6th. The advice ranged from simply not running the computer on that day to changing the clock on the computer to skip March 6th entirely.
By 1997, cases of data loss were non-existent. By that point most people forgot about the existence of this virus entirely. Similar to Jerusalem, no one knows the author’s name, or their intention with this virus. That being said, I’d argue that this virus along with the Jerusalem virus were the first iterations of Trojan horses, a virus that would activate during certain circumstances like a date or a specific time of the day. Perhaps trojan horse viruses were first inspired by these particular viruses.
Created in October 1987, this is a virus that has worm-like behaviors but was created a year before the Morris worm wreaked havoc over the Internet. As such, there’s not really a classification for this virus as its behavior was different to worms. The only similarity it has to worms is that it likes to multiply and create files on disks multiple times. Though how it went about it was unusual. First of all, Jerusalem was a logic bomb virus. Once it has infected a system, it becomes memory resident. As a result, it takes up 2 kilobytes of memory on a disk. It then starts to infect every executable and COM file that’s run on that disk. Though it avoids any command.com files. COM files specifically grow by exactly 1,813 bytes. Executable files grow between 1,808 and 1,823 bytes every time they’re infected. They’re then re-infected every time the files are loaded until they are too large to load. What’s also unusual is what the virus infects. For one, it can’t infect read-only files. So floppy disks are off the table. But the most unusual aspect about this virus is when it goes off. Out of all the viruses out there this one takes the cake for being really unique. Since this virus is a logic bomb, it goes off when you’ve “lit the fuse” so to speak. And someone lights this fuse when they load a particular disk with this virus on the 13th of October on any given year except for 1987, the year the virus was created. Once the fuse is lit it deletes any programs that are run that day and infects them. Because of all of these unusual circumstances, this virus has multiple aliases and variations of it. The name Jerusalem stuck the most because this virus was detected by students who were at Hebrew University of Jerusalem. Other names for this virus are Friday the 13th, ArabStar, 1808(EXE), 1813(COM), Hebrew University, Saturday 14, amongst others. But how did this virus get detected in the first place? Well, the students spotted a subtle difference.
This particular virus didn’t have any clear messaging unlike other viruses, but it did mis-capitalize words. To this day, no one knows who created this virus, or what the purpose was for it. Some people believe it was created by the Palestine Liberation Organization (PLO) to mark May 13th 1948, the day before Israel Independence Day but it’s still uncertain.
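As an added illustration (not code from the podcast or from any antivirus product), the sketch below turns the size figures quoted above into an integrity check. It baselines file sizes and SHA-256 hashes, then shows that Jerusalem-style appended growth is visible from size alone, while a change written into gaps inside a file, the approach described for CIH earlier on this page, keeps the size and only shows up in the hash. File names and contents are constructed, inert placeholder bytes.

```python
import hashlib

# Per-infection growth figures quoted in the text above.
COM_GROWTH = 1813
EXE_GROWTH_MIN, EXE_GROWTH_MAX = 1808, 1823


def digest(data):
    return hashlib.sha256(data).hexdigest()


def make_baseline(files):
    """Record (size, sha256) per file while the system is known to be clean."""
    return {name: (len(data), digest(data)) for name, data in files.items()}


def infection_count(name, delta):
    """Smallest number of appended infections that explains delta bytes, or None."""
    if delta <= 0:
        return None
    lower = name.lower()
    if lower.endswith(".com"):
        return delta // COM_GROWTH if delta % COM_GROWTH == 0 else None
    if lower.endswith(".exe"):
        # k infections add between k*1808 and k*1823 bytes in total.
        k_min = -(-delta // EXE_GROWTH_MAX)  # ceiling division
        k_max = delta // EXE_GROWTH_MIN
        return k_min if k_min <= k_max else None
    return None


def size_only_alerts(baseline, current):
    """What a check that compares file sizes alone would report."""
    return sorted(n for n, (size, _) in baseline.items()
                  if n in current and len(current[n]) != size)


def audit(baseline, current):
    """Classify every baselined file using both size and hash."""
    findings = {}
    for name, (old_size, old_hash) in sorted(baseline.items()):
        data = current.get(name)
        if data is None:
            findings[name] = ("missing", None)
            continue
        delta = len(data) - old_size
        if digest(data) == old_hash:
            findings[name] = ("unchanged", None)
        elif delta == 0:
            findings[name] = ("same-size-modified", None)
        else:
            count = infection_count(name, delta)
            findings[name] = (("appended-growth", count) if count
                              else ("size-changed", delta))
    return findings


# Constructed sample data: placeholder bytes only, no real program content.
CLEAN = {
    "COMMAND.COM": b"\x90" * 3000,
    "EDIT.COM": b"\x90" * 4000,
    "CALC.EXE": b"MZ" + b"\x11" * 9998,
    "TOOL.EXE": b"MZ" + b"\x22" * 500 + b"\x00" * 300 + b"\x33" * 500,
}
LATER = dict(CLEAN)
LATER["EDIT.COM"] = CLEAN["EDIT.COM"] + b"\xAA" * (2 * COM_GROWTH)  # grew twice
LATER["CALC.EXE"] = CLEAN["CALC.EXE"] + b"\xAA" * 1815              # grew once
_tool = bytearray(CLEAN["TOOL.EXE"])
_tool[502:702] = b"\xAA" * 200   # bytes written into the zero-filled gap
LATER["TOOL.EXE"] = bytes(_tool)

if __name__ == "__main__":
    baseline = make_baseline(CLEAN)
    print("size-only check flags:", size_only_alerts(baseline, LATER))
    for name, finding in audit(baseline, LATER).items():
        print(name, finding)
```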
While the Morris worm was one of the biggest main stream virus, there were other viruses made around it’s time. Each one made their own impact in their own way. After all, I listed off a handful of viruses made around the time the Morris worm was around. Out of them all, the Brain computer virus is likely the most important one. After all the term “Brain” is the industry standard name for any computer virus released in its first form in the late 1980s. The original Brain computer virus was considered to be the first computer virus of its time. The virus targeted the boot sector of storage media, infecting it and replacing the boot sector with this virus. In other words if you inserted a floppy disk that was infected with the virus, you would receive a message instead. The message read: Welcome to the Dungeon (c) 1986 Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages….$#@%$@!! There are various versions of this message but the virus always slowed the floppy disk. It also makes seven kilobytes of its memory unavailable, a pretty small amount for floppy disk standards. A floppy disk back then had 1.44 megabytes - or 1440 kilobytes - of storage space. Similar to the Morris worm, the brain was made by a man with diffferent intentions than what it did. Created by Amjad Farooq Alvi, he lived in Lahore, Pakistan when he made Brain. According to TIME magazine, he had written Brain in order to protect medical software for privacy. The idea for Brain was to target copyright infringement only and to stop it. Instead it became the virus we know today. But the Brain virus is a pretty unique one. Compared to the Morris worm and the other viruses made around this time, Brain didn’t hop from infected floppy disk to another one. 
Brain had cryptic message - like the Welcome to the Dungeon bit which referenced a programming forum back then - but lacked the code for dealing with hard disk partitioning. It also avoids infecting hard disks by checking the bit of the disk inserted. If it’s clear, it doesn’t infect. That’s unique because the other viruses at the time didn’t have that level of intelligence. For example the Morris worm did check to see if a floppy disk was infected, but it would infect the disk again regardless. Because of Brain’s behaviour, this virus often went undetected and people wouldn’t pay much attention to the floppy disk having low loading speed. Still, the Brain became noticeable because amongst those infected, the virus also included a phone number in order for Amjad to be contacted. After a while, Amjad and his brother working with him - I sadly don’t have his name - were swamped with angry phone calls from people who want the virus removed. Amjad explained to them his intentions weren’t malicious and helped to reverse the virus. After that, the virus ceased to be. Though one of the brothers decided to keep an homage to the virus in an unusual way. Shahid Farooq Alvi created two business: Brain NET, an internet service provider, and Brain Telecommunication Limited. Despite the bit of damage Brain did, these two businesses are still operational in Pakistan.
Over the past several episodes I’ve talked a little about computer viruses. From The Morris Worm to the ILOVEYOU virus. But there is another term to describe these types of viruses: Malware. It’s become so common that maybe some of you thought computer virus and malware were perhaps two separate things. After all, we hardly ever hear the term computer virus being used. It’s mainly malware. But anyway, malware has evolved extensively over the years and I think it’s important to show the highlights and growth of malware over the past few decades. After all, if we are to better protect ourselves, understanding the development before getting into specifics will help us moving forward. Malware all started in the 1980s and 1990s. The biggest splash in this area was The Morris Worm. It was the first form of malware to spread across the internet. There were some other ones that are worth bringing up too. There was Brain, Jerusalem, Michelangelo, CIH and the Melissa virus. I’ll talk about those in detail another time. Getting into the 2000s, we saw an upgrade of malware. They were rapidly growing, effectively doubling every year. The most notable malware was internet and email worms. You had ILOVEYOU but there were others. Examples are Anna Kournikova, Sircam, CodeRed worm, and Nimda. This was also around the time when phishing and other credit card scams emerged. Since 2010 and over this past decade, malware is still prominent but it’s more so used to leverage compromised systems. Outside of the numerous breaches over the past decade you also had some other notable events. These pushed businesses to have stronger security measures. Some malware that you can look up and I will explore later are the Stuxnet worm and ZeroAccess, a Trojan horse. It wasn’t until 2013 that we started to see ransomware. This was malware that locked files on a user’s computer and users had to pay a ransom to get access to that information again. One notable one was CryptoLocker, another Trojan horse. 
You also had Gameover ZeuS which used keystroke logging to steal login details. Some other notable ones were 2017’s ransomware WannaCry and Petya. Lastly there is Thanatos, the ransomware that’s been released and allows hackers to accept Bitcoin payments. As you can see from the overall history, malware has evolved and has impacted the world on larger scales. Of course there are all kinds of ways we can better protect ourselves. But I find the first step to better protect ourselves is to know exactly what we are up against.
Shopping online is easy and convenient and many people make a point of doing this now. It’s because of this fact that many hackers and scammers have gone to great lengths to create sophisticated and elaborate ways to nab your credit card information. Fortunately there are all kinds of ways you can take measures to protect yourself. I’ve mentioned some methods in a previous episode, but I’d like to include other ones that I didn’t bring up in the previous episode. Some other pieces of advice to consider are the following: First, shop with websites you trust. This means dealing with businesses that you know exist in the real world. Second, if you do shop at a new store or an unfamiliar site, be sure to have a look around the site. Is the site on social media and do they interact with their customers? Do they have any reviews? What do customers have to say about them? Check their background info with the Better Business Bureau. Make sure they don’t have any complaints about scams or history of scams. Third, be wary of too-good-to-be-true sales. While stores have been jumping on Cyber Monday, Prime Day, Black Friday and other big sales, you want to pay special attention to those prices. Sometimes those prices are way too low. Make a point of comparing the product’s images and price with other stores selling the exact same thing. Fourth, avoid giving out too much information. There will never be a store asking you for deep personal information. Typically stores only need an address, and some payment information like credit card number or PayPal information. If the store needs more, contact their customer service and see if you can use alternative information. If not, find someplace else. Fifth, have a mind for details. When shopping online, make a point of screenshotting the receipt or have it emailed to you. During high sales times things can get lost in the cracks. Sometimes you get the wrong item or won’t get it altogether. This tip leads into the final tip I have to say. 
That final tip is if something does happen, take action to ensure something gets done. Try to be helpful which means don’t call the company and start complaining to them. Let them know you’ve been waiting for a longer period of time than usual. Provide transaction numbers or the receipt they gave you.
While the number of cyberattacks increases, there have been some even bolder cyberattacks done now than ever before. For sure there have been massive breaches from various companies, but now cyberattacks are happening to banks. Cyberattacks on financial institutions have been increasingly linked to nation-states that have been causing a variety of disruptions on many levels. After all, the states that are behind the vast majority of these attacks are countries like Iran, Russia, North Korea, and China. But what’s disheartening is that the report that was released that outlines these cyberattacks noted that there were only two attacks in 2016 and 2017 that were linked to those countries. That number jumped to six in 2018. The report also talked about the growing concerns due to the vulnerable state of our financial system to these threats. Tim Maurer, the co-director at Carnegie Endowment for International Peace said: “Now banks have to defend against not only cyber criminals and politically-motivated disruptions, usually of a temporary nature, but large-scale theft pursued by a nation-state. This evolution of the threat has forced regulators and industry worldwide to shift their attention from mitigating firm-specific risks to increasingly focus on sector- and system-wide risks.” State-sponsored attacks refer to operations including direct nation-state activity and proxy activity that’s done by so-called hacktivists.
The Risk Based Security research facility has been routinely publishing reports outlining various data breaches during the year. These reports are based on the disclosed breaches that companies have announced, which this company then releases periodically. One of the most recent reports is the 2019 MidYear QuickView Data Breach Report, which issued some pretty frightening numbers and details. To put it into perspective, the report announced that in the first six months of 2019, there have been over 3,800 publicly disclosed breaches. This brought the total number of compromised records to roughly 4.1 billion. That’s way over half of the world population at the time of this recording. But what’s actually shocking about this is that a large chunk - about 3.2 billion - of those compromised records stemmed from eight of those breaches. The report also summarized that 70% of the breaches exposed emails and 65% of the breaches exposed passwords. Crucial information, but not as severe as addresses, social insurance or security numbers, or credit card numbers. Looking at the report further there are some things to keep in mind. While you may be hung up about the fact that so much information was exposed from eight breaches alone, it’s key we pay attention to the bigger picture. The report mentioned that the vast majority of breaches were moderate to low severity, meaning they exposed 10,000 records or less. This is key to know because many businesses today assume that if they’re small, people wouldn’t bother them. The truth is that according to data, small businesses are being targeted a lot. After all, most don’t have tight security measures compared to larger companies. Today, the average cyber-criminal is lazy and will do anything to gather small bits of information. And it’s effortless to get it from systems that aren’t as robust. Overall the report outlines the importance of small businesses stepping up their security of customer information. 
The business sector alone accounts for 67% of all reported breaches and 84.6% of the exposed records. It doesn’t take a genius to figure that out and consumers should be pushing any small business owner to have a more robust system. And even if customers aren’t, business owners should take the initiative to have a good security system. Best of all, it doesn’t have to be anything highly complex. The report noted that misconfigured databases were a big cause. Out of the 3,813 breaches, 149 of them were from misconfigured databases. While that’s small, the report noted that amongst those breaches, 3.2 billion records were exposed. So making a point that your systems run smoothly ought to be a top priority for businesses. Another step is ensuring people are more aware of security and get proper training. The report found that these problems that are coming up are nothing new. Quarter after quarter, year after year, the same mistakes are being made. Since January 2018, unauthorized access to systems, skimmers, and exposure of sensitive information have been the top causes and the ongoing themes of breaches. All too often, businesses focus on the external threats while people fail to send the proper emails to the right people or simply aren’t aware of what can pose a threat. Having training in place to address a lot of these common issues can ensure there will be fewer breaches in the future.
From Black Friday to Prime Day and Christmas shopping, there have been all kinds of mass sales events. Every year it seems like a new record of money spent is being broken around these events. But just because these events have all kinds of insane sales it doesn’t mean we shouldn’t be wary of our security. Here are some tips to stay on top of these events and keep yourself safe while shopping online then and for the future. First, I’d recommend getting ad and tracker blockers. Ads these days are the gateway for hackers to download malware to your computer. You can avoid all of these by getting an ad blocker. Some recommendations are uBlock Origin, Privacy Badger and Ghostery. Second, always shop on a private browser window. This means more than just ensuring you’re using private Wifi. For a lot of browsers when you are shopping, you are given a button or menu item that’ll let you open a new window. What’s convenient about this window is that it doesn’t store cookies or any other identifying information. Third, ask yourself the question “do you really need an internet-connected device?” These days all kinds of gadgets connect to the internet but it’s worth asking whether that’s needed or not. Properly functioning is one thing, but if the benefit the device brings is marginal at best when it’s connected to the internet, it might be better to find an alternative that doesn’t demand it be connected to the internet. Fourth, keep an eye on phishing schemes. During these times you’ll find all kinds of emails talking about sales events, package tracking emails and coupon codes. Make a point of paying special attention to those emails. And finally, make sure that with every store you go to you have a different password. Passwords are obviously important but if you use the same password all the time it defeats the purpose of having one too.
Even though our credit card information could be floating through cyberspace at the moment it doesn’t mean we should abandon all sense of security. We use credit cards a lot and they are a convenient tool for us to use. As a result, it’s wise to at least take some measures to protect ourselves. After all, a thief can be demoralized or move on if it takes multiple steps to reach their end goal. So what kind of measures can we take? First, I’d recommend going back to basics. When you get a new credit card, ensure you sign your name on the back. Also make a point of keeping the PIN stored separate from your card. Second, take extra steps to keep the account number private. Keep it hidden when purchasing goods in public. Never issue the information over the phone unless talking with a bank or a merchant you trust. Avoid handing the information out in an email. Even consider going digital with your credit card. Meaning paying balances online, and getting paperless statements. Third, always keep information current. Whenever you move or make any sort of changes, notify your bank before the changes are made. Also follow up with the financial institutions you deal with to make sure information is accurate. Fourth, have secure devices and networks. Never buy something while on public wifi. Make sure your computer has a firewall and ensure the software and operating system are up to date. Fifth, have a solid password and keep it secret. Obviously these are for stores that require you to have an account in order to shop which should be the only stores you deal with. Sixth, check your credit statement regularly. Whether online, over the phone, or through emails or text alerts, checking regularly to check for balances can help to find unusual activity. And finally, if you do spot anything weird, never put it off. Call your credit card company immediately. This allows them to block your card and account number. 
The sooner you do it the better as you’ll often be let off the hook of paying back any of that money if you’re diligent about it.
There are a lot of misconceptions revolving around the financial world. And part of the source of them has been credit cards. Even though a lot of people have them, most people don’t really know how to use them or have distorted views of them. I don’t blame people though, after all, credit cards have only been around since 1950. And they came in at a time when there weren’t many financial instruments or financial lingo to understand. This means that there can be all kinds of ways of thinking that make no sense. About credit cards, but even with checking the credit scores themselves. If you’re looking for a simple answer to when you can check your credit score here it is: check it as often as you like in most circumstances. I say this because the idea that checking frequently will negatively impact your score makes no sense at all. It’s actually a common myth that’s been passed down from millions of people onto younger generations. Now the keyword to that answer I made above is most circumstances. That’s because there are situations where you shouldn’t or don’t even need to. But not for the reason I mentioned above. To best explain the scenarios where you shouldn’t check, having a better grasp of what a credit score is helps. And to understand your credit score, you need to understand your credit report. In short, a credit report is the record of how you manage the money you are extended through various ways. These reports will mention balances, payments, accounts, and other pieces of information that lenders will use to determine whether to give you credit or not. As for what shows up on credit reports it’s a range of things but generally speaking if you were given a loan or any credit then it’s likely on your credit report. Examples are credit cards and car loans. From those balances and payment history, data is gathered and is then calculated by the various credit report companies. From there, they spit out a three-digit number ranging between 300 and 850. 
Broadly speaking, the higher the number, the better the score and more likely people will give you credit. That being said, any credit score above 800 is really good and typically will get the best rates. Anything above that number is going to make little impact on improving rates. Now with that knowledge, when is a good time to be checking that score? I said above that you can check whenever you like but how often you check is mainly up to your comfort level. Some check annually while others may compulsively check monthly or weekly. Either method is good. Though I will say that routinely checking your credit score can help you in being better at budgeting. By constantly checking the score, you can get a good idea of what’s affecting your score and you can spot trends. If you decide to check your score that often, make a point of looking at the bigger picture rather than the day-to-day changes. Other times to check credit scores are around times when you’re: getting a new credit card or applying for one; applying for a loan; getting a mortgage; job searching; building or rebuilding credit; protecting yourself against identity theft. In those scenarios, checking your score is a good idea, but there are some times when it’s not a good idea. The biggest is to do with our own emotions. While we do want to stay on top of our credit score, that number can cause a lot of stress and anxiety. If we make a point of really caring about that number, our emotions are going to be a mess. Why? Because as I mentioned above our credit score will fluctuate on a daily basis. Sometimes it’ll go up. Sometimes it’ll go down. And there won’t be a clear reason for why that’s happening. And that’s enough for some people to get stressed, worried, and anxious. So make sure when you check your score you don’t obsess over the number or get so wrapped up about it that you end up causing mental strain. Outside of that, feel free to check your score any time you like. 
And remember, you are entitled to a free credit report from every major credit reporting agency every year. So make a point of checking from all of them to make sure everything is accurate.
The last company I want to talk about summarizes what I’ve been talking about in the previous parts. For this part I’ll focus on Friend Finder Networks, an adult dating and entertainment company that was part of the fifth largest data breach. In 2016, due to hacking and lack of security, 412 million accounts were exposed. This hack also includes the 339 million accounts on AdultFriendFinder.com and 14 million accounts that were meant to be deleted but the company held the data on their databases. Overall the data accounts for two decades’ worth of data from the company’s largest site. As for the information in question I’m not sure what was taken. That being said, Friend Finder Networks had another breach the year before which exposed 4 million accounts. The data taken from that revolved around sexual preferences and whether someone was looking for extramarital affairs or not. As for what information could’ve been taken it can be vast. Usernames, email addresses, date of last visit, passwords, membership data, whether the user paid for items and more. And the reason I can only give this sort of vague information is that to this date, when Friend Finder was approached about this breach, they confirmed the site vulnerability but never announced the breach of information. They’ve never publicly announced what was taken. When the reporters on the breach discussed this breach with users, some weren’t surprised because the security was rather flimsy. To further drive that point, one user signed up by putting in fake information about who they are and accessing the site with no issues. With that in mind the quality of information the hacker was able to obtain may not have been significant, but you can see themes with this story. This site is similar to a social media networking site riddled with scandals. It’s collecting information that isn’t entirely necessary in order to fully experience the platform or use the service. 
The site has poor security measures in place and did little to bring this to people’s attention, similar to so many other companies who’ve spent months or years keeping it under wraps. And like with all of these cases, we need to learn to best protect ourselves. Have tighter passwords, be stingy about the information we give. And if you’re really that curious about something, you can always toss out fake information.
The fourth largest data breach isn’t from a bank or a social networking site but rather a chain of hotels. A cyberattack against the Marriott hotel chain managed to swipe details of roughly 500 million guests. The hack was suspected to be from Chinese hackers working for the Ministry of State Security, the country’s Communist-controlled civilian spy agency. This discovery came at a time when the Trump administration was taking steps to change policies that would impact China’s trade, cyber, and economic policies. This attack seemed to stem from feelings about the discussion that President Trump and President Xi Jinping had in Buenos Aires around that time. But I don’t believe that’s the case. Especially since the hack was discovered in September 2018 and was revealed late November, weeks before the discussion with both presidents. But setting aside the politics of this data breach, what’s important here is the damage. While you’d think data on a hotel database is limited it’s really not. Again many companies have gotten greedy about information and now store all kinds of information on their systems. In the case of Marriott hotel they store credit card numbers as most would which is fair. But when would a hotel need someone’s home address? Or in Marriott’s case passport information? From a security standpoint, asking for an email address makes some sense. A company can send you promotional material, deals, or offers. But when does a hotel need to know where you live or if you’ve flown to get here? You’re already paying for the hotel - their main purpose of business - what more could they need? I think that I’ve made my point quite clear that not all companies need to know everything about you. And while it’s almost instinct for us to give that information away freely, we need to be more conscious about the impact. After all, an email is a valuable tool for a hacker and is a gateway to all kinds of things. 
And if your password is easy to crack, they can take over your entire life online. So let’s all be conscious of what sort of information we give to others. Most times it’s entirely unnecessary to give.
This year has had a number of data breaches much like every other year. But the biggest one so far this year has been the breach at the First American Financial Corp. A record 885 million records were exposed online by the end of May this year. The data was eventually taken offline that same day, but people’s bank account details, social security digits, wire transactions, and mortgage data were all easily accessible on the servers of this company. The upside to this is that this information was simply available on First American’s Web site. Meaning that it was hard to tell if fraudsters were even aware of this. Indeed this particular breach of data wasn’t exactly an attack. Ben Shoval, a real-estate developer, was looking at the site and noticed the files were all available. He notified security reporter Brian Krebs who later contacted First American Corporation about the breach. He was notified that the exposure of data was likely due to a design defect in one of their production applications. Because it was something internal, the chances that data was leveraged are much lower. Regardless, even if no real damages stemmed from this, there is still much to learn. If you ever notice something unusual, make a point of bringing it up. Especially if it's something to do with your own bank. While banks certainly put an effort to have the tightest security around, mishaps happen.
Throughout history, there have been all kinds of data breaches. These breaches have been happening more and more as time went on. But while we hear more about recent data breaches where millions of people’s data is compromised, they’re actually smaller than some of the other larger data breaches. In a series I’m calling “Biggest Data Breaches” I want to share with you five of the biggest data breaches at the date of this recording. How many were affected, how it happened, amongst other things. The first one I’ll touch on is the largest one: Yahoo. During 2013 and 2014, Yahoo was hacked into and they reported that 500 million accounts were affected. From those affected, Yahoo called customers to take protective measures to secure their accounts. While the hack was definitely disheartening, it was worse for the Web giant. During this time, Yahoo was trying to sell its core business to telecommunications giant Verizon. That deal almost fell through when they had to reveal all of the information about breaches over the years. What was troubling was in 2013, a previously disclosed attack impacted all three billion of Yahoo’s users. This was uncovered when Verizon sent outside forensic experts to assess how many accounts were affected. At the time it was surprising how Yahoo managed to not only get bought out but got away with doing this. And this sort of behaviour Yahoo exhibited has been passed down amongst other companies. Why do I say this? Because Verizon bought Yahoo in 2016, three years after that breach. It was also two years after another breach that occurred in 2014 which impacted 500 million accounts. The fact that Yahoo took that long to reveal that information is a common trend we’ll find with a lot of companies. They’ll spend months or even years before telling the public. Though they’ll have the courtesy of taking action in that moment. As was the case with Yahoo calling customers to change passwords. 
This is the largest data breach and what was stolen is probably still being sold around to this day. Digital thieves managed to nab names, dates, phone numbers, and passwords. This also made it easy for people to reset lost passwords to other sites if the user’s backup email is their Yahoo email.
With so much information being passed around in this day and age it’s easy for things to fall through the cracks. Because of this so many people are affected by all kinds of epidemics. Information breaches, hacks, stolen identities, and more. These events are partly our fault for not being up to date with security. From easy to crack passwords to using the same password on several sites. But it’s not always our fault. Sometimes it’s pointed at the business who gathered our information in the first place. And some of these companies are massive multi-million dollar businesses. Take one case of a man whose entire digital life was destroyed in the span of an hour. His Google account was taken over before it was deleted. Next was his Twitter account. Then his AppleID account was broken into and all of the data on his MacBook, iPad, and iPhone was erased. How could this all happen? Similar to how we may use the same password on multiple sites, companies have similar common practices. For the case of this man, how the hacker got his AppleID account (and eventually Gmail, then Twitter) was by getting into Amazon. Whenever you order from Amazon, a partial amount of numbers are shown for your credit card. Even though the hacker didn’t get the entire number of this man’s credit card, those digits are the same digits that are used for Apple to release information. Essentially those four digits that Amazon considers as unimportant to display are the same numbers that Apple uses to perform an identity verification and give you access to AppleID, iCloud, and more. What’s saddening about this is some of this could’ve been salvaged. If the man backed up his computer regularly, he could rebuild his life easily. If he had two-factor authentication on his Gmail account he could’ve protected his Twitter account and any other social media site he was on. What this teaches us is to be careful about our security. 
We can take certain measures to protect ourselves, but they can only go so far. One other step we ought to take is to push companies for tighter security measures. After all, since we are entering an era of cloud computing and multiple connected devices, this scenario can be more frequent for the foreseeable future.