Posts Tagged

Cyber Security

Please Share Less Info With TikTok

Elizabeth Technology April 25, 2024

TikTok is a terrifying place. Users regularly show their entire face, cons that they’ve attended, and personal stories with too much detail to their audience. They show the inside of their apartment building and their unit number. They tag their small towns. Distinctive, unique tattoos get shown off to thousands of people, as well as the view from their front yard and what stores they can walk to. Some of the TikToks that came out of the pandemic were about remote learning, with the teacher visible on the screen. License plates and unblurred faces abound.

Even the tiniest detail can be used to turn someone’s life upside down, especially if they’re underage.

The worst part? It doesn’t have to happen immediately! Sometimes a ticking time bomb isn’t noticed until it’s already gone off. A video kids posted of themselves violating school rules can still be shuffled to the front of the feed weeks later. Ticked off a more anonymous user somehow? You’ll never know how the school found out you broke a rule. Videos of dance trends that kids wouldn’t want their parents seeing get sent to their parents based on information gathered over weeks or months of posts. All of it’s online. Video is an incredibly information-rich format, and when each video is under a minute long, any one person could look through them all.

It’s no surprise people are getting their own details shoved in their face when they’re posting this much about themselves!

The easy solution? Just don’t. Don’t download the app. If you do, don’t make videos. Of course, this isn’t going to happen, so the second-best option is to always film indoors away from windows, or in generic buildings like Targets or chain grocery stores. Don’t film yourself in a distinctive school uniform or in an identifying area of said school, because sometimes all it takes is specific colors. In Las Vegas, many of the school buildings look the same, but the colors are totally distinct to each school. If a kid has posted about living in Vegas before, those colors narrow down their location dramatically.

Shia LaBeouf’s flag, and 9Gag’s ‘meme hieroglyph’

It’s dangerous to attract too much attention from certain forums. 4Chan in particular is notorious for finding the unfindable, triangulating exact locations based on things like truck honks and light positioning. See the saga of Shia LaBeouf’s flag project, where the flag was found over and over until he was forced to put it in a featureless white room.

9Gag put a limestone pillar covered in ‘hieroglyphs’ (which were really just old memes carved into the surface) underground for future archeologists to find. 4Chan and other forums found it by cross-referencing information in the background (Spanish writing on a truck) with available limestone mines and open fields in Spanish-speaking countries, and pinned down its exact coordinates from that little information. They couldn’t do much about it, because it was a 24-ton piece of limestone, but they found it.

Crimes

If you post things online, someone may be able to find you given time and determination, no matter what you do. The best thing you can do to avoid attracting that determination is to fade into the background as much as you can, and not post crimes or social misconduct to TikTok or other social media. Even if you’re not planning on committing crimes, set your accounts to private, don’t overshare, and don’t do things that get you online attention for the wrong reasons. Once again, TikTok is terrifying because small accounts may think they’re sharing with their friends, only to end up trending unintentionally!

Maskless groups of friends posting videos at the beginning of the pandemic were scolded for being maskless, and because interaction makes videos more likely to appear on the ‘For You’ page, those maskless videos were getting thousands of people’s worth of harassment. If they were lucky, it stopped there – if they weren’t, they’d find that their school or place of work was being told about their conduct. Post something dumb? Algorithm catches it juuuust right? Previously anonymous posts then get a glance from hundreds to thousands of people! Suddenly, it matters a lot if you’ve ever posted videos that looked bad with no context.

And More Crimes

If you’ve seen posts that said “help me find her!” with some sob story about a missed connection, this is one way of finding people who don’t necessarily want to be found. Sure, it might be legit. It might also be a particularly clever stalker using a sad story about ‘I was out of swipes on Tinder!’ to get unsuspecting ‘good Samaritans’ to help him chase some woman’s Facebook profile down. Missed Connections on Craigslist is one thing – that’s pretty anonymous, and it doesn’t usually come with a picture or video attached showing everyone what the other person looked like. Posting a missed connection to thousands of people on Reddit or TikTok is an entirely different thing. It’s effectively setting a mob after that person to get them to respond to the poster. Imagine dramatic music – this is a horror story. The same goes for Missing Persons posts – if the number is anything but a police department’s number, you should be wary of trying to help, because sometimes people run away for good reason.

Sources: https://www.dhs.gov/sites/default/files/publications/How%20to%20Prevent%20Online%20Harrassment%20From%20Doxxing.pdf

https://dataprivacylab.org/projects/identifiability/paper1.pdf

NeoPets Is Still Online, Somehow

Elizabeth Technology April 18, 2024

Neopets was huge. At 21 million users during its peak, the website was a behemoth of the early 2000s. It’s still going today! Neopets is a free-to-play digital pet game, where the user can interact with digital pets, the Neopets. Games, chatrooms, and all the usual fixings of 2000s-era children’s sites were available to users.

It was also the subject of a couple of scandals, although nothing quite as dark as Club Penguin Re-Written’s issues.

The Avatar Swap

Firstly, the biggest one: the black market surrounding rare avatars.

Like many children’s games, Neopets self-funded with website ads sprinkled here and there, right up until it was purchased by a larger company, Viacom, with some big ambitions for the franchise: everything from console games to real-life toys was supposedly on the table. They’d need more money to execute these plans, however. Additional funding snuck in, and certain items became purchasable with Neocash, which players could buy with real money!

Pets with certain upgrades became more valuable than others because they had money invested in them, and a market began to form as soon as an update allowed pet trading. Trades weren’t an official feature before that; all a player could do was drop the Neopet off in the Neopet pound and hope the other party managed to snag the ‘abandoned’ pet. This actually held back the flood for a while – no guarantee of getting the pet meant no guarantee of payment, so trades were rarer in the early days. Still, trades happened, and eventually Neopets admins allowed trading officially. It let them monitor the activity, and the feature was very much requested anyway.

Trades: Value

Trades were about to become an issue, however. Neopets was constantly bandaging over or changing things, which left items in the lurch. New features and decorations for pets were steadily coming and going, but the old versions weren’t always taken out of the equation.

One such change converted the formerly unclothable pets into new, exciting, dressable ones. Most of the Neopet avatars were changed overnight with little warning. Players were disgruntled, as some pets got swapped into new categories: ‘sponge’ pets, brightly colored pets made of dish sponge material, turned into ‘mutant’ pets, a collection of tentacled and fanged creatures with a muted gray/green color palette. This is understandably upsetting! Pets that were cute became cuter, pets that were weird became weirder. The visuals on the ones that didn’t change category were still tweaked – the update added eye-shine, fur texture, and new poses to the flat original art. However, not all of the avatars were converted! Some were allowed to keep their old art, even though new art had been made for the species.

Neopets allowed players in this final category to choose whether or not to convert, and essentially created a black market for unconverted pets with unconverted art. Only a few species were allowed to stay as-is in their player’s dashboard, and any new players who created a pet of that species would be using the new art. As a result, these unconverted pets became legacy items, and their value exploded. People began trading real money for these pets, with deals set up in forums and private chat rooms. It was against the rules, of course, but when did that ever stop anyone? A tiered system that ranked pets popped up, which turned the pets into a sort of stock market! Pets had value based on what the community perceived their value to be.

Security

Admins did their best. Club Penguin had an enormous team covering a smaller userbase, while Neopets’ team was too small to focus on anything but the biggest fires.

Nowadays, the end of Flash support means the game is frequently buggy and uncooperative with player inputs. Staff is working to move to HTML5, but the age and size of the website makes that a Herculean task. Even before then, though, it had issues. Its initial transfer from Viacom to Jumpstart Games in 2015-ish came with a lot of lag and glitches all by itself during the move to new servers. Glitches that only made the situation with that black market worse! Now certain items could be ‘accidentally’ duplicated or deleted, and minigames were harder to play, encouraging the purchase of Neocash with real cash over grinding for points day in and day out. This is understandably frustrating for younger users.

Today, the website struggles with keeping time – the game’s clock is about two minutes behind the real world’s time, and as a result, things like two-factor authentication are very difficult to use. The website can send a code, the user can receive it and try to put it in, but at that point the website sees a code from two minutes into the future and declines it. Essentially, the website’s security is broken by the grandfather paradox.
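To show concretely how a slow server clock turns a valid time-based code into a rejected one, here is an added example (not code from the post or from Neopets) of a TOTP check in the style of RFC 6238; it assumes the site uses TOTP-style codes, which the post does not state, and the secret and timestamps are constructed:

```python
# Added example: a TOTP (RFC 6238) check showing how a server clock that runs
# two minutes slow rejects valid codes, and what an acceptance window does.
# The secret and timestamps below are constructed for the demo. Whether the
# site in the post uses TOTP specifically is an assumption; the post only says
# its clock runs two minutes behind and time-based codes are refused.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the usual TOTP time step


def totp(secret, unix_time, digits=6):
    """Compute the TOTP code for a shared secret at a given Unix time."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, per RFC 4226
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret, code, server_time, window=1):
    """Accept the code if it matches any step within +/- window of the
    server's idea of the current step. window=0 is a strict check."""
    base = int(server_time) // STEP_SECONDS
    for step in range(base - window, base + window + 1):
        expected = totp(secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def skew_demo(skew_seconds=120, window=1):
    """Return whether a code minted on an accurate client is accepted by a
    server whose clock lags by skew_seconds."""
    secret = b"constructed-demo-secret-not-real"  # constructed, not a real key
    client_time = 1_700_000_000                   # constructed timestamp
    server_time = client_time - skew_seconds
    code = totp(secret, client_time)
    return verify(secret, code, server_time, window)


if __name__ == "__main__":
    print("accurate clocks, strict check:", skew_demo(0, 0))
    print("server 2 min slow, strict check:", skew_demo(120, 0))
    print("server 2 min slow, usual +/-1 step window:", skew_demo(120, 1))
    print("server 2 min slow, +/-4 step window:", skew_demo(120, 4))
```

A two-minute lag is four 30-second steps, so the customary one-step tolerance does not rescue it; the real fix is keeping the server clock in sync, not widening the window.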

Hacks

Admins could reverse trades. But, doing so could reset an entire train of transactions if that pet was obtained illegitimately. This is obviously very annoying to players who just wanted a new shiny pet and had nothing to do with the initial theft. Responses to the issue from admins were mixed, and no one solution was universally applied. That sounds great, but every custom solution left people questioning the admins’ decisions. They seemed uncoordinated.

Even worse, hacking the website itself became a problem, and some guy created a bunch of unconverted pets via admin tools. The next few hours of gameplay for everyone were strange as the admins worked to remove the new unconverted pets from the game again, some of which were already traded far down the line. Since black-marketeering was against the rules, the community could only police itself by banning problem players or thieves from their forums, but their work was in demand and theft would happen anyway.

Surprisingly, big external hacks seem to be pretty rare – the hacking done for the black market happens from inside the site, and it needs the site to keep running to be worth anything. Rare doesn’t mean non-existent: one very big hack got several million assorted accounts in varying levels of completeness… but the database was too old to be of much use, and many passwords were missing corresponding emails. Which brings up the next point!

Dormant Users

The site never purges old, inactive users. This is a problem when the pet’s name is essentially its ID number – once a Neopet is named Spot, there can’t be another named Spot. Pets don’t disappear when they’re voluntarily discarded, either; they go to the Neopets pound where another player can adopt them. As such, the pet’s name adds value to the pet! Pronounceable names with no underscores, dashes, or numbers are significantly more valuable than keysmashed names on the black market.

This favors the early users who got first pick of the names, many of whom then abandoned their pets as they outgrew the game. Which encourages hacking! It’s not exactly malicious, as the hackers have no idea if the original user is ever going to come back to their pet, but it’s not exactly white hat, either, because of the personal information tied to the account and all that. Rather than treating abandoned accounts like accounts, they’re being treated like a mine. This is a non-renewable resource, so when the old accounts inevitably run out, what happens next? Where does the next supply of market-fodder come from? Not to mention that it’s difficult to actually gauge inactivity from the outside – the age of the account doesn’t necessarily mean it’s abandoned!

The admins could prevent the issues all of this causes by purging the accounts, so why not do that?

Purging users means that the unconverted pets in these inactive accounts would either A) flood the market, if the team releases them to the pound, or B) disappear forever, thereby destroying the new supply of unconverted and well-named pets. The adult users have more voice than the kid users do, so they’d be flooded with complaints and negative feedback on every channel.

Sources:

https://www.polygon.com/videos/2021/5/6/22423404/neopets-future-black-market-drama

https://www.polygon.com/22334511/neopets-still-exists-black-market-cheating

https://www.vice.com/en/article/ezpvw7/neopets-hack-another-day-another-hack-tens-of-millions-of-neopets-accounts

https://theoutline.com/post/4190/neopets-was-run-by-scientologists

http://www.neopets.com/

The Worst Way To Make A Password

Elizabeth Technology March 19, 2024

There are many ways to make good passwords.

How do you make a password that barely protects you at all?

1) Use something really identifying

Using a password like “dadof4” or “kayaking” when you regularly tell people that you have four kids or that you kayak is a good way to let your acquaintances know that you might be easy to Facebook-hack. The same goes for any interest, really! If your password is a political slogan or something to do with something you own and regularly post about – like a classic car, or #vanlife – you’re in for a bad time.

2) Use a Sequence

This goes beyond something like “12345” or “2468”. Don’t try the Fibonacci sequence, don’t try whatever the DaVinci Code had going on with that codex thing – don’t try pop-math as a password. Most brute-forcing AI is designed to try these numbers first. Testing a single eight-character password in a dictionary attack takes less than a tenth of a millisecond on a reasonably powerful home desktop computer, so of course a cyber-criminal is going to put all the memorable sequences at the front of the queue.

3) Use Pop Culture

In fact, stay away from pop password references in general. Ramses2? Someone who knows you like Watchmen could guess this. EequalsMCSquared? If your buddies know you like Big Bang Theory, the password’s not good enough. There are plenty of nonsensical pop-culture references that make good passwords – so you don’t need to be using the passwords that are super obviously passwords, the passwords the characters use in the show. Just stick to the sayings or catchphrases that are somewhat obscure, and make sure it’s A) long enough and B) mixes in enough special characters to thwart brute-force AI. Don’t let your hint (if the website lets you set one) become a trivia game.

4) Make it too short

Most websites won’t even let you get away with anything less than eight characters, but in case you find a really ancient one that doesn’t have these requirements, a surefire way to get yourself in trouble is to make your password very, very short. I’m linking a better description that goes over the equation in more detail here.

The equation they use assumes it will take 0.0017 milliseconds to compute a hash, or 1.7*10^-6 seconds. Multiply that by the size of the available character library: 26 (all lower- or all upper-case only), 52 (upper and lower case), 62 (upper and lower case plus numbers), or 80 (all of the above plus the special characters allowed in the password field), raised to the power of the number of characters in the password, and then divide all of that by two. For an eight-character password written with the upper and lower case libraries, the equation is this: ((1.7*10^-6)*52^8)/2 (seconds).

This is the time it takes to compute one hash, multiplied by the number of characters that could be in any one spot raised to the power of the number of spots, on a regular computer. Botnets and supercomputers, which hackers may have access to if they’re well-funded, take a thousandth of that time. When it’s very crucial to keep bad actors out, limiting login attempts and 2FA can help hold back even the most powerful of computers – but most people aren’t going to be targeted by someone with a botnet.

Basically, what you should glean from this is that a ten-character password using all available character libraries (26 upper case plus 26 lower case plus numbers 0-9 plus special characters) takes about three years to crack on a bot-net or a supercomputer and may as well be impossible on a single desktop.

An eight-character password with the same libraries takes approximately 4 years on a desktop, minutes on that botnet/supercomputer. Still powerful, not as powerful as a ten-character one though. An eight-character password with only lowercase or only uppercase (26 total possible characters) will take two days on a desktop, seconds on the botnet.

A four-character password with the full character libraries takes 34 seconds on a desktop, using the equation provided. On the botnet, it’s broken in less than a blink. The number is even worse if you’re sticking to upper- or lowercase letters only. If you want a bad password, shorter ones are the best way to make problems for yourself! Vice versa, the longer a password is, the harder it is to crack. Every character adds exponential amounts of time to the botnet’s attempts.
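The estimate above is easy to run for yourself. The following is an added example (not from the post or its linked source): it uses the post’s 1.7-microsecond hash time, its four library sizes, and its 1/1000 botnet factor; the rule that assigns a typed password to one of those library tiers is my own assumption.

```python
# Added example: applies the brute-force time estimate described in the post.
# Constants from the post: 1.7 microseconds per hash on a home desktop, a
# botnet/supercomputer assumed to be 1000x faster, and four character-library
# sizes (26, 52, 62, 80). The tier rule in charset_size() is an assumption.

HASH_SECONDS = 1.7e-6   # 0.0017 ms per hash, as the post states
BOTNET_SPEEDUP = 1000   # the post: a botnet takes "a thousandth of that time"


def crack_seconds(charset_size, length, botnet=False):
    """Average time to brute-force a password: hash time x (library ^ length) / 2.

    The division by two reflects that, on average, the right password turns
    up halfway through the keyspace.
    """
    seconds = HASH_SECONDS * (charset_size ** length) / 2
    return seconds / BOTNET_SPEEDUP if botnet else seconds


def charset_size(password):
    """Map a password to the smallest library tier from the post that holds it.

    Assumption (not in the post): any digit bumps the tier to 62 and any
    punctuation bumps it to 80, since the smaller libraries lack those symbols.
    """
    if any(not c.isalnum() for c in password):
        return 80
    if any(c.isdigit() for c in password):
        return 62
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    return 52 if has_lower and has_upper else 26


def human_duration(seconds):
    """Render seconds in the largest convenient unit, e.g. '2.1 days'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def estimate(password):
    """Return (library size, desktop estimate, botnet estimate) for a password."""
    size = charset_size(password)
    return (size,
            human_duration(crack_seconds(size, len(password))),
            human_duration(crack_seconds(size, len(password), botnet=True)))


if __name__ == "__main__":
    # Library/length pairs, starting with the two the post works through:
    # 8 lowercase-only characters and 4 characters from the full 80-symbol set.
    for size, length in ((26, 8), (80, 4), (52, 8), (80, 8), (80, 10)):
        print(f"{size:>2} symbols x {length:>2} chars: "
              f"desktop {human_duration(crack_seconds(size, length))}, "
              f"botnet {human_duration(crack_seconds(size, length, botnet=True))}")
    # Sample passwords constructed from the post's own examples.
    for pw in ("kayaking", "dadof4", "ILovePuppies2", "5P34KFR!3ND"):
        print(pw, estimate(pw))
```

Running it reproduces the two-day figure for eight lowercase letters and the 34-second figure for four characters from the full library; adding one character multiplies the result by the library size, which is the "exponential" growth the post describes.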

5) Make it a Sequence with numbers

Using “Password – Password1 – Password2…” can turn into a security problem, even though an AI might not be able to guess what you’re doing right off the bat. Using “ILovePuppies2” should, in theory, not be any less secure than “ILovePuppies1” or “ILovePuppies3”. Mathematically, they’re the same number of guessable characters to an AI. However, if your coworkers know that you use a base password with numbers behind it, they could brute force your account with knowledge the AI doesn’t have, and get in.

6) Use special characters in places you won’t remember them.

Doing the bare minimum eight to ten characters with an @ or a & sign thrown in there makes you more secure. However, it also makes the password more difficult to remember. If you were online in the 2000s, you might remember LeetSpeek, wh353 3W3 T&P3 L1%3 7H12. It was awful. Entire paragraphs were unreadable because the writers didn’t have solid rules for letter replacement, and would mix in homophones for words just to up the difficulty even more.

If you don’t remember your own rules for replacement (is 2 an S, or a Z? Do you always use % for K, or can it sometimes also be X? etc.) when writing a LeetSpeek password, you’re just making an easy-to-forget password with more steps. The same goes for using special characters in general – if you know you’re not going to remember replacing A with @ or 4, you’re going to give yourself a lot of trouble by trying to force these special characters in when you could use others, like punctuation characters, in easier-to-remember spots.

LeetSpeek makes great passwords – if you’re used to it, and if you know that your word or phrase will always come out with the same replacements. If SPEAKFRIEND is always 5P34KFR!3ND and never SP34%5R13|\|D, you’ve got a good code going on. Otherwise, you may as well be keysmashing.

7) Keysmashing

Don’t do this unless you have a password manager. You’re not going to remember the keys you hit. Your browser might, but then what do you do when you’re not on your native browser? You’re stuck resetting the password. Don’t keysmash. Just…don’t. It’s a bad way to make passwords. If you’re truly obsessed with randomness in your password, a solid password manager is a great way to make sure you a) always have your password with you and b) always pick a password with peak randomness. After all, keysmashing usually makes all the characters lowercase and keeps special characters out – it’s not actually fully randomized.

8) Make it something you won’t remember at all

Having to regularly reset your password is definitely annoying – and it can lead to security gaps when users get fed up with having to hit the reset password link, go to their email, hit that link, go back to the website, pick a new password, type it in twice, wait for the two-factor authentication message to come in, yada yada. CIS recommends no more than once a year because this is so common. The frustration of having to do this song and dance every couple of weeks can lead users to write their password down – which is significantly worse than just leaving the old, strong password that they remember as it is. Regularly resetting passwords won’t improve the security of the system if the user got it right the first time, and there’s solid 2FA in place – even the FTC agrees!

9) Use a master password for everything

It’s good to have a strong password. It is not good to use that same strong password everywhere! Let’s say you subscribe to an online game website. The game website is free, and the account is purely for age verification, so there’s no payment details. Only your email and password. (This applies to online forums, too!) They don’t invest in top-notch security because there’s no real reason to, no payment details, no SSNs stored somewhere, so a hack wouldn’t destroy their users – it would just be annoying to lose save progress for games. Unless…

Unless those users use a master password that’s tied to their email for every account they have. And if a hack were to get both off some little website that doesn’t even store payment data, like they frequently do, suddenly a hacker has access to everywhere you’ve used that master password. They’ll try everywhere. Every bank, every shipping company, every streaming service. That’s why the gaming website is even a target in the first place. It’s tempting – don’t do it.

10) Don’t use Two-Factor

If you really want an unpleasant online experience, don’t use two-factor anywhere. That way, even good passwords can act like bad passwords! Consider bullet number 4 here to imagine the power of a very determined hacker. Ultimately, if something’s really, really determined – it will spend all the resources it can to get in. Using two-factor can only help you! An eight-character password with no attempt limit is not nearly as much protection as it used to be, so Two-factor is essential unless you’re looking to have a bad time.

Sources: https://thycotic.force.com/support/s/article/Calculating-Password-Complexity

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

Internet Of Things Items Can Create Vulnerability

Elizabeth Technology January 23, 2024

Internet of Things items are convenient, otherwise they wouldn’t be selling. At least not next to regular, non-wifi-enabled items. They don’t even have to be connected to the internet, and they should stay that way!

An Internet of Things item, or an IoT item, is a device that has a WiFi- or network-enabled computer in it to make the consumer’s use of it easier. This includes things like WiFi-enabled/networked washing and drying machines, ovens, fridges, mini-fridges, coffee makers, lamps, embedded lights, etc.; anything can be an IoT item if it’s got WiFi capability.

Network Entry Point

Internet of Things items, when connected to WiFi, represent a weak link in the chain. They’re poorly protected, they’re designed to favor user friendliness over all else, and they’re usually always on. You likely don’t unplug your fridge or washing machine when you go to bed – that computer may sleep, but it’s not off. You probably don’t disconnect the internet when you go to bed, either. Some devices take advantage of this, and only schedule updates for late at night so you don’t notice any service interruptions. Unfortunately, their strengths are their weaknesses, and an always-open port is a dream for hackers.

Outdated Password Policies

Internet of Things items are rarely password protected, and if they are, many users don’t bother actually changing the password from the factory default. This makes them excellent places to start probing for weaknesses in the network!

Assuming someone’s hacking into a place to ding it with ransomware, there are a number of worthy targets: corporate offices, nuclear facilities, hospitals, etc. are all staffed by people, and people like their coffee. A well-meaning coworker bringing in an internet-enabled coffee machine for his coworkers is suddenly the source of a critical network vulnerability, an open port in an otherwise well-defended network!

If the coffee machine, or vending machine, or the lights are IoT items, they need to be air-gapped from the networks supplying critical data within the center (or cut off from the network completely), the same way outside computers are. The devices are simply unable to protect themselves in the same way a PC or phone is – there’s no way to download a suitable antivirus. If something gets past a firewall, and that password’s still default or nonexistent, there’s effectively no second layer of protection for IoT devices.

Malware

Hacking into a fridge, for example, is not nearly as hard as hacking into an old PC. Even great antivirus can struggle with traffic coming from inside the network, and IoT devices are often missed in security checkups. After all, when McAfee or Norton or Kaspersky recommends you scan your computer, are they offering to scan your lightbulbs as well?

Once they’re in, the entire network is vulnerable. Ransomware events with no obvious cause, malware that’s suddenly deleted all the files on a server, stolen data and stolen WiFi – all of it’s possible with IoT devices. There’s more to gain than just bots for the botnet, which is why hackers keep going after these IoT items.

IoT devices are also much easier to overwhelm to gain access, even with firewalls and effective load balancing. DoSing an IoT item can be as simple as scanning it. No, really. A team in the UK found that they could shut down turbines in a wind farm by scanning them. The computers inside weren’t equipped to handle both a network scan and their other computing duties at the same time. Many user devices are in the same spot or worse!

Security

Besides turbines, items like cameras and door locks probably shouldn’t be connected to the internet just yet. A terrifying string of hacks let strangers view doorbell and baby monitoring cameras, for example, because the cameras themselves were difficult to defend even though the network was protected by a router. This is terrible for obvious reasons, and class action suits were filed soon after. It even happened accidentally: Nest users would occasionally end up viewing other people’s cameras, a bug in the system that was only fixed after complaints were made. A consistent pattern is forming here: security patches are only issued after vulnerabilities are discovered by the consumer! Any other type of programming wouldn’t get away with this without some public outcry – you shouldn’t have to become a victim of a security flaw to get it fixed.

And then there’s things that physically interact with the security features of a house, like electronic locks. There’s nothing wrong in theory with a password lock. However, electronics are not inherently more secure than physical locks, and adding in WiFi only gives lockpickers another ‘in’. Hacking the lock could lead to being locked out of your own home, or worse. Besides, a regular lock will never unlock itself because its battery died, or because you sat down on the fob while getting on your bike or into your car. If you do want a password lock, it’s better to get one that’s not network enabled.

We aren’t quite at the point where hacked self-driving cars are a legitimate issue, although the danger is growing on the horizon. Cars are also poorly protected, computer wise.

BotNets

The fridge doesn’t need a quad-core processor and 8 GB of RAM to tell you that it’s at the wrong temperature, or that the door’s been left open and you should check the milk. The voice-controlled lightbulbs only need enough power to cycle through colors. IoT items are weak. However, that doesn’t mean they can’t be used for things like botnets, even if your main PC wards off botnet software.

Botnets are networks of illegitimately linked computers used to do things like DDoSing, brute-forcing passwords, and all other kinds of shenanigans that a single computer can’t do alone. By combining the computing ability of literally thousands of devices, a hacker can turn a fridge into part of a supercomputer. No one ant can sustain an attack on another colony, but an entire swarm of ants can!

This is another reason tech experts are worried about IoT items becoming widely used. Their basic vulnerabilities give skilled hackers the ability to ding well-protected sites and fish for passwords even if the network they’re targeting doesn’t have any IoT items on it. It’s a network of weaponizable computers just waiting to be exploited. Remember, password protect your devices!

Source:

https://eandt.theiet.org/content/articles/2019/06/how-to-hack-an-iot-device/

https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/

https://www.courtlistener.com/docket/16630199/1/orange-v-ring-llc/

New Top-Level Domains

Elizabeth Technology July 25, 2023

Google recently released some new top-level domains for purchase.

What is a Top-Level Domain?

A top-level domain is one of the most important parts of a website’s internet address, after the ‘root’ zone. A URL (Uniform Resource Locator) is made up of several pieces. The first part, usually http:// or https://, is the ‘scheme’, which tells your device which application it should use to open the URL. ‘www’, the part right after that, is a subdomain – it gives your device additional information about the website, and can even be swapped out depending on the website being used (although www is very common). After that is the domain – in a website name like www . example . com, ‘example’ is the domain. In www . google . com, ‘google’ is the domain.

After that comes the top-level domain – the last part of the address, such as .com, .org, or .gov, which is just below the domain name in importance. If you type in the wrong top-level domain, you will not land on the correct website, just like if you mistyped the main domain name. Some top-level domains are controlled (only U.S. government bodies can use the .gov ending, according to CISA, and only websites in the United Kingdom use the .uk top-level domain) but others are open and available to whoever wants to use them. They don’t have to be three letters or less, either – .pizza, .tube, and .online are just some of the top-level domains one can buy. Truly, the world is an oyster!

Trouble Afoot

With all that out of the way, what has Google done this time?

The thing about top-level domains is that they have to be for sale first! There are a limited number of domain vendors, and not every domain vendor can sell every type of top-level domain. However, any established organization in the world, public or private, can apply to create and then operate a new top-level domain. They have to prove their capability, because doing that takes a lot of money and server space, but it’s possible for large companies like Google.

The problem is that a few of Google’s cool new top-level domains are A) already in existence elsewhere, and B) exist in a place where they can overlap. Google released eight new top-level domains, and two among them are also file types: .zip and .mov.

For convenience, many programs and websites will turn anything that looks like a web address into a hyperlink. Typing www.google.com into Word, for example, will create a hyperlink. The same goes for Outlook and Teams. This is the core of the problem: mentioning a file you’ve saved elsewhere in an online communications channel now creates an opportunity for the recipient to click on a link they didn’t mean to.

If you mean to tell someone that they should check out the photos[dot]zip file attached to the email you’re sending, and they mistakenly click the auto-hyperlink instead of downloading the file attachment, they end up visiting an unknown (and potentially malicious) website. Or, if someone in a Teams chat group says the new photos are ready in the photos[dot]zip file in the company OneDrive, they’ve opened their team up to accidentally clicking a link they think leads to the shared files. Simple statements that weren’t issues before are now security risks! A particularly clever scammer could set up auto-downloads of .zip files named the same as the website, so the victim doesn’t even realize they’re downloading malware. If their browser throws a warning, they’re likely to trust the source if they don’t know that this is a possibility. The same goes for .mov files, but those aren’t as common as .zips are.
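The following is an added example, not code from the original post: it splits a URL into the scheme, subdomain, domain and top-level domain described above, and then scans a constructed chat message for bare file-like tokens (photos.zip, demo.MOV) that an auto-linker would treat as hostnames under the .zip and .mov top-level domains. The sample message, the function names and the [dot] defanging style are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Google's 2023 top-level domains that double as common file extensions
FILE_EXTENSION_TLDS = {"zip", "mov"}
_LABEL_RE = re.compile(r"[A-Za-z0-9-]+")


@dataclass
class UrlParts:
    """The pieces described in the post: scheme, subdomain, domain, top-level domain."""
    scheme: Optional[str]
    subdomain: Optional[str]
    domain: str
    tld: str


def split_url(url: str) -> UrlParts:
    """Split a URL (or a bare host such as 'photos.zip') into its parts."""
    scheme = None
    rest = url
    if "://" in url:
        scheme, rest = url.split("://", 1)
    # The host ends at the first path, query or fragment separator
    host = re.split(r"[/?#]", rest, maxsplit=1)[0].lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError(f"not a dotted hostname: {host!r}")
    return UrlParts(
        scheme=scheme,
        subdomain=".".join(labels[:-2]) or None,
        domain=labels[-2],
        tld=labels[-1],
    )


def find_filename_autolinks(text: str) -> List[str]:
    """Return tokens that read as file names but that an auto-linker would
    turn into a hostname under a file-extension TLD (e.g. 'photos.zip')."""
    hits = []
    for raw in text.split():
        token = raw.strip(".,;:!?()[]<>\"'")
        if "." not in token:
            continue
        try:
            parts = split_url(token)
        except ValueError:
            continue  # not hostname-shaped, so no auto-linker will touch it
        if parts.tld in FILE_EXTENSION_TLDS:
            hits.append(token)
    return hits


def defang(token: str) -> str:
    """Rewrite the final dot as '[dot]' so chat and mail clients stop linking it."""
    stem, _, ext = token.rpartition(".")
    return f"{stem}[dot]{ext}" if stem else token


# Constructed sample message for this example, not text from the original post
SAMPLE_MESSAGE = (
    "The new photos are ready in the photos.zip file on the company OneDrive; "
    "the teaser is demo.MOV and the report is at https://www.example.com/report.pdf"
)

if __name__ == "__main__":
    for hit in find_filename_autolinks(SAMPLE_MESSAGE):
        parts = split_url(hit)
        print(f"{hit} would auto-link to host {parts.domain}.{parts.tld}; write it as {defang(hit)}")
```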

Google has basically opened the door to a new kind of scamming, and their reasons for doing so are unclear.  

Please, Don’t Just Scan That QR Code

Elizabeth Technology April 27, 2023

The Past and Present of Random Links

Before the age of built-in antivirus and user-friendly web design, it was entirely possible to wander onto a webpage that would just start downloading something malicious out of nowhere. Popups that did this were a serious problem, and many browsers responded by adopting a sort of zero-trust philosophy. Firefox, for example, will tell you when a site has tried to open a pop-up and ask whether you still want to open it. This does occasionally catch honest secondary windows (payment portals and the like), but the great thing is that because it asked, you can say ‘yes, I wanted that to open’, and you’re not stuck with some horrid flashing popup dominating your screen every other time.

Aside from popups, some websites were able to either trick users into downloading things by mimicking a real website, or simply start downloading things themselves as soon as they were clicked. Separate antivirus programs were needed to combat phishing downloads alongside other website trash, as browsers can’t always differentiate between intentional and unintentional downloads. In this era of the internet, misclicking or accidentally misspelling a website URL could be catastrophic for the computer. Big hosting companies protect their hosted websites now by preventing others from registering domains that are almost the target URL, but not quite (a form of domain squatting) but this wasn’t always the case.

Furthermore, hyperlinks can be used to trick people into clicking things they’d otherwise have avoided. Remember Rick Rolling? Every trick that anyone has ever used to Rick Roll you can also be used to get you to click on, and download, something you don’t want on your computer. Disguised hyperlinks. Obfuscated URLs that re-route a couple of times to get you to lower your guard. Clickable buttons, in place of links. Social engineering. The list goes on!

The False Sense of Security

The modern web as most people browse it is a safer place than it used to be. Google’s SEO is partly responsible: users who report unpleasant website experiences, or who demonstrate that a website isn’t good by leaving within a few seconds of it loading, push that website lower in the search results, until eventually Google stops letting it pop up near the top at all. Hosting services are partly responsible too. They have a monetary interest in keeping their websites whitelisted, and malicious websites screw that up for them. Plus, it’s sort of scummy. Would you want to do business with a company that passively allowed one of its clients to wreck another potential client’s car? Probably not!

Antivirus and default browser settings take care of much of the rest. But these things don’t mean the nastier parts of the web have stopped existing; they just mean it’s harder to get there without doing so intentionally. Users don’t fear clicking on links that lead to sources or Ko-fi pages because it’s been so long since that was a problem. Forum users click through links with no fear. While this is not a perfect breeding ground for old-style scam links to come back (most people still know and remember the warning signs), it is a perfect breeding ground for something new built on old foundations: QR code scams.

QR Codes

A QR code is a sort of bar code that’s recorded in two dimensions (vertical and horizontal) instead of one. Almost every modern phone (and many of the outdated ones) comes with a QR-reading feature built in. QR codes and code readers have a high tolerance for missing or damaged information, making them a fantastic resource for quick and easy link-loading: where a barcode is unreadable if a bar is missing, a QR code can often still be read if squares are missing or obscured. Advertisements, verification texts, digital menus, libraries, virtual queues, etc. all benefit from how simple it is to whip out a phone and point the camera at a black and white square for a few seconds. It’s even easier than typing in a link, and you can direct users to specific pages with gangly URLs without worrying how that URL is going to look on printed material. The user isn’t going to see the URL anymore; they’re going to see the QR code!

This led to things like QR code stickers out in public that would lead to individual GIFs or art project websites, a form of easy-to-remove graffiti that still showed off some art in today’s hyper-online world. QR codes gave restaurants and their diners an easy way to see a digital menu without having to type in a URL. It also made Rick Rolling easy again.

You’re probably already seeing the issue here: when users can’t see the URL, they have no way of knowing where they’re going to end up when they scan it. A hyperlink’s true destination is visible to a user when they press and hold on mobile, or hover their mouse pointer over it on desktop – the same is not universally true for QR codes (some phones and programs show the link before asking you to continue, but many do not). The scam potential for these codes is off the charts because many do not understand them as ‘links’ but as ‘scannable objects’.

Discord Scam

For example, the recent slew of Discord scams! Essentially, a scammer compromises an account, either by password brute-forcing or by social engineering, and sends messages to everyone on that person’s friend list saying things like “ummm idk if this is really you or not but it was your name and it says you sent a girl gross stuff like wtf? Check the #shame tag and you’ll see it. I’m blocking you just in case, I can’t be friends with a predator”. They then send a link inviting you to join the Discord server mentioned in the message, and block you so you can’t continue to chat with them. Because this is a compromised account, possibly belonging to someone you actually speak to regularly, it can be very alarming, and the first instinct is to join the server so you can defend yourself against whatever allegations have allegedly been made there. The invitation comes as a QR code, sent so you can clear your name and get your friend to unblock you, but when you scan it, it tricks your phone into handing over the login credentials for your Discord account, compromising it and continuing the scam.

This is the sort of scam that happened all the time before people grew wary of random DM’ed links! Here we are again, re-learning not to trust people that talk like bots and the things those bot-people/compromised accounts send us.

Assigning Macros

Elizabeth Technology April 25, 2023

If you’re getting sick of having to, say, embolden and italicize words in your program over and over, have no fear – you can reduce the number of steps you have to take to do that (and many other tasks) using macros!

How To Make a Macro

The process is simple! To add a macro to a button on your mouse for use across the computer, follow these steps as listed by Microsoft (this document has pictures): https://support.microsoft.com/en-us/topic/how-do-i-create-macros-bd0f29dc-5b89-3616-c3bf-ddeeb04da2fb

To do so in Word, here: https://support.microsoft.com/en-us/office/create-or-run-a-macro-c6b99036-905c-49a6-818a-dfb98b7c3c9c

And Excel, here: https://support.microsoft.com/en-us/office/quick-start-create-a-macro-741130ca-080d-49f5-9471-1e5fb3d581a8

As with anything you do that could change the functionality of a button or mouse click, be very careful when assigning buttons certain actions! You don’t want to remove your ability to do something important (like right-clicking) by adding a macro that closes Word every time you try to paste something without using the keyboard.

Macros as a Malicious Entity

Documents for programs like Word and Excel can carry macros designed to run as soon as the file is opened, and not every macro is harmless. Some do things like creating hundreds of new documents, some can corrupt your drive, and most of them try to take over the other documents on the computer when those are opened. This is why recent editions of Microsoft Office products warn you that you shouldn’t open a document outside of Safe Mode unless you trust its source. An ordinary-looking .XLSM document can completely brick your hard drive if it comes with the macros to do it!

This is also why you should always verify the sender of an attachment before you open it, even a .pdf. Malicious attachments using macros can steal the contents of the target’s email address book and send those addresses malicious emails too, continuing the cycle and spreading the document until it gets somewhere with valuable information. An early version of this, a macro called “Melissa”, would bait users into opening the document in Word, and then hijack their Outlook to send its bait email to the first fifty contacts in the victim’s address book as the victim (read more here at the FBI site: https://www.fbi.gov/news/stories/melissa-virus-20th-anniversary-032519). Melissa itself may be obsolete, but the technique sure isn’t.

Worse, because the macro is coming from an application, it’s already compatible with anything that’s running that application. Mac is not spared this time. A malicious macro can open hundreds of garbage Word docs on a Mac too!
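As an added example (not from the original post), here is the kind of pre-open triage a mail gateway or help desk can run on an Office attachment: modern Office files are zip containers, VBA code lives in a vbaProject.bin part, and a file that carries one while its extension claims to be macro-free deserves a second look. The sample containers built in-memory below are constructed stand-ins for real documents, and the function name is an assumption for this example.

```python
import io
import zipfile
from pathlib import PurePath
from typing import Dict, Union

# Office extensions that openly advertise they may contain macros
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Inside an OOXML (zip) container, VBA code is stored in a part with this name
VBA_PART_NAME = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_attachment(filename: str, data: bytes) -> Dict[str, Union[str, bool]]:
    """Triage an attachment before anyone opens it: does the container carry VBA,
    and does the extension admit it? 'mismatch' flags VBA inside a file whose
    extension (.docx, .xlsx, ...) claims it is macro-free."""
    ext = PurePath(filename).suffix.lower()
    verdict: Dict[str, Union[str, bool]] = {
        "filename": filename,
        "ooxml": False,
        "has_vba": False,
        "macro_extension": ext in MACRO_ENABLED_EXTENSIONS,
        "mismatch": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary formats (.doc/.xls OLE2 files) need a different parser
        return verdict
    verdict["ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        declared = ""
        if "[Content_Types].xml" in names:
            declared = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # Look for the VBA part under any folder (xl/, word/, ppt/) or a declared VBA content type
    has_part = any(PurePath(name).name == VBA_PART_NAME for name in names)
    verdict["has_vba"] = has_part or VBA_CONTENT_TYPE in declared
    verdict["mismatch"] = verdict["has_vba"] and not verdict["macro_extension"]
    return verdict


def _build_container(parts: Dict[str, Union[str, bytes]]) -> bytes:
    """Constructed in-memory zip standing in for a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples for this example, not real documents
CLEAN_WORKBOOK = _build_container({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
})
MACRO_WORKBOOK = _build_container({
    "[Content_Types].xml": (
        '<Types><Override PartName="/xl/vbaProject.bin" '
        f'ContentType="{VBA_CONTENT_TYPE}"/></Types>'
    ),
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00" * 64,  # placeholder bytes, not a real VBA project
})

if __name__ == "__main__":
    for name, blob in [("report.xlsx", CLEAN_WORKBOOK), ("quarterly.xlsm", MACRO_WORKBOOK),
                       ("quarterly.xlsx", MACRO_WORKBOOK)]:
        print(inspect_office_attachment(name, blob))
```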

Consider a Password Manager

Elizabeth Technology April 13, 2023

Alongside 2FA, making a difficult-to-guess password can stop a staggering number of cyberattacks, both brute-force and engineered. But how exactly do you do that? The latest recommendation for a password has jumped from 8 characters to 10, or 12 if you really want to play it safe, and a scrambled set of characters that meets all of a decent administrator’s password requirements is going to be difficult to remember almost no matter what! If you do make a good, memorable one, you shouldn’t be using it anywhere else. It’s also unfeasible to just reset your password every time you need access to a site. What can you do?

Get a Password Manager

Password managers bridge the gap between the passwords you want to make, the ones you can remember, and the password that meets all of the site’s requirements. This is such a common problem that it’s even built into some browsers! Firefox will save your passwords securely for you, although you can always download the third-party extensions of your choice in the Mozilla add-ons page (https://addons.mozilla.org/en-US/firefox/extensions/). While Chrome also has a built-in password manager, if your Google account gets hacked, all of your passwords just went with it, so in their case it’s better to go third-party.

You can download reputable password managers such as LastPass or 1Password just as easily and perhaps more securely – in all of LastPass’s existence, it’s never had its password database breached (although their dev environment had a security incident a little while ago).

DO NOT “Just Write It Down”

If you think just writing the password down on a Post-It is good enough, don’t be so sure! Social engineering is probably the easiest way to get into someone’s computer. If someone wanders into your office when you’re not there, and they spy your password written on a Post-It stuck to your desk, then boom – they’re in.

Similarly, this actually isn’t a great way to keep track of your passwords even if nobody else has access to it. For example, if you keep a Word doc with a bunch of passwords in it, assuming nobody is going to be able to A) find it or B) identify which passwords you used where (assuming you didn’t write down your username with them), you can also assume you’re not going to remember them either!

If you don’t use them frequently, you’re far more likely to forget what goes where. Oh, good, a random bunch of numbers and letters just titled ‘game account’ on the front of a Post-It that’s lost all its sticky powers. Where does it go? What is the username? Does it need a username, or just your email? Good luck figuring that out!

But the Manager is Always On!

Yes, these password managers are always prepared to fill in a blank on a webform. If you leave your office without putting your computer to sleep, then hypothetically someone could access an account of yours using one. However, this is easy to fix. If you’re not putting your computer to sleep or locking the screen when you leave for extended periods of time, you should! If you’re not doing that because your password is too long to type in every time you get up, consider setting up a login PIN instead to remove that barrier – a regular person isn’t going to be able to guess every permutation of four-to-six numbers (and sometimes letters depending on your admin’s settings!) in a reasonable amount of time. By locking the desktop, the manager’s convenience can’t be used against you. It’s more secure, anyhow. It’s actually a requirement for companies that follow HIPAA standards!

What is a VPN?

Elizabeth Technology March 23, 2023

Note: this is not meant to act as a buyer’s guide. 

If you’ve been on Youtube in the past couple of years, you might have noticed an uptick in sponsorships from VPNs, making all sorts of claims. But what does a VPN do?

Location Services

Sometimes content published online is kept exclusive to certain countries. Canada, for example, has a rule that a certain percentage of their entertainment has to be made by Canadian artists, and Germany’s copyright laws are notoriously strict. VPNs can allow people to access this content as though they were from where it was made, instead of where they are actually at. American music videos and uncut Hulu channels for everyone!

Privacy

VPNs are usually advertised for privacy purposes. And most work pretty well! Instead of sending your traffic straight through the ISP in the clear, the VPN encrypts it between your device and the VPN server. From that server, your request goes through to the content you wanted, and the content comes back to you the same way. The ISP, which is usually responsible for restricting content, can’t see this data and therefore can’t restrict it. For privacy concerns around the ISP, that anonymizing is great.

It doesn’t stop there, either: If the VPN is encrypting the data coming to and from a coffee shop’s WiFi for your computer, it’s hiding it from anyone who has access to that network – which might be more than the ISP. If all it takes is the password on the receipt to get into the network, then in theory almost anyone who finds a receipt or buys a drink can access the network. This could become a problem if that person knows more about WiFi than the owners of the shop do.

But Branding?

How is it possible for there to be so many? Don’t they all do the same thing? Kinda. That’s also why ads for VPNs have become so incredibly pervasive. The barrier to entry to sell one as a service is actually pretty low. Depending on where the host buys their server space, they’re also low maintenance. Given those two conditions, the only thing that could keep someone from making money off of one is their visibility. The market’s flooded, so right now the winner of the race is the one with the most advertising dollars.

Does it do Everything?

For advertising concerns, a VPN is not the be-all end-all of privacy. There are so many devices in the average house (your phone, your WiFi enabled washer, your computer, your Smart TV, your gaming console…) that advertisers will still have an idea of who you are, which doesn’t even include things like cookies. When you’re using Google, every Google service knows what you’re interested in, unless you’re signed out and incognito – so searches you made could be used to tweak the content that appears on your Youtube’s ‘recommended’ page. Google allows you to turn off ad customization – that doesn’t mean they aren’t keeping the info.

Accounts

If you have an account with, say, Amazon, they already know what you’re looking at on their site because it’s linked to the account. Or if you have a digital assistant that you regularly search or browse with, the VPN can’t help you. If you’re really interested in browsing privacy and not accessing Geo-locked content, you could download something like DuckDuckGo or Ecosia (this is not a buyer’s guide, products only used as examples). These services don’t store data on your search habits. Privacy-focused search engines aren’t foolproof, but if your main concern is privacy from advertisers and you don’t want to spend money on a subscription…

Where’s The Data?

There are also concerns about the many different VPNs themselves: you are partially anonymous to your ISP (they still know you’re using them, and for approximately how much data) but you are not anonymous to the VPN. In some cases, the website on the other end expects non-encrypted data, which means that the VPN literally cannot connect you without un-encrypting that data. To be fair, most browsers will warn you about unencrypted websites. But if you insist because you think the VPN’s keeping you safe, this is important information to know. Besides that, the VPN itself can sell your data. Or get hacked! The barrier to entry is very low, which is why this is a problem!

Long story short, when Youtubers are trying to sell this service, they don’t tell you why you might not need it. It’s not a good idea to connect to public WiFi without some sort of protection. VPNs can help. VPNs are a good service if you really want to watch the UK version of The Office. However, VPNs are not an invincible shield, and they’re not always capable of end-to-end encryption. They’re a security tool, not a comprehensive solution to your privacy woes.

As always, do your research on the brands you’re considering before jumping into it headfirst.

Remember, this is an overview of VPNs as a service, not a buyer’s guide!

Sources: https://www.pcmag.com/news/what-is-a-vpn-and-why-you-need-one

https://en.wikipedia.org/wiki/Virtual_private_network (Wikipedia here serves as a full explanation of what they are without the potential bias of money)

Preventing Piracy Is Hard

Elizabeth Technology March 21, 2023

It’s frustrating to have someone else steal your work. That’s why piracy is one of the biggest scourges of entertainment today. Yet bootlegs and copyright infringement still happen, and sometimes undetectably. So, if the person pirating is outside your legal reach, how do you keep them from enjoying your work for free?

Create anti-piracy measures, of course.

Tainting the Well

Cher briefly released songs on LimeWire that played very quietly, in an effort to get the listener to jack up their volume. After a little bit, she’d shout at you to stop stealing at the normal volume band – which was now at max volume. This didn’t last very long, because downloads had names on the site, but there was no limit to what artists would do to keep their intellectual property in their own hands. Ironically, the worst LimeWire users themselves were more likely to protect property than the artists! Trolls would put some strange things on otherwise normal tracks, and some people would rather go to iTunes than play download lottery. They tainted the well themselves.

Shame

People tend to be more embarrassed that they got caught with their hand in the cookie jar than they are about the pirating itself. Asking about the bizarre version of the song you downloaded would out you as a pirate. And music wasn’t the only industry to do this.

A whole bunch of games would give strange errors or messages to get pirates to ask about them online. Of course, the pirates were the only ones who got these messages, so creators and other fans alike knew they’d pirated the software. That was the punishment: everybody on the game’s Steam page knew you were a pirate! Those caught then either self-exiled or doubled down on the pirating, removing themselves from the forum to avoid the shaming.

Anti-Piracy software

Games have great examples of anti-piracy in action. Piracy detection used to be pretty hard – all it took was a blank disc and a PC that already had the game on it in the early days to make copies. Games would use physical wheels or artifacts on the inside of the game’s packaging to be sure you had a legit copy – if you couldn’t answer a question pre-programmed into the game, you didn’t have the original package, and you couldn’t play. Then, as computers got better and games could take up more space, programmed anti-piracy kicked into a higher gear. Anything and everything went – it was the pirate’s problem if they didn’t like it. Earthbound, a game that was already difficult, would crash at the final screen and then delete all your save data. So would Spyro, although Spyro would warn you that it thought you were playing a bootleg copy before you got to the end.

The goal was to frustrate the pirate, which would eventually prevent piracy in its own way. Some developers went to guilt, instead: Alan Wake just slaps an eyepatch with the Jolly Roger on your character to remind you that you’re playing a pirated copy and you should feel bad. So does Quantum Break.

Business Software License Checks

There are many obvious downsides to pirating something like Excel. Namely, if something goes wrong, what are you going to do? Contact the vendor? With your illegitimate copy? Good luck with that. It doesn’t help that Microsoft runs audits, too – if they detect a license or a product key not in line with what they’re expecting, they’ll know you’re pirating. If another copy of Word tries to interact with an illegitimate copy, they’ll know you’re pirating. Basically, if you’re ever connected to the internet with a cracked copy of Office software, they’ll know. There are so many free alternatives that pirating Word seems foolish.

Microsoft is doing it for more than the money, too. There’s a growing host of people online who would just love to scam some businesses into downloading malicious software, alongside illegitimate copies of Word. Assuming the business owner genuinely believes they’re getting real copies of Office, Microsoft’s good name is tainted!

CAP Software

Pirating early-release discs destroys faith in reviewers. However, early reviewers are also giving you a lot of free advertisement, so it wouldn’t be very smart financially to just cut them all off. Instead, studios use CAP software, which stores a code in the file. If the file is leaked or copied, the code is present, and the studio knows exactly which reviewer to cut off. Versions of this using tones mixed into the audio of the movie and visual watermarks are also common! Everyone benefits: the studio still gets its promotion, the reviewer gets to review the movie, and the viewer gets some early information about what they want to watch, legitimately. The pirate is slapped with a fine and everyone moves on.
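As an added example (not the post’s own code, and not how any real CAP product works internally), the following shows the per-recipient code idea on a constructed 16-bit audio clip: each reviewer’s copy carries a code derived from a studio secret with HMAC, so a leaker cannot guess another reviewer’s code, and the studio recovers the code from a leaked copy to name the source. The least-significant-bit embedding stands in for the audio tones mentioned above; the sample clip, reviewer names and secret are assumptions for this example, and real screener watermarks are built to survive re-encoding, which this simple scheme is not.

```python
import hashlib
import hmac
from array import array
from typing import Iterable, Optional

CODE_BITS = 32  # length of the per-reviewer code carried in the clip


def reviewer_code(secret: bytes, reviewer_id: str) -> int:
    """Per-reviewer code: a truncated HMAC, so codes are unguessable without the studio secret."""
    tag = hmac.new(secret, reviewer_id.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(tag[:CODE_BITS // 8], "big")


def embed_code(samples: array, code: int) -> array:
    """Return a copy of the 16-bit PCM samples with `code` written into the
    least-significant bit of the first CODE_BITS samples, most significant bit first.
    Each marked sample moves by at most 1, which is inaudible."""
    if len(samples) < CODE_BITS:
        raise ValueError("clip too short to carry a code")
    marked = array("h", samples)
    for i in range(CODE_BITS):
        bit = (code >> (CODE_BITS - 1 - i)) & 1
        marked[i] = (marked[i] & ~1) | bit
    return marked


def extract_code(samples: array) -> int:
    """Read the code back out of the LSBs of the first CODE_BITS samples."""
    code = 0
    for i in range(CODE_BITS):
        code = (code << 1) | (samples[i] & 1)
    return code


def identify_reviewer(secret: bytes, leaked: array, reviewers: Iterable[str]) -> Optional[str]:
    """Recover the code from a leaked copy and match it against the reviewer list;
    None means no issued copy matches (e.g. an unmarked master)."""
    found = extract_code(leaked).to_bytes(CODE_BITS // 8, "big")
    for reviewer in reviewers:
        expected = reviewer_code(secret, reviewer).to_bytes(CODE_BITS // 8, "big")
        if hmac.compare_digest(found, expected):
            return reviewer
    return None


# Constructed stand-in for the screener's audio track: 256 samples of a synthetic waveform
MASTER = array("h", ((i * 37) % 2001 - 1000 for i in range(256)))
REVIEWERS = ["reviewer-a", "reviewer-b", "reviewer-c"]
STUDIO_SECRET = b"constructed-demo-secret-not-for-real-use"


def screener_for(reviewer_id: str) -> array:
    """The copy the studio would hand to one reviewer."""
    return embed_code(MASTER, reviewer_code(STUDIO_SECRET, reviewer_id))


if __name__ == "__main__":
    leaked_copy = screener_for("reviewer-b")
    print("leak traced to:", identify_reviewer(STUDIO_SECRET, leaked_copy, REVIEWERS))
```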

Sources:

https://www.thegamer.com/clever-anti-piracy-techniques-in-gaming/

http://jolt.law.harvard.edu/articles/pdf/v07/07HarvJLTech377.pdf

https://www.forbes.com/sites/forbestechcouncil/2019/06/27/four-data-driven-ways-to-combat-software-piracy/?sh=58e23a84320e