Posts Tagged

security

Internet Of Things Items Can Create Vulnerability

Elizabeth Technology January 23, 2024

Internet of Things items are convenient; otherwise they wouldn’t be selling, at least not next to regular, non-WiFi-enabled items. They don’t even have to be connected to the internet to work, and they should stay disconnected!

An Internet of Things item, or an IoT item, is a device that has a WiFi- or network-enabled computer in it to make the consumer’s use of it easier. This includes things like WiFi-enabled/networked washing and drying machines, ovens, fridges, mini-fridges, coffee makers, lamps, embedded lights, etc. Anything can be an IoT item if it’s got WiFi capability.

Network Entry Point

Internet of Things items, when connected to WiFi, represent a weak link in the chain. They’re poorly protected, they’re designed to favor user friendliness over all else, and they’re usually always on. You likely don’t unplug your fridge or washing machine when you go to bed – that computer may sleep, but it’s not off. You probably don’t disconnect the internet when you go to bed, either. Some devices take advantage of this, and only schedule updates for late at night so you don’t notice any service interruptions. Unfortunately, their strengths are their weaknesses, and an always-open port is a dream for hackers.

Outdated Password Policies

Internet of Things items are rarely password protected, and if they are, many users don’t bother actually changing the password from the factory default. This makes them excellent places to start probing for weaknesses in the network!

Assuming someone’s hacking into a place to ding it with ransomware, there are a number of worthy targets: corporate offices, nuclear facilities, hospitals, etc. are all staffed by people, and people like their coffee. A well-meaning coworker bringing in an internet-enabled coffee machine for his coworkers is suddenly the source of a critical network vulnerability, an open port in an otherwise well-defended network!

If the coffee machine, or vending machine, or the lights are IoT items, they need to be air-gapped from the networks supplying critical data within the center (or cut off from the network completely), the same way outside computers are. The devices are simply unable to protect themselves in the same way a PC or phone can – there’s no way to download a suitable antivirus. If something gets past a firewall, and that password’s still default or nonexistent, there’s effectively no second layer of protection for IoT devices.

Malware

For example, hacking into a fridge is not nearly as hard as hacking into an old PC. Even great antivirus can struggle with traffic coming from inside the network, and IoT devices are often missed in security checkups. After all, when McAfee or Norton or Kaspersky recommends you scan your computer, are they offering to scan your lightbulbs as well?

Once they’re in, the entire network is vulnerable. Ransomware events with no obvious cause, malware that’s suddenly deleted all the files on a server, stolen data and stolen WiFi – all of it’s possible with IoT devices. There’s more to gain than just bots for the botnet, which is why hackers keep going after these IoT items.

IoT devices are also much easier to overwhelm to gain access, even with firewalls and effective load balancing. DoSing an IoT item can be as simple as scanning it. No, really. A team in the UK found that they could shut down turbines in a wind farm by scanning them. The computers inside weren’t equipped to handle both a network scan and their other computing duties at the same time. Many user devices are in the same spot or worse!

Security

Besides turbines, items like cameras and door locks probably shouldn’t be connected to the internet just yet. A terrifying string of hacks let strangers view doorbell and baby monitoring cameras, for example, because the cameras themselves were difficult to defend even though the network was protected by a router. This is terrible for obvious reasons, and class action suits were filed soon after. It even happened accidentally: Nest users would occasionally end up viewing other people’s cameras, a bug in the system that was only fixed after complaints were made. A consistent pattern is forming here: security patches are only issued after vulnerabilities are discovered by the consumer! Any other type of programming wouldn’t get away with this without some public outcry – you shouldn’t have to become a victim of a security flaw to get it fixed.

And then there’s things that physically interact with the security features of a house, like electronic locks. There’s nothing wrong in theory with a password lock. However, electronics are not inherently more secure than physical locks, and adding in WiFi only gives lockpickers another ‘in’. Hacking the lock could lead to being locked out of your own home, or worse. Besides, a regular lock will never unlock itself because its battery died, or because you sat down on the fob while getting on your bike or into your car. If you do want a password lock, it’s better to get one that’s not network enabled.

We aren’t quite at the point where hacked self-driving cars are a legitimate issue, although the danger is growing on the horizon. Cars are also poorly protected, computer-wise.

BotNets

The fridge doesn’t need a quadcore processor and 8 GB of RAM to tell you that it’s at the wrong temperature, or that the door’s been left open and you should check the milk. The voice-controlled lightbulbs only need enough power to cycle through colors. IoT items are weak. However, that doesn’t mean they can’t be used for things like Botnets, even if your main PC wards off botnet software.

Botnets are networks of illegitimately linked computers used to do things like DDoSing, brute-forcing passwords, and all other kinds of shenanigans that a single computer can’t do alone. By combining the computing ability of literally thousands of devices, a hacker can turn a fridge into part of a supercomputer. No one ant can sustain an attack on another colony, but an entire swarm of ants can!

This is another reason tech experts are worried about IoT items becoming widely used. Their basic vulnerabilities give skilled hackers the ability to ding well-protected sites and fish for passwords even if the network they’re targeting doesn’t have any IoT items on it. It’s a network of weaponizable computers just waiting to be exploited. Remember, password protect your devices!

Sources:

https://eandt.theiet.org/content/articles/2019/06/how-to-hack-an-iot-device/

https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/

https://www.courtlistener.com/docket/16630199/1/orange-v-ring-llc/

A Phishing Refresher

Elizabeth Technology December 14, 2023

How To Avoid it in the First Place

There are a few key tips that give away phishing scams. Firstly, is there a sense of urgency? Your utility companies aren’t going to call and say they’ll shut off your water without at least a few mailed reminders that your bill is due! The same goes for your bank. If they demand that you resolve a problem right then, right there, out of the blue, it’s probably a phishing scam (if you’re nervous it’s not a scam, call the alleged company using their number off of their real website). This goes for both phone and email phishers.

If it’s an email or a text, ask yourself if you were expecting an email or a text from that company. If you get a Fedex text update that you didn’t sign up for, it might be a phishing scam. If you got a notification from Walgreens that your photos have finished printing, and you didn’t print any photos, it might be a phishing scam. They want you to click or tap the links they include to see what’s going on. Spelling errors are also a common tell – it’s not impossible for a company to make spelling errors in their communications with you, but they won’t be littering the page with them! Phishing scams do that to weed out people who know better so they won’t waste time on targets that won’t crack. Note that not every phishing scam comes with typos, even though they are common.

You should also check the sender of the email! Spoofing is a technique that attaches a real name that you might know to an email address or phone number that definitely doesn’t belong to them. Anyone can set their name to George Smith or Big Company Customer Service in Gmail, but they can’t change the email address they’re sending from. If it’s [email protected] and not [email protected], for example, it’s probably a phishing scam.
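The sender check described above, as an added example that is not part of the original post: it parses a `From:` header and flags a display name that claims a brand, or shows an address, that the real sending address does not match. The brand-to-domain table and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumption: brand keywords mapped to the domains each brand really sends
# from. Constructed for this example; a real list is maintained per organisation.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "walgreens": {"walgreens.com"},
    "big company": {"bigcompany.example"},
}

# Finds an e-mail address written inside a display name; group 1 is its domain.
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Return warning strings for one From: header value (empty list = no tell)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings = []

    # Tell 1: the display name mentions a brand, but the address is elsewhere.
    # A lookalike such as fedex.com.something.example fails the suffix test.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            warnings.append(f"name mentions '{brand}' but address is at {domain}")

    # Tell 2: the display name itself shows an address at a different domain.
    shown = ADDRESS_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != domain:
        warnings.append(f"name shows {shown.group(0)} but address is at {domain}")
    return warnings


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "FedEx Delivery <tracking@fedex.com>",
    "FedEx Delivery <tracking@fedex.com.parcel-status.example>",
    "Big Company Customer Service <bigcompany.support@gmail.com>",
    '"support@walgreens.com" <x@mailer.example>',
    "George Smith <gsmith@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no tell found")
```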

The same goes for caller ID, although it’s getting harder and harder to tell real calls from fake ones – scammers can set their name to something like “Hospital” or “School” to make it more likely you’ll pick up. Some more sophisticated operations can even make it look like they’re calling from a different number altogether, using VOIP technology to match the area code of the caller to the person being called. Just like in the urgency tip, you should be able to call a legitimate company or organization like a school back from the number they have on their website, or the number you know to reach them at. If they’re really resistant to you hanging up and calling back for reasons that don’t make sense, it might be phishing. Unfortunately, some scam calls are really tough to pick up on, and the FCC can’t do much to stop them if they’re not in the US. Many people today don’t answer their phone unless they were explicitly expecting a call as a result, and phone companies themselves sometimes offer up call and text screening.

How to Better Protect Your Accounts

Luckily, there are a few tips that can make your information safer in the face of trickier scams! Firstly, don’t re-use passwords. If a password you were using for multiple accounts gets stolen, then multiple accounts are at risk, not just one. We recommend a password manager like BitWarden – it makes it much easier to store and create unique, strong passwords for every site!

Secondly, you’ll be better protected if you use two-factor authentication on every website that has the option to. If you do fall for a phishing scam, the scammer won’t have the code necessary to get in! Of course, some scams are sophisticated enough to think of that beforehand: Craigslist, for example, had a bad rash of scammers a while back who would “text a code” to a seller “to make sure they were a real person”. The seller then gives them the code, and the scammer now has a Google Voice number with the seller’s phone number as the verified number behind it! They just social-engineered their way into bypassing 2FA. This is why you should never give out verification codes – especially if you didn’t request them. Instead, it might be time to reset the password of the account that verification email came from. Just don’t click any links in those verification emails, either: go straight to the home page of the site instead to log in. The verification email might be a phishing attempt all by itself, hoping you’ll click a fake link to the website!

Using Biometrics: Is It Really Better?

Elizabeth Technology November 9, 2023

Some phones allow users to use their biometric data as 2FA, or as a password by itself – how does it measure up to PINs?

Cons

1) Your Face Looks Like Your Family’s

Every single service using face unlock handles this a different way – they all use different programs, and those different programs handle similarities differently. Apple, which uses state-of-the-art hardware and code to see faces, still sometimes mixes it up. For Apple, the program that reads your features and unscrambles this information is constantly updating itself and adding to its library of what you look like. If it didn’t, a sunburn or a new eyeliner shape would trip it up and lock you out for looking different.

The problem is that it’s allegedly doing that by looking at the person holding the device when it’s unlocked (using a passcode or otherwise), which is usually you but sometimes isn’t. People who look similar enough and who may be holding your phone enough (like family) can sometimes trick FaceID into opening for them by accident. While this is getting better, there’s no way to rule out a twin unlocking your phone without also sometimes locking you out too.

2) Law Enforcement

Most police forces have the right to collect some of your biometric data if you are ever arrested – your face and fingerprints go into their records. The legality of using that to unlock your mobile device pre-subpoena varies from state to state; some states will allow you total freedom to decline an un-subpoena’d unlock request no matter how your device is secured, while others won’t let you decline at all, but some states depend on the type of lock. Certain biometric data is not legally protected in the same way passcodes or PINs are. Look it up for your state!

3) Nefarious Children

A much more common unwanted-unlock scenario is a child getting hold of your phone during a nap and holding it up to your face to buy Robux. While face unlock has adapted, and many smartphones don’t let you attempt an unlock with closed eyes anymore, fingerprints stay the same even if you’re asleep. Still pictures of the target tend to trick older Face ID as well, although that is improving with each new generation of phones.

Pros

1) When Done Right, It’s Really Tough to Beat

Barring the similarity issues above, when biometric data is used correctly, it’s pretty darn good at keeping unwanted people out. Collecting fingerprints to unlock a device or account is often more difficult than it’s worth, and deters bad actors from trying. Strangers will generally not have photos of the phone’s owner good enough to unlock it on-hand – more recent phones use infrared too, so pictures don’t even work on new phones anymore. Cracking biometric locks takes a lot of coincidences or a lot of effort, not just a computer stuffing passwords.  

You also can’t write down your face and lose it somewhere like you might for a password, and (at least for phones) you can’t have it breached in the same way as a written password.

2) When Done Right, It’s Faster

You’d need to wait for a sent 2FA code, but you don’t need to wait for a fingerprint or a face unlock.

3) As Long As Policies Stay the Same, The Data Doesn’t Leave The Phone

As of the writing of this article, Pixel and Apple devices state that the mathematical representation of your face which the phone uses to unlock will not leave the device it’s being used on. Apple even goes a step further and separates the computer that handles facial recognition from the computer that does everything else inside the phone!

The caveat of course is if those policies stay the same – companies make promises and then go back on them all the time. American privacy laws are fairly lax compared to other countries, so any privacy policy not written into law needs an eye kept on it for changes.

What is a Browser Cookie?

Elizabeth Technology October 31, 2023

A browser cookie is a little snippet of data that the browser stores while the user is browsing. Websites use cookies for their ‘remember me’ functions, for example – if you tick the box under your log in and ask the website to remember you, it will, using a cookie.

The same goes for online shopping – when you’re logged in, the website remembers what you have in your cart by saving that information elsewhere. However, even when you’re not logged in, the page remembers what you’ve added to the cart, sometimes (depending on your browser and the website’s settings) even after you’ve left the page, closed the browser, and shut down the computer. Coming back a day later, the website will still have those items in your cart even though you’re still not logged in. That’s the convenience of a cookie!

It may not be immediately apparent, but this actually has quite a few security implications.

The Good

Websites use cookies to figure out if they should show you certain pages. If you’ve logged out in one tab, switch to another, and keep trying to shop, the website will put a hold on things before checkout (as long as checkout’s a separate page, which it is on most websites).

The Bad

The downside to having cookies that keep you logged in is that if someone else gets their hands on your device, they can access everything that the browser has stored password cookies for. Example: You don’t log out of Facebook, but you close the browser. You let a friend use your computer to look something up real quick, but they notice Facebook pops up in the web bar. Suddenly they have access to your Facebook.

Or, logging in to Amazon on a friend’s device to order something, and then leaving without logging out, makes it possible for that friend to buy something on your account completely accidentally!

Additionally, cookies can be ‘read’ by hackers and public WiFi providers like Starbucks or McDonald’s, but that security issue isn’t exclusive to cookies.  Tracking cookies and other such shenanigans are usually used for advertising purposes, but that can be a security concern too, if privacy is a part of your security considerations.

These aren’t all the security risks of cookies, but they’re the most obvious, and the most likely to trip up a user.
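An added example (not from the original post) that checks the risks above from the website's side: it parses `Set-Cookie` response headers and flags cookies that can travel over unencrypted connections such as open WiFi, are readable by scripts in the page, are not restricted to same-site requests, or keep a login alive for a long time. The header values are constructed, and the 30-day threshold is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LOGIN_AGE = 30 * 24 * 3600  # assumption: 30 days counts as "long-lived"
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the samples

MESSAGES = {
    "no-secure": "no Secure attribute: also sent over plain HTTP, readable on shared WiFi",
    "no-httponly": "no HttpOnly attribute: readable by scripts running in the page",
    "no-samesite": "SameSite is not Lax or Strict: may be sent on cross-site requests",
    "long-lived": "stays valid for more than 30 days on whatever device stored it",
}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute keys lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def lifetime_seconds(attrs, now):
    """Lifetime from Max-Age (takes precedence) or Expires; None means session cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"])
        if "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            return int((expires - now).total_seconds())
    except (TypeError, ValueError):
        pass  # malformed value: treat as a session cookie
    return None


def audit_cookie(header, now=None):
    """Return (cookie name, list of finding codes from MESSAGES)."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("no-samesite")
    life = lifetime_seconds(attrs, now)
    if life is not None and life > MAX_LOGIN_AGE:
        findings.append("long-lived")
    return name, findings


# Constructed Set-Cookie values, not captured from a real site.
SAMPLES = [
    "session=abc123; Path=/",
    "remember_me=tok; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax",
    "cart=42; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax",
    "sid=xyz; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLES:
        name, findings = audit_cookie(header, now=FIXED_NOW)
        print(name, "->", [MESSAGES[f] for f in findings] or "ok")
```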

Mixed Considerations

Cookies have more functions than simply recording logins. Some can take your device’s diagnostic data, some can recall settings you set the last time you visited a webpage, and some can track you. Tracking cookies are exactly what they sound like: cookies that track you as you travel along the web. These cookies can be used to form a long-term record of a user’s browsing history, which is obviously a concern – most people would be creeped out by someone following them through the mall, watching what stores they go into and what items they come out with. The same goes for cookies. Why does CarMods.com want to see what I’m buying for my tropical fish?

Any website that has something to gain from knowing what websites you visit, your potential interests, what kind of recipes you save, what kind of sports you watch or political sites you follow – they can use that to sell you something, and that something can be ideas.

Blocking Them

Cookies aren’t an enemy, and many just set out to make your life easier.

However, if you’re interested in keeping cookies from following you, for good or for bad, there are many options on the market. Some browser extensions like adblockers will also block cookies, and there are many third-party extensions built exclusively to keep websites from tracking the end user (you should always research the company you’re downloading from beforehand). If you’d rather not touch anything third-party, simply browsing in incognito mode or regularly erasing cookies along with your browsing history is an option as well!

How Does A Hacker Use Public WiFi?

Elizabeth Technology October 26, 2023

Ads for VPNs give their two biggest benefits as often as they can: that you can watch shows blocked in your home country using one, and that hackers using the same public WiFi network can’t steal your data as long as you’re encrypting it with a VPN.

The first one is relatively easy to understand, but how does the second trick work? 

1) Simply Saying They Are Something Else

One of the easier methods of tricking a connection is to simply create a hotspot near a public WiFi source, and name it the same thing as the legitimate source. If there are two ‘Starbucks Café 9812’ WiFi networks available, the duplicate may catch out users. After that, the hotspot’s creator can intercept any data sent over the connection.

2) Using Specialty Tools

Unsecured Wifi is dangerous in multiple ways – loose, unencrypted packets of data travelling over the Wifi connection can be caught by a hacker and decoded into readable information using something called a WiFi sniffer. Information that your computer will not pick up by default can be found this way, and with it, data sent over that unsecured connection.

Using a WiFi network with a password is generally good enough to prevent that from happening, however.

3) Hoping For Poor Security Practices

If a public spot’s router is not set up correctly, it might be possible for a bad actor to get into it as an administrator, with all of the permissions that entails. If the router is still using a default dictionary password, a dictionary attack might crack it, and give the bad actor those admin privileges that way. And, if a bad actor got onto the network legitimately, they may be able to execute a man-in-the-middle attack where they trick the target computer and the router into sending potentially sensitive data through them first.
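A defensive check for the first two methods above, as an added example that is not part of the original post: given a list of visible WiFi networks, it flags networks with no encryption and access points that share a name with others but use weaker security or a different hardware vendor prefix. The scan entries are constructed, and the vendor-prefix mismatch is only a heuristic, since a venue can legitimately mix hardware.

```python
from collections import Counter, defaultdict

CAFE = "Starbucks Café 9812"  # network name used in the text above

# Constructed scan results as (network name, access point MAC, security).
# Assumption: real values would come from the operating system's WiFi scan.
SCAN = [
    (CAFE, "00:11:22:aa:bb:01", "WPA2"),
    (CAFE, "00:11:22:aa:bb:02", "WPA2"),
    (CAFE, "de:ad:be:ef:00:01", "OPEN"),
    ("Library-Guest", "00:33:44:cc:dd:01", "OPEN"),
    ("HomeNet", "00:55:66:ee:ff:01", "WPA3"),
]

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def vendor_prefix(mac):
    """First three octets of a MAC address, which identify the hardware vendor."""
    return mac.lower()[:8]


def analyse(scan):
    """Return {network name: {access point MAC: [reasons]}} for suspicious entries."""
    by_name = defaultdict(list)
    for name, mac, security in scan:
        by_name[name].append((mac.lower(), SECURITY_RANK.get(security.upper(), 0)))

    report = {}
    for name, points in by_name.items():
        strongest = max(rank for _, rank in points)
        vendors = Counter(vendor_prefix(mac) for mac, _ in points)
        common, common_count = vendors.most_common(1)[0]
        flagged = {}
        for mac, rank in points:
            reasons = []
            if rank == 0:
                reasons.append("open")  # traffic on this network is not encrypted
            if len(points) > 1:
                if rank < strongest:
                    # Same name as a protected network, but weaker protection.
                    reasons.append("weaker-than-siblings")
                prefix = vendor_prefix(mac)
                if prefix != common and vendors[prefix] < common_count:
                    # Hardware differs from the majority using this name.
                    reasons.append("odd-vendor")
            if reasons:
                flagged[mac] = reasons
        if flagged:
            report[name] = flagged
    return report


if __name__ == "__main__":
    for name, flagged in analyse(SCAN).items():
        for mac, reasons in flagged.items():
            print(f"{name} [{mac}]: {', '.join(reasons)}")
```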

VPNs

VPNs, or Virtual Private Networks, add an extra layer of security via encryption to information as it passes from the user’s computer, to the router, to the VPN’s server where it is decrypted, to the website where the request was directed, back to the VPN’s server so it can be re-encrypted, and then back to the router and ultimately the device, where the information is decrypted.

That’s good for protecting the user from many of the security issues associated with Public Wifi, but it’s not the be-all end-all of security – you must pick a VPN carefully if you intend to use one, because using a VPN means putting all of that data in their hands instead.

Smishing (SMS Phishing)

Elizabeth Technology September 26, 2023

Do you get strange solicitations for all sorts of things in your messages? Are you getting texts from email accounts, or massive group-texts to you and everyone within a couple of digits of your number?

That’s Smishing.

Phishing

Phishing is the process of sending emails with dangerous, annoying links in them hoping that someone on the other end will click them. These emails can be broadly targeted or narrow, well written or not – it all depends on the person on the other end of the line. Broadly targeted emails with many people on the receiving end tend to be poorly written to weed out people who would flake out halfway through. Narrowly targeted emails aimed at individuals or specific companies tend to be much better, because they’re willing to invest the time needed to get them.

Phishing happens via email, but it comes in a variety of flavors, and setting rules such as ‘don’t click links’ and ‘don’t look at ads for services you didn’t sign up for’ can wipe a lot of the problems out. Phishing is still incredibly common, and many people (including the elderly, people who are reading in a different language than their native tongue, younger kids with email addresses, etc.) still fall for them… but where tech innovation goes, scams soon follow!

Improvement to the Tech 

There was a time when sending mass texts in hopes of securing some personal data was time consuming and expensive. There was a time when you couldn’t just send emails to a phone number or vice versa. Nowadays, all of these things have become possible. Everyone worth scamming has a smartphone. Very few plans ask users to pay per text, instead of per gig (or meg).

VOIP and assorted messaging apps all blur the lines between email, phone calls, text messages, app-based messaging services, and more. Of course, the market has encouraged this. If users have to trade apps to stay in touch with friends on a different app, they’ll generally do so. It’s in every app’s best interest to work with each other, and most will enable users to send and receive messages with minimal issues. There aren’t a ton, but the handful in existence is plenty. Plus, Google and Outlook will allow you to direct-message phone numbers now, as long as you have the full ten digits.

Smishing

Smishing, just like phishing, involves sending messages trying to get people to click sketchy links inside or engage further with the scammers. Sometimes it happens with one number sending directly to one number, or one number to many, and sometimes an email address is able to send you messages directly.

Shot-gun blast smishing, just like regular phishing, is targeting people who don’t know better than to click on strange links or respond to “adult links” texts with incoherent rage. Now that many delivery services use text messages, unsolicited texts about a meal or package delivered to the target’s house may cause them to click the link in the message without pausing for a second to think about all of the other messages they should have received beforehand. The phone is new territory, and they hope you’ll fall for it because it’s new and blends in a little better.  

There is a more dangerous version of smishing – if they know who they’re texting, and they can text coherently, getting info or clicks out of the target becomes much easier because they can custom-fit those texts to said target. If someone uses your name, you’ll assume you know them from somewhere – and a text is already so personal, it’s hard to blame people who fall for it. Shotgun blast smishing only gets the folks who were vulnerable, but a good, targeted attack could fool many more. This obviously also applies to regular phishing, but because phone numbers all look the same, and phones can be misplaced while desktops can’t really be, bluffing your way into getting ‘emergency information’ from someone is just a smidge less difficult.

Viruses are still a potential problem for phones. The only issue is that they have to be custom-made for the phone type the end user has, or else they won’t be able to successfully infect that device. While many people use their phones for their internet browsing, a great many more use their desktop for everything, and so the scammers of the past would just use the desktop virus and hope they caught something.

Smishing introduces a new angle – phone numbers will generally lead to phones, meaning that they can use that custom-made phone virus and almost guarantee themselves a win as long as the target actually clicks the link.

Epidemic

Unfortunately, unlike phishing calls or emails, smishing is easier to spam with and doesn’t usually require a list of preexisting emails. Think about it: a phone number has a set number of digits, each with ten possible values, 0-9. An email not only has the entire alphabet on top of all of the numbers, the length varies from the shortest possible username to the longest one. You can’t simply BS your way into a working email the way you can with a phone number; you’d have to buy a list and plug it into the spam machine to send messages.

Enforcement, too, is easier to evade. If a smisher’s email gets banned, they can simply make another one by the same mechanism that makes spamming emails without a list difficult, and continue to spam phone numbers. As emails and phone numbers get blocked out, online services allow them to continue messaging. If those services get complaints about the spam? Simply make a new account there, too. Easy, fast communication is vital to many people, businesses, and services today, so all of this is easy and accessible by design.

Sources:

https://www.androidauthority.com/apps-send-text-sms-pc-ways-740669/

https://www.techrepublic.com/blog/microsoft-office/use-outlook-to-send-e-mail-to-a-cell-phone/

What Does Incognito Mode Actually Do?

Elizabeth Technology September 21, 2023

You might have heard it in advice: “You should always look at airline tickets in Private Mode, or the price will go up”, or “I look at eBay in Incognito Mode when I’m on the family computer, so my mom doesn’t know what her Christmas present will be”. Every browser is equipped with it! So what does Incognito Mode actually do?

No History

You probably already know this, but Incognito Mode (or Private Browsing, or Private Mode, or…) doesn’t store history for your browsing session. Great! The downside: If you find something really interesting while Incognito, and don’t bookmark it, it’s not in your history. The upside: if you were shopping on eBay but don’t want the person leaning over your shoulder to know, as long as you only ever visited in Incognito Mode, it won’t auto-fill in the search bar when you type the letter ‘E’.

No Cookies

This is a little bit bigger than it seems.

A cookie is essentially a way for a website to see what you’re interested in (see our article on Cookies for more info). It does other things too, but for most websites, interest is enough. It improves ad revenue, and it does usually make the user’s experience a little better. For example, if I search for dog treats, and I’m not logged into my Amazon account, Amazon may still show me listings for dog treats, even though it shouldn’t technically know it’s me without my login.

This is tracking, even if it’s non-malicious and just to maybe show you something you might buy. That makes a lot of people uncomfortable! Not only that, but if you’re searching for a gift that you yourself would never use – say, Carrot Flavored dog treats – the website has no way to know that the Carol’s Carrot Treats are not for you. So you get recommendations for it. Forever. Unless you’re in Incognito Mode!

Cookies can range from harmless to annoyingly persistent, but they don’t seem to be going anywhere fast. If you’re looking for a gift, and don’t want to be recommended purses for the rest of your life – use Incognito Mode.

Yes, Downloads Are Still There

The browser probably warned you on the default ‘New Tab’ window for Incognito Mode, but anything you download is downloaded to your computer. Downloading things to your browser is actually downloading them to your computer through the browser. If you’re pirating music (don’t do that) and hoping that Incognito Mode will help you avoid malicious downloads, it won’t. Don’t download anything you wouldn’t download in your non-incognito browser.

This applies to bookmarks too: things you bookmark in Incognito Mode are still visible in the regular browser’s bookmark bar.

No Browser-Saved Logins

You know how some websites ask if you’d like them to ‘Remember Me!’ with a little check box the first time you visit a site, and then it autofills the next time you log in, and then it keeps doing that for so long that you forget your password? And then you try to log in so you can get your sister that tchotchke she had her eye on for her birthday? Yep, ‘Forgot Password’ link time. Yaaaay. Passwords saved by your browser might still be there in Incognito Mode, but passwords saved by the website are stored with cookies. As seen above, Incognito Mode does not save cookies.

This will also annoy you next time you log in, because clicking ‘Remember Me!’ for the new password you made just now (in Incognito Mode) won’t actually save it. The website’s cookie only remembers the last password you used in regular browsing mode. The cookie responsible for remembering you is disabled in Incognito Mode.

Yes, Your Internet Provider Can Still See Your History

Don’t do illegal things online. They’re illegal. And also usually visible to the internet provider. Your internet provider can still see the websites you’re visiting in Incognito Mode, because that information passes through them first. However, if you don’t want the ISP to know that you’re ordering oil paintings of dogs through Etsy (LEGALLY!), your best bet is a VPN (Virtual Private Network). A VPN adds a layer of encryption to your data, making it difficult for the Internet Provider to see what sites you’ve visited. This isn’t foolproof, because the VPN is the one seeing your data instead of the ISP – but it is another layer between you and other people discovering you bought that oil painting.

Please, Don’t Just Scan That QR Code

Elizabeth Technology April 27, 2023

The Past and Present of Random Links

Before the age of built-in antivirus and user-friendly web design, it was entirely possible to wander onto a webpage that would just start downloading something malicious out of nowhere. Popups that did this were a serious problem, and many browsers responded by working in a sort of zero-trust philosophy. Firefox, for example, will tell you when a site has tried to open a pop-up, and asks you if you still want to open it. This does occasionally catch honest secondary windows (like payment portals and the like), but the great thing about that is that because it asked, you can say ‘yes, I wanted that to open’ and you’re not stuck with some horrid flashing popup dominating your screen every other time.

Aside from popups, some websites were able to either trick users into downloading things by mimicking a real website, or simply start downloading things themselves as soon as they were clicked. Separate antivirus programs were needed to combat phishing downloads alongside other website trash, as browsers can’t always differentiate between intentional and unintentional downloads. In this era of the internet, misclicking or accidentally misspelling a website URL could be catastrophic for the computer. Big hosting companies protect their hosted websites now by preventing others from registering domains that are almost the target URL, but not quite (a form of domain squatting), but this wasn’t always the case.

Furthermore, hyperlinks can be used to trick people into clicking things they’d otherwise have avoided. Remember Rick Rolling? Every trick that anyone has ever used to Rick Roll you can also be used to get you to click on, and download, something you don’t want on your computer. Disguised hyperlinks. Obfuscated URLs that re-route a couple of times to get you to lower your guard. Clickable buttons, in place of links. Social engineering. The list goes on!

The False Sense of Security

The modern web as most people browse it is a safer place than it used to be. Google’s SEO is partly to blame – users who report unpleasant website experiences or demonstrate that the website isn’t good by leaving within so many seconds of it loading will lead to that website appearing lower in the search results, until eventually Google stops letting it pop up near the top at all. Hosting services are also partly to blame – they have a monetary interest in keeping their websites whitelisted, and malicious websites screw that up for them. Plus, it’s sort of scummy. Would you want to do business with a company that passively allowed one of its clients to wreck another potential client’s car? Probably not!

Antivirus and default browser settings take care of much of the rest. But these things don’t mean the nastier parts of the web have stopped existing, they just mean it’s harder to get there without doing so intentionally. Users don’t fear clicking on links that lead to sources or Ko.Fi services because it’s been so long since that was a problem. Forum users click through links with no fear. While not a perfect breeding ground for scam links to come back (most people still know and remember the warning signs) it is a perfect breeding ground for something new built on old foundations – QR code scams.

QR Codes

A QR code is a sort of bar code that’s recorded in two dimensions (vertical and horizontal) instead of one. Almost every modern phone (and many of the outdated ones) comes with a QR-reading feature built in. QR codes and code readers have a high tolerance for missing or damaged information, making them a fantastic resource for quick and easy link-loading – where a barcode is unreadable if a bar is missing, a QR code can often still be read if squares are missing or obscured. Advertisements, verification texts, digital menus, libraries, virtual queues, etc. all benefit from how simple it is to whip out a phone and point the camera at a black and white square for a few seconds. It’s even easier than typing in a link, and you can direct users to specific pages with gangly URLs without worrying how that URL is going to look on printed material – the user isn’t going to see the URL anymore, they’re going to see the QR code!

This led to things like QR code stickers that would lead to individual GIFs or art project websites out in public, a form of easy-to-remove graffiti that still showed off some art in today’s hyper-online world. QR codes gave restaurants and their diners an easy way to see a digital menu without having to type in a URL. It also made Rick Rolling easy again.

You’re probably already seeing the issue here: when users can’t see the URL, they have no way of knowing where they’re going to end up when they scan it. A hyperlink’s true destination is visible to a user when they press and hold on mobile, or hover their mouse pointer over it on desktop – the same is not universally true for QR codes (some phones and programs show the link before asking you to continue, but many do not). The scam potential for these codes is off the charts because many do not understand them as ‘links’ but as ‘scannable objects’.
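What "showing the link before asking you to continue" can look like, as an added example that is not part of the original post: given the text a scanner decoded from a QR code, it reports the real destination host and anything odd about it. The function name, the expected-host list and the sample links are assumptions made up for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"menu.example.com"}            # constructed: the site you meant to visit
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # a few well-known link shorteners

def preview_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return (host, warnings) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return None, ["malformed link"]
    if parts.scheme not in ("http", "https"):
        return None, [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    host = (parts.hostname or "").lower()
    if not host:
        return None, ["no host in link"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # Everything before '@' is a login name, not the site being visited.
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass                                     # an ordinary domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; may imitate another name")
    if host in SHORTENERS:
        warnings.append("shortened link hides the final destination")
    if host not in expected_hosts:
        warnings.append("host is not one you expected")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real QR code.
    for sample in ("https://menu.example.com/table/12",
                   "https://menu.example.com@login.example.net/join",
                   "http://192.0.2.15/menu",
                   "WIFI:T:WPA;S:cafe;;"):
        print(sample, "->", preview_qr_payload(sample))
```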

Discord Scam

For example, the recent slew of Discord scams! Essentially, what happens is a scammer compromises an account, either by password brute-forcing or by social engineering, and sends messages to everyone on that person’s friend list saying things like “ummm idk if this is really you or not but it was your name and it says you sent a girl gross stuff like wtf? Check the #shame tag and you’ll see it. I’m blocking you just in case, I can’t be friends with a predator”. They then send a link inviting you to join the Discord server mentioned in the message, and block you so you can’t continue to chat with them. As this is a compromised account and may be pretending to be someone you actually speak to on the regular, this can be very alarming. The first instinct is to join the server so you can defend yourself against whatever allegations have allegedly been made in that server! It presents you with a QR code to join the server that this compromised account has sent to you so you can clear your name and get your friend to unblock you, but when you scan it, it tricks your phone into giving over the login credentials for your Discord, compromising your account and continuing the scam.

This is the sort of scam that happened all the time before people grew wary of random DM’ed links! Here we are again, re-learning not to trust people that talk like bots and the things those bot-people/compromised accounts send us.

Consider a Password Manager

Elizabeth Technology April 13, 2023

Alongside 2FA, making a difficult-to-guess password can stop a staggering number of cyberattacks, both brute-force and engineered. But how exactly do you do that? The latest recommendation for a password has jumped from 8 characters to 10, 12 if you really want to play it safe, and a scrambled set of characters that meets all of a decent administrator’s password requirements is going to be difficult to remember almost no matter what! If you do make a good, memorable one, you shouldn’t be using it anywhere else. It’s also unfeasible to just reset your password every time you need access to a site. What can you do?

Get a Password Manager

Password managers bridge the gap between the passwords you want to make, the ones you can remember, and the password that meets all of the site’s requirements. This is such a common problem that it’s even built into some browsers! Firefox will save your passwords securely for you, although you can always download the third-party extensions of your choice from the Mozilla add-ons page (https://addons.mozilla.org/en-US/firefox/extensions/). While Chrome also has a built-in password manager, if your Google account gets hacked, all of your passwords just went with it, so in their case it’s better to go third-party.

You can download reputable password managers such as LastPass or 1Password just as easily and perhaps more securely – in all of LastPass’s existence, it’s never had its password database breached (although their dev environment had a security incident a little while ago).

DO NOT “Just Write It Down”

If you think just writing the password down on a Post-It is good enough, don’t be so sure! Social engineering is probably the easiest way to get into someone’s computer. If someone wanders into your office when you’re not there, and they spy your password written on a Post-It stuck to your desk, then boom – they’re in.

Similarly, this actually isn’t a great way to keep track of your passwords even if nobody else has access to it. For example – if you keep a Word Doc with a bunch of passwords in it, assuming nobody is going to be able to A) find it or B) identify which passwords you used where (assuming you didn’t write down your username with them), you can also assume you’re not going to remember them either!

If you don’t use them frequently, you’re far more likely to forget what goes where. Oh, good, a random bunch of numbers and letters just titled ‘game account’ on the front of a Post-It that’s lost all its sticky powers. Where does it go? What is the username? Does it need a username, or just your email? Good luck figuring that out!

But the Manager is Always On!

Yes, these password managers are always prepared to fill in a blank on a webform. If you leave your office without putting your computer to sleep, then hypothetically someone could access an account of yours using one. However, this is easy to fix. If you’re not putting your computer to sleep or locking the screen when you leave for extended periods of time, you should! If you’re not doing that because your password is too long to type in every time you get up, consider setting up a login PIN instead to remove that barrier – a regular person isn’t going to be able to guess every permutation of four-to-six numbers (and sometimes letters depending on your admin’s settings!) in a reasonable amount of time. By locking the desktop, the manager’s convenience can’t be used against you. It’s more secure, anyhow. It’s actually a requirement for companies that follow HIPAA standards!

What is a DOS Attack, Really?

Elizabeth Technology January 26, 2023

DoS stands for ‘Denial of Service’. What this means is that someone plans to deny service to and from a website by crashing it, or making it run so poorly that it may as well be offline. As for ‘why’, there are many reasons – someone could be ‘disagreeing’ with the content of the website or its discussions, they may be attempting to drive viewers elsewhere, it may be political, it may be simple trolling, the list goes on.

So, how is it done?

The How

Denial of Service is just that: a denial of service. Any means may be used to get to that point. If it’s a poorly secured website, getting in via hacking or password stuffing and changing the contents on-site could be a DoS. If it’s a poorly balanced website, and if it’s one that allows for posting of pictures and memes, sending an image that’s too large for the website to handle could do it. Similarly, sending too much text, animated GIFs, or other content that the website wasn’t prepared for could shut it down. Requesting too much data and opening several tabs at once of a big image that did load could simulate an HTTP attack, although that may be equally hard on the computer that’s doing the requesting. It’s possible to DoS a site accidentally!

Inputting code into poorly made text entry spots can also crash the website, if the owner didn’t know how to prevent SQL injections. Dinging the website too many times in one go can crash some websites, although that usually requires things like botnets, which turns it from a DoS to a DDoS.

In that same family, SYN flood attacks can also deny service by requesting information over and over until the website is so overloaded that it can’t respond. In a SYN flood, the computer sends requests to connect to the server repeatedly, but never actually completes them. If it’s done right, the server runs out of ports to take the requests, and legitimate requests mixed in with the faulty ones now have to wait much longer.

Preventing it

Many of these are simple issues of preventing out-of-format content and slowing down users requesting to visit. If a posting box has a hard limit of 10,000 characters, the DoSer could whip up a bot to post over and over, but the website owner would be able to tell that something was going on before it crashes the website. Many picture-printing places won’t allow photos over a certain size or resolution to be sent over the web, because it can clog the intake – especially places like drugstores that aren’t set up for large high-quality images. If the network isn’t prepared, it’s entirely possible for photographers to DoS them (at least in the photo station) by accident! Instead, it’s much easier to keep these incidents out at the gate: configuring comment sections and image requirements for size is a bare minimum.

As far as SQL injections go, we have a whole article on sanitizing inputs (here) – the essence of prevention is keeping data inputs and the command to get it to the database separate from each other. This prevents a number of issues by itself, but is good advice to avoid DoSing via SQL as well.
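The two ideas above in one place, as an added example that is not from the original article: a comment handler that slows down a client posting over and over, enforces the 10,000-character limit before doing any work, and hands the text to the database as data rather than as part of the command. The class name, the table layout and the five-attempts-per-minute policy are assumptions for the illustration.

```python
import sqlite3
import time
from collections import defaultdict, deque

MAX_CHARS = 10_000             # the hard limit used as the example in the text
MAX_POSTS, WINDOW_S = 5, 60    # assumed policy: 5 attempts per client per minute

class CommentGate:
    """Hypothetical gatekeeper in front of a comment table."""

    def __init__(self, db, clock=time.monotonic):
        self.db, self.clock = db, clock
        self.recent = defaultdict(deque)   # client id -> times of recent attempts
        db.execute("CREATE TABLE IF NOT EXISTS comments (client TEXT, body TEXT)")

    def submit(self, client, body):
        """Return 'ok', 'too_long' or 'rate_limited'; store only accepted posts."""
        now, stamps = self.clock(), self.recent[client]
        while stamps and now - stamps[0] >= WINDOW_S:
            stamps.popleft()               # forget attempts older than the window
        if len(stamps) >= MAX_POSTS:
            return "rate_limited"
        stamps.append(now)                 # oversized attempts count as well
        if len(body) > MAX_CHARS:
            return "too_long"              # rejected before any database work
        # Placeholders keep the text as data; it is never spliced into the SQL command.
        self.db.execute(
            "INSERT INTO comments (client, body) VALUES (?, ?)", (client, body)
        )
        return "ok"

if __name__ == "__main__":
    gate = CommentGate(sqlite3.connect(":memory:"))
    print(gate.submit("visitor-1", "Nice post!"))          # ok
    print(gate.submit("visitor-1", "x" * (MAX_CHARS + 1)))  # too_long
```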

For SYN floods and other brute-force attacks, configuring the firewall and installing an IPS (Intrusion Prevention Software) are what security vendor PurpleSec recommends. In the olden days, attacks like these may not have crashed the site, but they could still drive the hosting costs through the roof – the owner is then incentivized to pull the plug themselves so they don’t drown in fees from their server company.
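What the never-completed connection requests of a SYN flood look like from the server's side, as an added example that is not from the original article or from PurpleSec: it counts connections stuck in the SYN-RECV state in output laid out like Linux `ss -tan` and flags a listening port once they pass a share of its queue. The sample lines are constructed, and the queue size of 8 and the 50% alert ratio are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan`; addresses are documentation ranges.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      192.0.2.10:443      198.51.100.20:50112
SYN-RECV  0      0      192.0.2.10:443      203.0.113.5:40001
SYN-RECV  0      0      192.0.2.10:443      203.0.113.5:40002
SYN-RECV  0      0      192.0.2.10:443      203.0.113.5:40003
SYN-RECV  0      0      192.0.2.10:443      203.0.113.77:51000
SYN-RECV  0      0      192.0.2.10:443      198.51.100.9:33333
SYN-RECV  0      0      192.0.2.10:22       198.51.100.9:33334
"""

def half_open_report(ss_output, backlog, alert_ratio=0.5):
    """Summarise half-open (SYN-RECV) connections per local port and per peer."""
    per_port, per_peer = Counter(), Counter()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "SYN-RECV":
            continue                       # header, listeners, finished handshakes
        local_port = cols[3].rsplit(":", 1)[1]
        peer_ip = cols[4].rsplit(":", 1)[0]
        per_port[local_port] += 1
        per_peer[peer_ip] += 1
    # A port is flagged when its half-open count reaches the chosen share of the queue.
    alerts = {p: n for p, n in per_port.items() if n >= backlog * alert_ratio}
    return {
        "half_open": dict(per_port),
        "top_peers": per_peer.most_common(3),
        "alerts": alerts,
    }

if __name__ == "__main__":
    print(half_open_report(SAMPLE, backlog=8))
```

Flood traffic often carries forged source addresses, so the per-port total is the more reliable signal; the peer list is only a hint.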

To prevent breaches, use two-factor authentication when building your site. Please. Microsoft reports that it stops 99.9% of fraudulent login attempts. It is one of the easiest ways to improve your security.

How is it different from DDoSing?

DDoSing relies on multiple computers to get the desired effect; DoSing takes far fewer. This has many benefits for the person trying to wreck a website. Firstly, DoSing doesn’t involve gathering other computers to attack with – you already have all your resources at your fingertips! However, that’s a double-edged sword, as you can’t attack with more than you have.

DoSing is also easier to coordinate as other people are (usually) only minimally involved. Getting other people to DDoS a site organically is difficult because it requires organizing strangers, and doing it with a botnet requires buying a virus or making one yourself and then distributing it. DoSing with a SYN flood or with SQL injections is hard – but it might be easier than trying to get ever-more-wary strangers to click a suspicious link. Outsourcing to a hacker group, of course, is easier than both unless the malicious party lacks the funds to do so.

On the other hand, hacking into a website that’s only password-protected with a password stuffer (or doing it semi-manually by guessing passwords yourself) is probably easier than any other method. While this carries some risk (if they can tell where the login came from, they may be able to find the attacker), it also has a lot of potential for damage if the website owner hasn’t backed up the website. The problem with this method is that the website has to be poorly secured for it to work – 2FA stops the vast majority of these attacks, and being smart with who gets admin permissions can limit the effectiveness of the attack.  

Sources: https://purplesec.us/prevent-syn-flood-attack/