In The Wizard of Oz (1939), Dorothy had the wisdom to see danger on the road ahead:
Dorothy: Do you suppose we’ll meet any wild animals?
Tin Woodsman: Mm, we might.
Scarecrow: Animals that eat… s-traw?
Tin Woodsman: Some, but mostly lions, and tigers, and bears.
Scarecrow: And tigers?
Tin Woodsman: And bears.
Dorothy: Lions, and tigers, and bears! Oh, my!
Just like Dorothy was concerned about what she might meet on the yellow brick road, we should be concerned enough to understand what might bite us on the information superhighway. Unfortunately, a lot of people I meet traveling this virtual road either have misguided beliefs or are very ignorant of the pitfalls that await them as they use information technology every day. Overly fearful or blissfully ignorant behavior toward information technology can limit its benefits or endanger you and those you know.
Yes, there are real viruses, Trojans, worms and many other forms of malicious software (malware) “out there” ready to attack you at any moment. (If you have no clue what I am talking about, I’ll explain them and many more in later posts.) But I don’t want you to be afraid. You can easily do many things to help protect not only your computer and mobile devices but yourself in general from being prey to these evils. I pray this blog will benefit many with simple-to-understand information to reasonably protect you and your loved ones from the pitfalls of using information technology (IT).
What is Personal Information Technology Security?
Everyone I know uses some form of IT. We commonly think of computers and the Internet. We include smartphones with web access. But we must include any technical device that is capable of sharing information. Often this is through a network like the Internet. But this can include such simple devices as a plain old telephone. Just like our homes, we cannot make the information technology we use 100% secure. However, there are reasonable steps we can take to drastically reduce the likelihood of a malicious attack (like locking our doors).
I don’t intend this blog to help with corporate or enterprise levels of IT. They have whole departments with very intelligent and dedicated staff to take care of their IT devices. Also their environment is different in a lot of ways from what you use personally. Since you don’t have a team of hired professionals watching out for your security, I’m here to help.
What I describe in this blog comes from my own experience of over 25 years in using and supporting IT devices for corporations, small businesses, individuals and myself. I want to educate you from that experience so you can apply it as best you see fit in your circumstances.
Most of the experiences I will share here will be related to protecting your home and small business computer(s) with some form of a connection to the Internet. I will also share some advice on securing your mobile devices like cell phones and personal digital assistants (PDAs). Occasionally, I help with other forms of attack that are sometimes purely social and don’t involve anything more complicated on your end than just answering your home phone.
I’ll do my best to keep the blog posts general enough so they can be applied in a variety of situations. For those wanting the more technical details related to particular incidents, I will link to a variety of news and technical sources as reference.
First Pitfall to Avoid — Socially Engineered Attacks
I chose this pitfall to describe first because it can be applied across the most forms of interaction, even beyond IT. Also, I was able to leap over this pitfall just this past Tuesday (June 22nd) when I was personally attacked.
My personal attack involved a well-known scam using collect calls from prison. Social engineering is all about using you to open the door. This could be the physical door to your home, a method to gain access to your computer or, in this case, long-distance calls made on your phone.
Social engineering comes in a wide variety of forms. They all contain two elements: gaining your trust in order for you to share information. In my case they wanted to tug at my heartstrings to make me believe I had a friend in prison who needed my help. Other forms use information they obtained elsewhere to make you believe they have the right to additional information.
One very popular form of social engineering is phishing (yes, with “ph” and not “f”). It is like fishing, as the phisher sends out a lot of bait and hopefully will get a few bites. If you have ever received an email asking to verify information from a trusted source, such as a bank or other online service, then you were being phished. I HOPE YOU DIDN’T CLICK THE LINK IN THE EMAIL!!! If you did, contact me right away and I’ll help you straighten out the potential mess.
So how do you avoid socially engineered attacks? First, develop a radar for these things. Study examples of many of these attacks (I’ve only given you a couple of examples from the hundreds that are out there). Then trust your instincts. Most often these attacks come unsolicited. If you receive a phone call, an email or a knock at the door that you were not expecting, be extra cautious. Sometimes even trusted friends are unaware they are used as part of the attack. I will give more details on this when I discuss how social engineering is combined with malware to infect your computer through instant messages and emails.
Please be aware that malicious attacks are occurring every day to gain information about you for someone else’s benefit. Be cautious, but don’t run and hide. A little awareness goes a long way toward protecting yourself.
Please post a comment below and let me know what you think of this blog. Much of the content will be driven by your comments as I want this to be a help to you. Let me know what you liked and, just as important, what you didn’t like.
Until next time, keep looking out for those PITS!