I’ve been hacked! I’ve been scammed! What do I do?

Sometimes, we all have one of those “how did this happen?!?” moments, as we watch our mouse go shooting across the screen, deleting all of our files. You panic and call your local computer technician to ask what to do about it. A Trojan, worm, or human (a taller version of a worm) has taken over your computer. You’ve been hacked. You shut it off, and wait for your technician to show up. While you wait, here’s a list of the things they should have already told you to do if your computer has been compromised, and what you’ll probably be paying for.

From a technology perspective:

Turn off your device immediately

Have you been hacked or lost control of your computer? Simply turn it off. An off computer cannot be controlled, as there is nothing to control at that point. This is the fastest way to stop an ongoing attack and avoid a follow-up attack. In the event that you were compromised by a Trojan or worm, this will prevent it from causing any more damage than it already has. Once you have made sure that the device is off, contact a computer technician immediately to inspect and clean up your computer. If you don’t have it sanitized before you start using it again, there is a very good chance that a Trojan or worm that has been installed on it will just turn on again, and continue wreaking havoc. They also tend to open up a bunch of holes in your computer, which makes it easier for hackers to gain access to your computer again.

Using another device, change your passwords

Since the device that was compromised is turned off, you will want to use another computer or device to get online and start changing your passwords. Not just the important ones, ALL of them. If you do any online banking, make sure to change your password for your bank’s website first to avoid anyone getting access to your accounts. Next, take care of your email account(s). Your email account is the gateway to almost all of your online accounts, so anyone with access to that could simply use the Forgot Password buttons on other websites to reset your passwords. Honestly, it wouldn’t hurt to handle your email accounts first, since they could still be used to change the password on your bank accounts. Next, make sure to log in to all of your social media accounts and do the same. Keep working through your list of online accounts until you have changed the passwords for everything.

When changing your passwords, make sure you follow these rules. They are common rules for all passwords, so they apply any time you ever create or change a password. These are just a few of hundreds of password tips. For more thoughts on password security, try Googling “password rules”.

  1. Use a strong password. “password” is NOT strong. Most websites these days make you use a secure password. You want it to be an absolute minimum of 8 characters in length (10 is better, the more the merrier), and use a combination of uppercase and lowercase letters, numbers, and symbols.
  2. Don’t use a modified version of the password you are changing. If you only change one or two characters in your old password, you are not really helping yourself out. While this will trick most automated hacking tools for a while, a true hacker will be able to figure out what you changed pretty quickly. If you make it easy for yourself, you’re making it easy for them too.
  3. Names, birthdays, anniversaries, and “password” all make horrible passwords; don’t use them. If you are going to break this rule, use a combination of them.
  4. Don’t ever use the same password twice. If the password for your email account is the same as your bank account and Facebook page, you are going to be in a lot of trouble if someone finds out your password. Use a program like KeePass (http://keepass.info/) to keep track of your passwords for you. It is completely free, and can help you safely keep track of what passwords go where.

Tell your friends!

Nobody likes to admit that they were duped, but it is important that you let people know what has happened. If your friends and family (online and offline) are aware that you were hacked, they will be able to help keep an eye out for suspicious activity for you. It only takes one caring friend online to agree to wire “you” money because your social account is under the control of another person. Knowledge is power. Empower yourself and your friends.

From an identity/financial perspective:

Call the police (non-emergency line, NOT 911), get a police report

It doesn’t really seem like something you would have to do if your computer was hacked, but if you believe that someone has stolen any of your personal data, you need to contact your local law enforcement and file a police report. Digital theft is still theft, and theft is against the law. Additionally, your bank, credit card companies, and other businesses may require you to have a police report when filing claims with them. It may end up being a very simple police report, but so long as they can file that “my files were stolen on this date at this time”, you’ll have something to work with.

Call your bank and credit card companies

If you think that your bank or credit card account information may have been compromised, you will want to contact your banking institution and credit card companies as soon as possible to let them know that you may have lost your data. At bare minimum, you will want to tell them what happened, and to be on alert for any suspicious activity. Your banking representative will help you decide what to do next. In some cases, this may simply be to monitor your account for suspicious activity. In more extreme cases, they will help you freeze your accounts. If you have already had fraudulent purchases made in your name, they can help you get your money back.

File a fraud alert with the credit bureaus

Anytime you have to contact your bank, you will also want to call the big three credit bureaus (Experian, TransUnion, and Equifax) to file a fraud alert. In case you don’t already know, these agencies are responsible for tracking all of your financial accounts to determine how good of a credit user you are compared to other people (they do this using credit scores). Since your credit score is based on your credit, they will need to know if your bank accounts or credit cards have been compromised, so they can keep a lookout for any suspicious activity as well. While your bank is your first line of defense at stopping any fraudulent expenses, the credit bureaus are the second. As long as they know what is going on, they will be happy to work with you to make sure that any fraud does not negatively affect you.

If you follow the advice I have laid out for you in this article, there is a pretty good chance that any damages caused to you and your computer by a hacker (human or otherwise) will be minimal. For more tips on how to avoid these scenarios to begin with, check out this article on 5 Tips to Staying Safe Online (https://www.booksnbytes.net/5-tips-for-staying-safe-online/).

The Internet of Things Needs Security!

It has been over a year since I wrote an article about the Internet of Things, and the technology around it has evolved considerably since then. In the year since my last writing on the subject, extensive trial and error testing on my part has revealed a few pitfalls with utilizing the Constrained Application Protocol (CoAP) with a Datagram Transport Layer Security (DTLS) connection:

  • DTLS and CoAP were designed to operate at Layers 2 and 3, respectively, but very few considerations were made for them to inter-operate without marshaling data between the two layers.
  • DTLS is a connection-less protocol, CoAP is connection/session-oriented, forcing the developer to either sustain DTLS connections (insecure), or use CoAP without sessions (bandwidth-intensive).
  • Because the use of two distinct protocols is required, development complexity increases. A developer would need to write software to bridge the two protocols, handle key/certificate creation and management, and device provisioning schemes, taking away from development efforts that could be put towards building the IoT device itself.

Overall, the CoAP over DTLS concept was very elegant, but exceptionally complex and cumbersome for mass use outside of applications that require a high level of security (such as electric/water/gas utility use). CoAP alone was very insecure, but provided everything you would ever need for communicating with embedded IoT devices, specifically sensors. To be more specific, the CoAP protocol on its own was very well designed (utilizing a RESTful design which allows it to operate much like HTTP), but highly tailored for interacting with sensor devices for reading data. While provisions were made for writing data to devices to control their sensors, this can be a dangerous thing to do when your communications are unsecured.

For the Internet of Things to truly catch on for global use, a new protocol needs to be developed that takes all of the best parts of CoAP, and expands on them to add native support for security. Until an open standard can be developed that will allow all devices to be secured out-of-the-box, the Internet of Things will be nothing more than a novel concept in a niche market, where there is always the fear that your device will be compromised (an excellent example of this is a case where a web-connected baby monitor was hacked in 2012, allowing the hacker to scream obscenities at a sleeping toddler. Nice work Foscam…).

As long as a new protocol is being defined and developed, the following points should be considered. The protocol should:

  • Remain lightweight, and be inherently secure by default, with the option to disable security if needed for some reason (why? I couldn’t tell you)
    • The protocol should be secured using quality encryption, but be simple to use. “Secure by encryption, not obfuscation”.
    • To remain lightweight, the protocol must be binary. Humans do not need to be able to “read” the protocol in its raw form. Plain text protocols are dead, get over it.
  • Operate at Layers 3 and above, but should fully encompass the operations of all layers in a single protocol package
    • The protocol should be flexible enough to operate over UDP, TCP, BLE, and any other layer 2 protocol without modification, and simple enough to operate over any layer 1 medium
  • Follow a RESTful architecture, supporting CRUD operations
  • Support connection-oriented and connection-less communications
  • Support commands that require responses (confirmed commands), as well as commands that do not require a response (unconfirmed commands)
  • Support both unicast and multicast communications
    • The protocol should be capable of communicating over a traditional client-server network, as well as peer-to-peer networks, such as Tor
  • Be generic enough to allow transmission of any type of data, but flexible enough to be tailored for sensor/device-related operations
  • Utilize TLV structures for encapsulating all data being transmitted in the payload
  • Utilize simple and short URIs for data I/O operations
  • Be Free and Open Source, unencumbered by patents and proprietary lockdowns which would limit growth of the protocol and IoT utilizing it
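
The TLV requirement above, sketched as an added example (it is not code from the article or from any existing protocol). The wire layout (1-byte type, 2-byte big-endian length), the 512-byte cap and the type codes are all assumptions, since the article defines none; the point is that the decoder never trusts the sender's length field.

```python
import struct

# Assumed wire layout (the article does not define one):
# 1-byte type, 2-byte big-endian length, then `length` bytes of value.
HEADER = struct.Struct("!BH")
MAX_VALUE_LEN = 512  # assumed cap so one record cannot exhaust a small device

# Hypothetical type codes for a sensor reading
T_URI, T_TEMP_DECI_C, T_UNIT = 0x01, 0x02, 0x03


class TLVError(ValueError):
    """Raised when a payload does not parse as well-formed TLV."""


def encode(records):
    """Serialise an iterable of (type, value-bytes) pairs."""
    out = bytearray()
    for rtype, value in records:
        if not 0 <= rtype <= 0xFF:
            raise TLVError(f"type {rtype} does not fit in one byte")
        if len(value) > MAX_VALUE_LEN:
            raise TLVError(f"value of {len(value)} bytes exceeds cap")
        out += HEADER.pack(rtype, len(value)) + value
    return bytes(out)


def decode(buf):
    """Parse a payload, refusing anything that is not exactly well-formed."""
    records, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < HEADER.size:
            raise TLVError(f"truncated header at offset {offset}")
        rtype, length = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        if length > MAX_VALUE_LEN:
            raise TLVError(f"record type {rtype} declares {length} bytes, over cap")
        if length > len(buf) - offset:
            # The length field comes from the sender: never read past what arrived.
            raise TLVError(f"record type {rtype} overruns payload")
        records.append((rtype, bytes(buf[offset:offset + length])))
        offset += length
    return records


def decode_or_reason(buf):
    """Return the decoded records, or the rejection reason as a string."""
    try:
        return decode(buf)
    except TLVError as exc:
        return str(exc)


def temperature_c(records):
    """Pull the temperature out of decoded records (signed tenths of a degree)."""
    for rtype, value in records:
        if rtype == T_TEMP_DECI_C and len(value) == 2:
            return struct.unpack("!h", value)[0] / 10
    return None


# Constructed sample: a reading of 21.5 degrees C published at the short URI "/t".
SAMPLE = encode([
    (T_URI, b"/t"),
    (T_TEMP_DECI_C, struct.pack("!h", 215)),
    (T_UNIT, b"C"),
])

if __name__ == "__main__":
    print(decode(SAMPLE), temperature_c(decode(SAMPLE)))
    print(decode_or_reason(SAMPLE[:-1]))      # last value cut off
    print(decode_or_reason(b"\x01\xff\xff"))  # hostile length field
```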

If these basic points are taken into consideration while the protocol is being defined, the Internet of Things could greatly benefit from the work, and finally have a common and secure base from which to start to grow. Without the development of a protocol that follows these guidelines, I fear that the Internet of Things will eventually grow into a mass of millions (or billions) of unsecured devices, all running their own proprietary protocols which are built on top of an already over-layered Internet architecture.


5 Tips for Staying Safe Online

When it comes to using computers, mobile devices, and the Internet, it amazes me how safe people feel, and how many of those people fall victim to viruses, malware, and identity theft. While everyone seems to think that the Internet is a safe place, the truth is that the Internet is the complete opposite!

The same goes for your computers and your mobile devices (cell phones, tablets, your smart car, etc.). Anything that is connected to a network of other devices can be prone to exploitation. Though the internet is not safe, there are certain steps that you can take to at least attempt to protect yourself.

1. Be Cautious, Be Suspicious

First and foremost, if you are online, you need to be cautious. It is very safe to assume that for every legitimate website on the Internet you could find, there are 50 more that look almost identical, but are designed specifically to trick you into clicking on a link to post to your Facebook, instead downloading and installing malicious software on your computer or mobile device. If you are browsing websites like Facebook, Twitter, etc., check the top-left corner of your web browser for a green lock icon followed by “https://”. This simple little green lock image and “https://” text indicate that the website is being sent to you using an SSL certificate to encrypt your data. If you click on this icon, you can read additional information about the website to verify that the website you are looking at actually matches the certificate. If it doesn’t, get out of there! It’s probably a scam.

If a website doesn’t quite look right to you, proceed with caution (or get out of there). As I said before, many websites are created specifically to look exactly like another, legitimate website. Scammers try to use these look-alike websites to fool you into giving up personal information and downloading viruses/malware/trojan horses/etc. If you think you are looking at Facebook, but the Facebook logo image is the wrong color, it’s probably not legitimate. Watch out for the little details; even something like the font used for text on the webpage could be slightly off. Finally, keep an eye on the URL for the website. A domain name can only be registered to ONE person, so if someone was trying to make a fake Facebook (I’ll just keep using them as an example), they might register a website to http://www.facebok.com (notice that “book” is spelled wrong). If you weren’t paying attention, you could end up looking at the scammer’s website (luckily, Facebook has already thought of this, as have most other major website owners). One other sneaky trick that scammers use is to post fake links. As an example, the following link says it goes to Twitter. Use your mouse to hover over the link, but don’t click it.

Go To Twitter

While you are hovering over the link, look in the bottom left corner of your web browser. The text says “google.com”, doesn’t it? If I were a meaner person (I am, but I try to play nice), I could have easily made that link take you to the nastiest adult material you could (or could not) imagine. Just because a link says that it does something doesn’t necessarily mean that it really does what it says. Always check what you are clicking on before you click on it!
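
The hover check and the misspelled-domain check described above can also be done mechanically. The following is an added example, not code from the original article: it parses a constructed HTML snippet and flags links whose label names one site while the destination is another, and destinations that are near misses of a known domain. The `KNOWN_SITES` list and the 0.85 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> the domain that brand really uses.
KNOWN_SITES = {
    "twitter": "twitter.com",
    "facebook": "facebook.com",
    "google": "google.com",
}
LOOKALIKE_RATIO = 0.85  # assumed similarity threshold for near-miss domains


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host name without a leading 'www.'; '' for relative links."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def belongs_to(host, site):
    """True if host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def check_link(text, href):
    """Return findings for one link: what hovering over it would have revealed."""
    host = host_of(href)
    if not host:
        return []  # relative link, stays on the current site
    findings = []
    for brand, site in KNOWN_SITES.items():
        # The label names a site, but the destination is somewhere else.
        if brand in text.lower() and not belongs_to(host, site):
            findings.append(("text-mismatch", brand, host))
    for site in KNOWN_SITES.values():
        # The destination is almost, but not exactly, a well-known domain.
        similar = SequenceMatcher(None, host, site).ratio() >= LOOKALIKE_RATIO
        if similar and not belongs_to(host, site):
            findings.append(("lookalike", host, site))
    return findings


def scan(html):
    """Check every link in an HTML document."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(text, href, check_link(text, href)) for text, href in collector.links]


# Constructed sample built from the two cases the article describes.
SAMPLE_HTML = """
<a href="http://google.com">Go To Twitter</a>
<a href="http://www.facebok.com/login">Log in to Facebook</a>
<a href="https://www.facebook.com/">Facebook</a>
<a href="/about">About this blog</a>
"""

if __name__ == "__main__":
    for text, href, findings in scan(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {findings or 'ok'}")
```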

Finally, don’t be afraid to be a little suspicious while online. Does your grandmother really need your social security number? When did your cousin move to Nigeria and become a prince? When you are talking to somebody online, you are talking to an Anonymous entity (more or less); treat them as such. If something seems unusual or out-of-the-ordinary, refer back to the “be cautious” tips above.

2. Use Secure Passwords

Passwords are at the heart of security. If we don’t have some form of secret key to use to lock our data away, it could be taken as easily as taking candy from a baby (seriously, who does that?). For anyone who hasn’t already seen these tips a hundred times, here they are again:

  • You should always use a strong password. Make it 10 characters or more in length, or use a whole sentence! Make sure there are uppercase and lowercase letters, numbers, and symbols included. If you can see it on your keyboard, you can use it in a password (so use it)!
  • Never reuse passwords! If you reuse usernames and/or passwords for all of your social sites, it only needs to be stolen once for you to have all of your social sites compromised. And for the love of computing, DO NOT use the same credentials for your public data (such as social sites) and private data (such as your bank account)!! I will repeat this: DO NOT use the same credentials for your public data (such as social sites) and private data (such as your bank account)!! One more time: DO NOT use the same credentials for your public data (such as social sites) and private data (such as your bank account)!!
  • Use a password manager application: If you take the advice of the two bullet points above, you’re going to have a lot of complex passwords to remember. Is your memory not as sharp as it used to be? Get a Password Manager application. These programs are specifically designed to remember these passwords for you, and securely store them on your computer/mobile device.
  • When possible, use Two-factor Authentication: Two-factor authentication is a way of making sure you are really you when logging in to a website. There are many forms of this, but most people rely on the password + text message approach, where you enter your username and password to log in to the website, and then a randomly generated confirmation code is sent to your phone, which you also have to enter into the website to prove that you are really you.
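
The password rules in this list and in the earlier “Using another device, change your passwords” list (length, mixed character classes, no lightly modified old password, no personal details, no reuse) can be checked before a new password is accepted. This is an added example, not code from the original article; the 0.8 similarity threshold and all sample passwords are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 10         # "10 characters or more"; the earlier list's hard floor is 8
SIMILARITY_LIMIT = 0.8  # assumed threshold for "a modified version" of the old one
CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def letters_only(password):
    """Strip digits, symbols and case, so 'Summer2023!' and 'sUmmer#24' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_modified_version(new, old):
    """True when new is old with only a few characters changed, added or removed."""
    if SequenceMatcher(None, new.lower(), old.lower()).ratio() >= SIMILARITY_LIMIT:
        return True
    # Catch re-decorated passwords: same words, different digits and symbols.
    core = letters_only(new)
    return len(core) >= 4 and core == letters_only(old)


def check_password(new, old=None, personal=(), in_use=()):
    """Return the list of rules that `new` breaks (empty list means acceptable).

    personal: names, birthdays, anniversaries the user should not build on.
    in_use:   passwords already used for other accounts. Assumption: this runs
              where those are already visible to the user, such as inside an
              unlocked password manager.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too-short")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, new):
            problems.append(f"missing-{name}")
    if old is not None and is_modified_version(new, old):
        problems.append("modified-old-password")
    for detail in personal:
        if detail and detail.lower() in new.lower():
            problems.append(f"personal-detail:{detail}")
    if new in in_use:
        problems.append("reused")
    return problems


# Constructed sample values, not real credentials.
OLD = "Maple!Street42"
CANDIDATES = ["Maple!Street43", "maple_STREET_2024", "Rex1984", "c7#Vq!mZ2p@L"]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = check_password(candidate, old=OLD, personal=("Rex", "1984"))
        print(candidate, "->", result or "ok")
```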

3. Use a Secure Network Link

There are multiple ways to connect to the Internet these days. All laptops and many desktop computers come equipped with a WiFi adapter that allows you to connect to a wireless network, as do most mobile phones and tablet devices. Many of these devices also have the ability to use a cellular network to connect to the Internet. Finally, there is always the good old-fashioned wired connection to a switch/router. Whatever method you use, you need to consider how secure the connection itself is.

Public WiFi is by far the most insecure connection method currently available. This is a concept commonly seen at your local Starbucks, or anywhere there is a business offering WiFi. Public WiFi is so insecure because it is, well, public, meaning that ANYONE can use it. For public WiFi to work for everyone, security measures that are normally used with WiFi connections are often disabled. Oftentimes, this means that anyone who is currently using the same public WiFi hotspot that you are has complete access to the network, AKA complete access to see any data you send over the network. In some cases, they can also see files and data stored on your computer or mobile device.

When using public WiFi (or any network connection), it is very wise to use a Virtual Private Network (VPN) connection to help secure the data you send and receive from your device. A VPN connection allows you to safely connect to a private network over a public network, and encrypts your data while doing so. This allows you to send and receive your data over a public connection securely, greatly reducing the chance that your data can be seen by prying eyes. A VPN, though secure, does not protect your PC itself. When connected to a network, be sure that you also have a firewall enabled and running on your device. A firewall is a program (or standalone device) that selectively blocks traffic to and from your device, which can be used to stop people from getting into your computer. A firewall is highly recommended to be used at all times. Under normal circumstances, your computer will already have a free firewall installed and enabled right out of the box (such as Windows Firewall), but your mobile device may not (if not, visit your device’s App Store and search for ‘firewall’ to download and install one).

4. Use Antivirus AND Anti-malware Programs

Let’s face it: at some point in time (no matter how safe you are online), you are more than likely to inadvertently acquire some malicious software. If you don’t want this to be a daily occurrence, make sure you have quality antivirus and anti-malware software installed and running at all times. Not all quality software costs money; there are many free security applications that can be very helpful. I personally recommend the free versions of AVG Antivirus and Malwarebytes Anti-Malware. When used side-by-side they do an excellent job of preventing and (if necessary) removing Potentially Unwanted Programs (PUPs), viruses, spyware, and malware.

While we’re on the topic of software, it would be good to note that the programs you run on your computer/mobile device are regularly updated by their developers, usually to fix security issues that have been found in them. It is extremely important that you keep your software up-to-date, especially on mobile devices. If you ever see an “update available” popup or notification for an application that you know and trust, make sure you install it ASAP. Warning: As mentioned earlier, scammers can sometimes create false “look alike” popups that can actually install PUPs on your devices; be sure that you inspect any update notifications and make sure they are credible before installing them. If you are prompted to install an update for a program on your device that you have never heard of, it is safer to ignore it than to install it and find out the hard way that it was not what it seemed to be.

5. Back Up Your Data

If all else fails and your device is 100% infected, corrupted, or struck by lightning, you’ll be fine, because you regularly back up all of your data, right? Wrong! From my experience, the majority of users NEVER back up their data, meaning the first time something goes catastrophically wrong, they have completely lost some or all of their personal data. Can you imagine getting infected by CryptoLocker, and having every family photo you have encrypted and held ransom, or completely destroyed?

Backing up your personal data is an extremely important step to take, and can be thought of as a contingency plan for when all else fails. Properly backed up data can be recovered in a relatively short period of time (minutes to days, depending on the volume of data to restore). There are a variety of ways to back up your data, which can be online (using a service such as DropBox, Google, or Microsoft OneDrive), or offline (using a device such as a USB thumb drive, external hard drive, or CD/DVD disks). It is good to have both online and offline copies of your data, just in case one of the two backups is unrecoverable (which does occasionally happen). Finally, if data is extremely sensitive, it is good to have what is called an “offsite backup”, which is a backup that is stored at a different physical location than where you really are. Offsite backups are good for times when your computer gets physically destroyed (house burns down, flood, etc.), since they can be spared from being damaged themselves.

Recapping Online Safety

To sum up what this article discussed:

  • The internet is not a safe place, but you can be
  • Be cautious, be suspicious
    • No, you do not have a Nigerian Prince cousin
  • Use secure passwords
    • Make ’em long, strong, and unique
  • Use a secure network link and a firewall
    • Public WiFi is the devil
  • Use Antivirus and Anti-Malware
    • Avoid PUPs (not puppies)
  • Backup your data
    • Always have a Plan B, online, offline, or both


Running Your Computer for Free – The Best Free Software Alternatives

In today’s day and age, there is a myriad of software, licenses, and EULAs that need to be considered when turning on your computer every day. With the recent shift to cloud-based Software As A Service, software licensing costs have been changing from a large, one-time up front fee, to a smaller monthly subscription fee, making the cost of the software look much smaller. If you really think about it, you will spend more money on software throughout your life than you ever will on the computers you own. This topic certainly deserves a blog post of its own, but I’ll save that for a later date.

In short, there is absolutely no reason any computer user should have to pay ridiculous sums of money every month to use the computer they already own. Enter Free and Open Source Software (FOSS).

A Very Brief History

Ever since the 1990’s (around the time that the Linux Operating System was created by Linus Torvalds), the Free Software Movement has been growing, where software developers (like myself) have been creating some very useful computer programs, and releasing them for public use at $0 cost. This software is called Free and Open Source Software, because the developer releases the software, along with the source code, free of charge, with no restrictions on use, leading people to refer to FOSS as “Free as in freedom”.

There are thousands of FOSS applications available on the internet that can be used to operate your PC. Since I’m such a nice guy, I’ve put together a list of some of the more common programs. This list should give you the basic programs that would let you operate a full FOSS environment, freeing yourself of licensing forever!

Operating System

Your computer’s Operating System is exactly that, the system that operates. Without an OS, your computer would do, well, pretty much nothing.

Microsoft Windows -> Ubuntu (http://www.ubuntu.com/desktop)

There are thousands of varieties of Linux in the world, most of which are 100% FOSS. Ubuntu, while it doesn’t really look or feel like Windows at all, still provides all of the basic tools you will ever need for personal computing.

Apple Mac Replacement -> Elementary OS (https://elementary.io/)

Another Linux variation, elementary comes out of the box styled after the latest version of Apple iOS, making it a great replacement for those Apple users out there. While I have not tried this distro myself, it does look enticing.

Productivity Tools

If you can’t be productive with a computer, then what is the point of using one? And don’t say Facebook. Here are some replacement tools for the office:

Microsoft Office -> LibreOffice (https://www.libreoffice.org/)

At a cost of $70-150/year, Office isn’t exactly cheap these days (I remember when it was $200 and you kept it forever). However, you can get all of the same tools at a marginal cost of $0/forever by switching to LibreOffice. LibreOffice is an amazing office suite that usually comes installed on your Linux desktop, and gives you Writer (MS Word), Impress (MS Powerpoint), Calc (Excel), Draw (vector graphics and flowcharts), Base (databases), and Math (formula editing) tools right out of the box. You’ll basically get all of the goodness of MS Office, plus some! The best part: LibreOffice can open and save in MS Office native file formats, so your documents can be used between them without a problem.

Microsoft Outlook -> Evolution (https://wiki.gnome.org/Apps/Evolution)

For those of us who still use an email client, Evolution is an excellent tool that provides email, calendar, and contacts handling, with a very familiar look and feel to Outlook. For those of you who do not use an email client, I bet Outlook had something to do with why you don’t…

Graphics Editing

Photo and video editing is a very common use for computers these days, especially with the advent of websites like Instagram, which are based around taking good pictures for posterity. Check out some of these excellent alternative applications for editing your perfect shot:

Adobe Photoshop -> The GNU Image Manipulation Program (“The GIMP”) (https://www.gimp.org/)

Photoshop has been the de-facto standard for photo and graphics editing for many years, and is an exceptional application. Once upon a time, a single-user license for this program would sell for a whopping $500, however with the move to the Adobe Creative Cloud platform, Photoshop can be used on a subscription basis at as little as $20/month. But what if you want the power of Photoshop without the bill? Enter The GNU Image Manipulation Program (“The GIMP”), stage left. The GIMP is an image and graphics editing program with the same/similar features as Photoshop, but with the outrageous price of NOTHING! Even though The GIMP is FOSS, it is still fully-featured and powerful enough that it is used by Hollywood for editing graphics on major motion pictures.

Adobe Illustrator -> Inkscape (https://inkscape.org/)

Adobe Illustrator is the vector graphics version of Photoshop, allowing you to edit SVG, EPS, and other vector formats with ease. Inkscape is an excellent alternative to Illustrator, giving you all the tools you need to create, modify, and render your vectors any way you like.

3DS Max -> Blender (https://www.blender.org/)

When it comes to 3D modeling, Autodesk is widely considered the best in the market, with only one competitor: Blender. Blender is well suited to individuals and small studios who benefit from its unified pipeline and responsive development process. Want to make a game? Blender has a built-in Python API for scripting out your own scenes, giving you the power to create your very own 3D game using just one program.

Other Applications

There are thousands more Free and Open Source Software applications out there in the world that can be used to replace every facet of your computer. More examples:
