The Watchdog: In computer security, you’re as good as your weakest link

The last person in the world a spammer should send a brazenly criminal email to is me. My email address alone — watchdog at dallasnews.com — has a ring of authority to it. Sure, I’m not the FBI, but my coverage beat includes idiots who do things like that.

But every day I get them. Just like you.

How about my poor friend Carol S.? Did you know that on a trip to the Philippines she was attacked by unknown gunmen? Yes. It’s terrible. She even sends me a note seeking my help.


“All we need is 2,500 USD,” she writes. What American doesn’t know that you write it as $2,500? That’s the tipoff that something’s wrong — and it’s not Carol stuck in Manila.

Poor Carol somehow typed her email password into the wrong place, giving a hacker the chance to take over her account and pretend to be her to all of her friends. I bet Carol has never even been to the Philippines.

Beverly A. gets a note from her cable TV company. “We are currently upgrading Charter.net with a hard spam protector.”

The note asks for her email address and password. If she doesn’t send it, “your email account will be deactivated from our database.”

Carol isn’t sure what to do.

“I didn’t respond,” she tells me. “Should I?”

NO!

I take my computer mouse and hover the cursor above the charter.net email address the note supposedly comes from. A popup box shows the real address: a gala.net domain. Fake. But I’ve got to admire the chutzpah of someone sending a spam note while pretending to be a spam protector.

The University of Texas at Dallas sends The Watchdog an important note: “Hello, we have upgraded our old server (ODS7AT) to a new server (NWS70GZ) for better delivery service. So endeavor to update your webmail account status.

“Full name:

“Date of birth:

“NetID:

“Password:”

I hover my mouse over the address and see that it doesn’t come from utdallas.edu, but from another domain. Then I type ODS7AT into a Google search box and see the results. Scam.


“We are aware of scams where the UT-Dallas name is used in an attempt to obtain personal information about the recipients,” university spokeswoman Katherine Morales tells me. “While it used the UT-Dallas name, it was not distributed by UT-Dallas computer systems.”

As readers of Dave Lieber’s Watchdog column in The Dallas Morning News first learned, the threat to personal and business computers is that it takes only one gullible person to compromise an entire network. If you knew my business password, for instance, you could instantly impersonate me to the outside world.

You could write to all the people in my contacts, as me, and ask them to download something really bad on their computers to take over their machines for criminal purposes, install viruses and remove sensitive information. Or you could ask them to send you money in USD.

That’s why I want to tell you what Tom Cochran did last month. He’s the chief technology officer for Atlantic Media, which publishes The Atlantic magazine and other publications. Before that, Cochran was director of new media technologies at 1600 Pennsylvania Avenue.

Cochran pranked employees at the company, but it wasn’t for fun. He sent everyone on staff an email asking for their password. He didn’t want them to do it. He only wanted to see who would fall for it. Bad news — 123 staffers did what he didn’t want them to do.

Cochran scolded employees in a companywide email: “Across our entire company, 58% of us clicked the email after opening it. Wow. Fifty-eight percent! With those odds, all a scammer needs to do is craft an intriguing enough subject line and they have a great chance at getting your account information. Then, you’re hacked and so is Atlantic Media.”

In the company, 67 percent of corporate staff fell for it, and 73 percent of staffers at Quartz, an online magazine, tripped up, too.

“All it takes is one stolen password and we are hacked,” Cochran continued. “Then we could have a website defaced, Twitter account tweeting false information, financial information leaked, expose your sources and a lot more.”

Cochran tells me hacking is “the No. 1 drag on the digital economy. All this fraud and fear. You’re really only as secure as the weakest link in the company.”

He adds, “It’s not that you should be scared. The tools are available.”

The main tool is two-step authentication. This is important to know. In addition to signing in with your password, more websites, especially those for financial institutions and email accounts, are offering a secondary numeric password for entry.

You don’t have to memorize it. You get that password through your cellphone as either a text or a voice message during the sign-in process. Unless a hacker has your cellphone, he or she can’t get past the second step.

Cochran is proud that at Atlantic Media, everyone now uses two-step authentication. If it’s offered, take it. Don’t ever give out your password. And if you get an email from me saying I’m stuck on the other side of the planet and need USD, you know what not to do.

Avoid scams

Marcus Rogers, Purdue University computer professor, offers these self-protection tips:

• Never give up personal information to anyone who writes or calls seeking it. Most likely, he or she is a criminal.

• Don’t be fooled by an email or website that looks real. It’s easy to make copycat sites.

• Be mistrustful. When in doubt, use the phone to check if something is real. But don’t call the phone number in the email or on the website because that could be fake, too. Get the number elsewhere.

• If someone sends you a link, don’t click on it unless you know it’s real. Call or write to double-check its authenticity.

Pay attention to your Facebook privacy settings

Facebook, as Betty White so famously said on Saturday Night Live earlier this month, “sounds like a huge waste of time.” But it’s also a way to keep up with your friends, learn more about life around you and — wait for it — have your privacy violated or get scammed.


Facebook honchos are constantly tinkering with the site’s privacy settings. Recently, Facebook made it harder to log on to the social networking site from a strange computer or cellphone. That’s supposed to stop scammers from stealing your identity and fooling your friends into sending them money because they believe you’re in trouble.

That change didn’t come soon enough for Sergio Haynes of Fort Worth. After his pal’s Facebook account was hijacked, Haynes received an e-mail, supposedly from his buddy, giving the usual story about how his friend was stuck in London after being mugged. The friend needed Haynes to wire $1,500 via Western Union so his friend could get home. Haynes didn’t recognize the popular scam.

“He’s my buddy,” Haynes remembers thinking. “I know he’s good for the money.”

So he sent it.

Only later did he learn that his friend wasn’t in London, didn’t get robbed and didn’t receive the money.

This scam has happened hundreds, if not thousands of times. Finally, Facebook announced this month that it is doing something about it. The site has created a new feature that notifies users when someone tries to access their account from a device the user doesn’t generally use. Users will receive a warning e-mail or text message.

Facebook will double up the new security check by asking the user on the strange device to identify a birth date or name a friend in a photo.

How does a Facebook account get hijacked? I’ve found two of the most common ways. One is to leave Facebook open on your computer and not log off, allowing someone else to take over.

The other way is by responding to an e-mail that alerts you that someone is inviting you to join in or look at their photos. To do so, you have to type your user name and password to gain access. Only the e-mail is a fake and the hacker captures your personal log-on information. So it’s best to log on to Facebook at the site itself, not through an e-mail.

But Facebook’s privacy problem goes far deeper than hackers. The company has begun experimenting with ways to make more money by making your information available to third-party Web sites. Facebook has done so much tinkering with its privacy settings in recent weeks that confusion among users is the norm. There are 50 different settings with 170 options. That’s a lot of button clicking to protect yourself from the prying eyes of others.

The New York Times recently created a chart of the privacy settings that was so complex it was nearly indecipherable. The outcry over the complex settings prompted Facebook’s chief of public policy to announce Tuesday, according to the Web site Mashable.com, that, “We are going to be providing options for users who want simplistic bands of privacy that they can choose from, and I think we will see that in the next couple of weeks.”

The ultimate way to protect your privacy on Facebook is to edit what your friends can share about you to complete privacy and set your activity so that only you can see it. Go to “Applications and Websites” under privacy settings and limit them, too.

When Facebook changes its privacy settings again, pay attention. Facebook shares information about its latest activities at blog.facebook.com.

One problem to watch: Many privacy features require you to opt in rather than opt out. By default, your information is public. So if you do nothing, you may have no privacy at all.

###

Facebook privacy

Access your security settings by going to “Account” in the upper-right-hand corner, then select Account Settings and Privacy Settings.

Keep outsiders from logging into your account by going to Account Settings, then Account Security and change No to Yes for alerts of strange devices trying to access your account.

ReclaimPrivacy.org offers a handbook to help you understand privacy settings.

Create a second or “junk” e-mail account using a free service such as Gmail, Yahoo or Hotmail to protect your real e-mail address from spam and hackers.

Learn more at lifehacker.com by searching for “Facebook privacy.” Visit the Electronic Frontier Foundation at www.eff.org/.

# # #

Dave Lieber, The Watchdog columnist for The Fort Worth Star-Telegram, is the founder of Watchdog Nation. The new 2010 edition of his book, Dave Lieber’s Watchdog Nation: Bite Back When Businesses and Scammers Do You Wrong, is out. Revised and expanded, the book won two national book awards in 2009 for social change. Twitter @DaveLieber
