The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse
By Nick Selby and Heather Vescent
About this ebook
As we live more of our lives online, we need to be more aware of the risks we face—and what we can do to protect ourselves. We all know that our identities can be stolen, and that intellectual property can be copied and sold. But even scarier things are now possible. Vehicle systems can be hacked, our power grid can be sabotaged, and terrorists are getting more sophisticated by the day.
In The Cyber Attack Survival Manual, you learn hands-on tips and techniques for fighting back. Author Nick Selby, a police detective who specializes in busting cybercriminals, gathers a consortium of experts in digital currency, crimeware, intelligence, and more in order to share the latest and best security techniques.
The Cyber Attack Survival Manual covers:
Everyday security: How to keep your identity from being stolen, protect your kids, protect your cards, and much more.
Big Stories: Silk Road, Ashley Madison, FBI vs. Apple, WikiLeaks, Bitcoin, and what they mean to individuals and society at large.
Global issues: the NSA, how hackers can crash your car, and looming threats from China and elsewhere.
Nick Selby
Nick Selby has been an information security analyst and consultant for more than a decade, and has worked in physical security and intelligence consulting in various roles since 1993. In 2005 he established the information security practice at industry analyst firm The 451 Group, where he conducted in-depth technical briefings and consulted more than 1000 technology vendors. Nick has consulted hundreds of venture-backed startups on understanding their competitive landscape, on product development and feature enhancements, user interface and security. He has consulted US and European governments, more than 80 investment banks, more than 20 venture capital firms; on the investment side, to better understand the technology and landscape of the companies into which they invested, and on the operations side on securing their intellectual property and processes. In 2007 he was appointed VP of Research Operations at 451, where he managed more than 35 technology analysts, developing analysis products and technologies to leverage their insights. Since 2006 Selby has served on the faculty of IANS Research. His work consulting F500 companies on data theft and industrial espionage has placed him at the leading edge of firms helping those under attack by adaptive, persistent adversaries, and he is experienced at managing attacks and architecting recovery networks. Since 2008 he has focused on law enforcement intelligence, and he works part-time as a sworn police officer in the Dallas-Fort Worth Metroplex, investigating cyber crime. He teaches continuing legal education on cyber crime for prosecutors in one of the country's largest jurisdictions, and writes the TechTalk column for Law Officer Magazine. He is the CEO of StreetCred Software, which produces software that helps law enforcement serve fugitive arrest warrants through predictive intelligence.
Book preview
The Cyber Attack Survival Manual - Nick Selby
THIS BOOK IS ALREADY OUT OF DATE (AND THAT’S OKAY)
Every day there seems to be a new story about cybercrime: millions of credit cards stolen, private celebrity photos leaked, foreign agents interfering at the highest levels of government. It’s hard for even the best-informed reader to know how much of this is real versus scare-mongering clickbait, and how to react regardless. Sadly, many people become so paralyzed by fear that they vacillate between different strategies for too long. Conversely, some decide it’s all too much and try to ignore the topic completely.
The thing is, each of us is utterly reliant on cybersecurity in ways both obvious and unexpected. As a police officer, I’ve brusquely knocked on the door of the suspect in a cyber case only to find a 78-year-old retiree, innocent of anything but a yen for some specialized, icky, but legal pornography. Our man made a rookie mistake by going for the free icky-but-legal porn, unaware of the first rule of the web: if you can’t figure out how someone makes money on a site, you’re the product. Criminals had planted malware in his naughty movies and were renting cyber scammers remote access to his computer, unbeknownst to him.
Some of the hacks we describe will be old news tomorrow. Some will take on new and more insidious forms. And something new will pop up every time you turn around. That’s okay—this book gives you the tools you need to understand what your digital footprint looks like to criminals, advertisers, investigators, and governments, and how to figure out and fix your vulnerabilities even as the specific threats change.
We can’t tell you everything that might happen to you—some of next week’s threats are being cooked up right now in basements and labs from Missouri to Moldova. But we can tell you how to reduce your risks no matter what. Security experts like to talk about OPSEC (operational security). And OPSEC is OPSEC—today and forever. It’s not about specific dangers, it’s about a mind-set of preparedness.
Understanding your digital universe and the consequences of your actions will reduce the things that can make you a victim, without your having to miss out on everything the internet has to offer. This book will help you better understand the kinds of threats out there, and give you the tools and perspective to protect yourself. The rest is up to you.
NICK SELBY
ALSO, THIS BOOK WILL FREAK YOU OUT (AND THAT’S ALSO OKAY)
To put it simply, you’re in danger. Your identity, your bank accounts, your kids, and even your government are vulnerable to attack from cyber criminals around the world. That should freak you out. But this book is much more than a collection of scary stories (although it’s that too). It’s also a toolkit for protecting yourself and your data in an increasingly dangerous online world.
The digital age has given us a dazzling array of products and services at our fingertips, but also created new and often unexpected problems. Security technology will continue to get better—and criminals will keep finding new ways to get around that technology. That’s where we come in.
How to get your head around security in the modern age? Most people want to know first and foremost how to avoid getting hacked. That’s the wrong mindset. It’s almost inevitable that you’re going to be hacked at some point in your life online.
Start with the assumption that even the most secure technologies are vulnerable. There’s an ongoing war between criminal hackers and security experts, and that’s not going to change. The only way we can win is to assume everything will be hacked, and take precautions to secure what is important. If you expect this inevitable hacking of your security systems, you will be able to understand the risk factors and monitor your security on an ongoing basis. You’ll know the places you are vulnerable and be able to take appropriate precautions.
How to know which are the appropriate precautions? That’s easy. Read this book! Many of the vulnerabilities enumerated in this book can be dealt with relatively easily, once you have the know-how. You don’t need to have the most secure system, just the best one for your needs. Not sure what those are? We’ll help you figure that out.
In a sense, hackers, in their own way. Every time they break a system, we learn something new about its vulnerability, and how to make it more secure. I personally look forward to the new and exciting ways hackers will point out the limitations of each new technology. I just don’t want them learning on you!
HEATHER VESCENT
Your bank account is suddenly, mysteriously overdrawn. Everyone in your address book gets a desperate email from you asking for money. You fail what should have been a routine background check. Your TV starts getting unusual error messages. What’s going on? Cybercrime can, quite literally, hit you where you live—and it’s getting more common all the time as our lives get more connected and hackers more sophisticated. The chapters that follow tell you what to do when Internet bad guys make it personal—stealing your identity or your money, invading your privacy, bullying your kids, or even threatening your life. We also highlight some unexpected vulnerabilities in your smart phone, your browsing habits, and your household appliances, as well as how to keep your personal information safe and secure.
CHAPTER 1
KEEP YOUR IDENTITY SAFE
IDENTITY THIEVES CAN BUY, SELL, OR CAPTURE YOUR IDENTITY AND USE THE INFORMATION TO GET MONEY AND SERVICES—OR USE YOUR NAME, CREDIT RATING, OR INSURANCE TO TAKE OUT A LOAN OR GET FREE MEDICAL CARE.
There are myriad ways for the bad guys to get your information and use it for all sorts of nefarious purposes—mainly, stealing your money, although occasionally for other kinds of fraud or to cover their tracks when committing additional crimes. That’s one of the big reasons identity theft can be so devastating. If a criminal steals your credit card information, your bank will likely refund you the money that was lost. If the same criminal impersonates you to run an international child pornography ring, however, then your problems just got a whole lot worse… especially since many law enforcement folks aren’t up on the latest types of cybercrime, so “that wasn’t me” might not go over well.
How does it happen? We’ll examine the many methods of identity theft in the pages that follow, and we’ll also show you how you can protect yourself from being a victim or fight back if you already are. The methods of ID theft range from the seriously low tech (such as digging through your trash for unshredded financial documents or stealing those new credit cards that the bank sends you unexpectedly) to sophisticated database breaches and other hacks staged half the world away by large crime syndicates to fund cyberterrorism operations.
AMERICA’S FIRST IDENTITY FRAUD Philip Hendrik Nering Bögel had some financial problems, and he was a creative thinker. So in 1793, when things got too hot for the Dutchman (who was wanted for embezzlement at the time), he did what any forward-thinking identity thief would do today: He hot-footed it out of the Netherlands, setting forth on this continent a new city, conceived in parsimony, and dedicated to the proposition that Bögel deserved better. Calling himself “Felipe Enrique Neri, Baron de Bastrop,” Bögel started being awfully helpful to early Texas leaders Moses and Stephen F. Austin in obtaining land grants. After being named Texas land commissioner, Bögel came to settle a Texas city that he named after himself. Today, visitors to Bastrop, Texas, population 5,340, can celebrate how America’s earliest successful ID fraud operation netted one guy a whole city.
T/F
MY IDENTITY ISN’T WORTH STEALING!
FALSE Attackers are smart, and they seek the easiest path to their ultimate target. Often, that easiest path runs through your computer is you. You may say, I just have photos of my grandkids on my hard drive.
But your machine is connected to the internet, making it a target. Hackers can hijack your computer and join it into a secret global network for spam, attacks on other computers, and more nefarious activities. While they’re at it, they might just steal your banking information as well. It is also not unknown for hackers to destroy a computer, so that even those family photos that are priceless to you, while worthless to others, end up lost with the dead computer.
MANY TYPES OF IDENTITY THEFT Criminals impersonate you online for a range of different reasons and in a variety of ways. For cyberstalkers (see pages 50-51 for Amanda Nickerson’s story), the impersonation is usually part of a larger cyberbullying effort. But in most cases, the motivations are financial. Whether it’s designed to get bank cards or bank loans in your name, obtain credit in your name, or impersonate you to use your existing credit, identity theft is usually a gateway cybercrime—an initial act, atop which lie other criminal schemes. So really, “identity theft” should be thought of as a family, or a category, of cybercrime.
Even though it’s common for victims to be reimbursed by banks or credit card companies, the damage done by ID theft can affect you for years. Your credit score and history are the main ways that banks, car dealers, and other lenders determine the risk of extending you credit, and the black marks can be hard to erase.
A Taxing Scheme One of the fastest growing crimes in America is tax return fraud, which can net identity thieves thousands of dollars for each successful impersonation they make to the IRS. The criminals get hold of your Social Security number and personal information, and then create a tax return in your name that shows a modest overpayment on your part. The return is filed online using software, and within days, the IRS sends out a refund to “you”—at the address given by the thief. The refund is typically made using prepaid Visa cards, which can be easily exchanged for cash or property.
FORMS OF IDENTITY THEFT
Fraudsters don’t just steal your driver’s license or credit card. They’ll take your whole identity and make use of any part they can.
CASE STUDY
STRANGERS WITH CANDY In 2004, some InfoSec folks did a little experiment in which they offered passersby on the street a candy bar if they would tell them their work logins and passwords. To their surprise, some 70 percent were willing to part with the information—half of them did so even without the chocolatey bribe. You’d think that would have been a wake-up call. And indeed, governmental agencies and private-sector companies spend millions of dollars on training to make employees aware of proper security procedures and how important it is to follow them. How’s that going? Well, when the experiment was repeated in London in 2008, there was no difference.
Whether the reasons are cultural or technical, the fact is, people are just really bad at keeping their passwords secret. They just don’t take it seriously. What’s even more galling to those who work with companies and individuals to improve security comprehension is that “your password” is still taken literally. By which I mean that most people to this day use just one password for many or all of their accounts—and a weak one, at that (see page 28 for more on creating a secure password).
You might think that this problem would have already been solved with the creation of password manager apps, which significantly reduce the toil and trouble of thinking up (let alone remembering) strong new passwords, such as the ever-popular 98cLKd2rh29#@36kasgJ!. Plus, the programs are easy to use and can automatically change the passwords for all your online accounts.
So in 2016, when a security consultant decided to try the chocolate bar trick again, this time staging it as a contest in which the person with the “best” login and password would win prizes ranging from candy to a bottle of Champagne, he finally got different results: They were even worse than before.
SECURITY BASIC
GUARD THOSE DIGITS You should think thrice before handing over your Social Security number (or, outside the U.S., your national identity number), even if a legitimate office is requesting it from you. This number is a universal identifier, and you’ve probably been asked for it multiple times a year, every time you open a bank account, take out a loan, or verify your personal information. It always pays to think about why it would be needed and to refuse to provide it unless it is absolutely necessary. If you’re paying cash, never give out the number. I would rather put down a $75 deposit to get electricity or phone service than provide the utility company with my Social Security number—plenty of utilities have been routinely hacked, and ID theft in America thrives on this ubiquitous identifier. If the service provider doesn’t need it, don’t provide it to them.
TRUE STORY
TINFOIL HATS It’s a common joke that some people are so paranoid, they line their hats in tinfoil. Funny thing? That might not always be such a bad idea.
There are many ways to conduct data theft, and some of them do rely on secret transmissions. The best (or, at least, one of the coolest) examples of this was the Soviet hack against IBM Selectric II and III typewriters in the 1970s. About fifteen of these were used in the U.S. Embassy in Moscow and the consulate in Leningrad, and were modified by Soviet spies to contain a device that measured the magnetic disturbances generated when the little Selectric ball swiveled. Each letter, it turned out, had its own signature. By implanting a receiver in the walls (the buildings were, of course, built by Soviet contractors), the government could see the very pages of documents as they were typed up.
HOW THEY DO IT Criminals engage in obtaining identities to exploit in a range of ways, from low-tech to Secret Squirrel. Once the most common method of identity theft, paper or wallet theft is still popular, but now it’s a small-time operation. Still, someone lifting your wallet and using your ID and credit cards can do a fair bit of damage. Similarly, ID theft can occur when people rifle through your trash and find bank statements and other bills with account numbers, balances, and dates. These specifics allow thieves to call those vendors and report your cards as lost, change your address, and have replacements mailed to them.
Other schemes to separate you from your identity run the gamut from physical theft of personal documents from service providers to breaking into a computer network specifically for the purpose of stealing data. Another popular method is phishing (see page 24).
But of course, the most common method of stealing identities is to do so en masse in a large-scale breach of a retailer, bank, insurance provider, or government agency. This gives criminals the biggest bang for their buck and the largest number of targets. See the chart on the facing page for more information about how this works.
One Step Ahead of the Law It is very difficult for authorities to prevent or successfully prosecute identity thieves. Because much of the fraud can be done at a distance and by using online tools, catching the criminals in the act is difficult. What’s more, with the global nature of the internet, the criminals don’t even have to be in the United States to commit these crimes. And, finally, ID theft can go on for some time before a victim is even aware that it has happened.
HOW MIGHT YOU BE VULNERABLE? The vast multibillion-dollar cybercrime industry can be divided into three basic categories, each with its own objectives, although at the end of the day, the result is the same: You’ve been had. Understanding the differences, and what happens at each stage of the game, can help you stay safe. Here’s how these crimes roll out.
KEY CONCEPT
WHY IS IT CALLED PHISHING? Phishing is a term used to describe some of the most widespread and effective methods for obtaining information online. The term itself is a mash-up of two words—“fishing” and “phreak.”
The fishing part is just what you’d imagine: to fish for victims or data by using electronic bait, hooking victims, and reeling them in—an obvious and accurate metaphor for the act itself. The alternate spelling is a nod to the pre-internet practice of telephone-system hacking known as “phone phreaking,” done by “phreaks.”
This is related to another hacker practice, called “’leet speak,” which substitutes numbers for letters and some letters for others to create an often goofy insider jargon. It’s quaint today, but you will still see versions in chat rooms, as hackers somewhat jokingly refer to one another as “133t H4x0r5,” or “elite hackers.”
TEACH A MAN TO PHISH Phishing isn’t one specific thing. Rather, the term is used for a wide range of methods designed to gain access to your information. Understanding what those methods are, along with the basics of how they work, is central to both recognizing and avoiding many of the risks you face online. So before we go any further, let’s do a quick overview of the many types of phish in the sea and the ways they can bite. Here are three common methods that these criminals will try when going after your data.
Voluntary Disclosure The first method is diabolically simple: Attackers use a rich mix of psychological techniques, known collectively as social engineering, to get you to give up the goods, essentially conning you into giving away the information that they want. People are generally trusting, and it’s amazing how much information the average person will give up simply because someone happened to ask them in the right way.
Malicious Attachments In these cases, computer users are tricked by some compelling message into opening a poisoned email attachment, which then installs malware on their machine, thus giving the hacker access to their computer or network. These masquerade as “documents that the users requested,” “photos they just have to see to believe,” and the like.
Malicious Links Because many email systems can now block out malicious email attachments, some attacks will use malicious links to drive the user to an infectious web page instead. Most people are so accustomed to clicking on links almost automatically that this technique is highly effective. Most of these links are disguised to boot—an image in the email with a logo or a line of text displaying an address or site to visit that is actually a cover for a malicious web address which a hacker has set up for just this purpose.
TYPES OF PHISH There are a lot of phishing schemes in the sea. You’ve probably been exposed to at least a couple of the examples listed below—and hopefully you didn’t fall for them, although if you did, you’re one of millions of people who have. Using the information below, you’ll be better able to spot these scams and steer clear.
TYPE OF SCAM: HOW IT WORKS
CLASSIC PHISHING: A fake website “spoofs” or closely resembles a real one, into which users enter their access credentials, identity data, or other sensitive information.
SPEARPHISHING: As the name would imply, this is a highly targeted attack, often designed to victimize a small, specific group or even one individual, using highly personalized messages that may be the result of hours or even weeks of online reconnaissance on the target.
WHALE PHISHING: The spearphishing of a high-profile or high-value individual, such as a CEO or celebrity, that is, a “big fish” or “whale.”
CATPHISHING: The use of fake online personas or profiles to create a phony emotional or romantic relationship, either for financial gain or access to sensitive information.
VISHING/SMISHING: Scams or data thefts that leverage phishing-like techniques but target phone users over voice lines or SMS.
IF YOU’RE ENTERING PERSONAL DATA ONLINE, TYPE THE ADDRESS YOURSELF AND CONFIRM THE SITE IS SECURED WITH AN HTTPS PREFIX AND A CLOSED-LOCK ICON.
T/F
PHISHING EMAILS ARE EASY TO DETECT
FALSE A lot of people believe that they can easily tell when they’re being phished through email. But more and more often, scammers are crafting messages that appear to be from a legitimate source, such as your bank or your Amazon or eBay account, complete with a full page of images and icons from those sites duplicating a genuine email—but secretly redirecting an unsuspecting user to another site. You