Do you use read receipts?

Read receipts, those seemingly innocuous notifications that inform you when someone has read your message, have become a common feature in our digital communication landscape. However, beneath their unassuming appearance lies a complex web of emotions, social dynamics, and privacy concerns. Let’s delve into why read receipts can be both a blessing and a curse.

  1. Privacy Concerns:
    • Read receipts invade the recipient’s privacy by revealing when and how they interacted with the message. Suddenly, your private communication becomes a public record, visible to the sender.
    • Imagine this: You receive a message late at night, but you’re not in the mood to respond immediately. The sender sees that you’ve read their message, and now there’s an unspoken expectation for a swift reply. Privacy boundaries blur, and you feel pressured to engage.
  2. Social Pressure and Expectations:
    • Read receipts create social pressure. When someone sees that you’ve read their message, they assume you’re available and waiting for a prompt reply.
    • The instantaneous acknowledgment of receipt triggers the expectation of an equally swift response. But life doesn’t always align with digital timelines. Maybe you’re busy, need time to collect your thoughts, or simply want to respond later. The pressure mounts.
  3. Misinterpretation of Silence:
    • Silence doesn’t always mean disinterest. Yet, with read receipts enabled, the sender may interpret your lack of immediate response as indifference.
    • The psychology behind read receipts often leads to feelings of rejection. When you see that someone has read your message, you assume they should respond just as quickly. But life’s complexities don’t always allow for instant replies.
  4. Email Read Receipts:
    • Email read receipts have their own quirks. In the past, you’d receive a pop-up requesting confirmation that you’d opened an email. However, this method has waned due to secret tracking pixels embedded in emails.
    • These tracking pixels, prevalent in marketing and personal emails, silently report back to the sender when you’ve opened the email. Privacy advocates frown upon this intrusion.
  5. The Love-Hate Divide:
    • A 2017 study revealed that around 55% of Millennials and teens use read receipts on their phones. People are split on the issue.
    • Some love read receipts for the peace of mind they bring. Knowing when someone has read your message provides reassurance.
    • Others despise them. They find read receipts stressful, invasive, and perhaps even passive-aggressive.

In conclusion, read receipts are like a double-edged sword. They offer transparency but sacrifice privacy. They create expectations but misinterpret silence. Whether you love them or loathe them, one thing is certain: read receipts have left an indelible mark on our digital interactions.
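The email tracking pixel mentioned above is an involuntary read receipt: an image fetched from the sender's server the moment the mail is rendered. As an added example (not code from the original post), here is a small detector for the classic shape of such pixels, remote images sized or styled to be invisible, plus the mitigation a mail client applies when you turn on "block remote images". The sample message and its hostnames are constructed.

```python
"""Detect and neutralise e-mail tracking pixels (added example, stdlib only)."""
from html.parser import HTMLParser
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class _PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only an image fetched from a remote server can report the open back.
        if not re.match(r"https?://", src, re.I):
            return
        w, h = _px(a.get("width")), _px(a.get("height"))
        reasons = []
        if w is not None and w <= 1 and h is not None and h <= 1:
            reasons.append("1x1 size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            self.pixels.append({"src": src, "reasons": reasons})


def find_tracking_pixels(html):
    """Return a list of {'src', 'reasons'} for remote images built to be invisible."""
    p = _PixelFinder()
    p.feed(html)
    p.close()
    return p.pixels


def block_remote_images(html):
    """Mitigation: rewrite every remote <img src> to an empty data: URI so that
    nothing is fetched when the message is opened. Inline (cid:) images stay."""
    return re.sub(r'(<img\b[^>]*?\bsrc\s*=\s*["\'])https?://[^"\']*(["\'])',
                  r"\1data:,\2", html, flags=re.I)


# Constructed sample message (hostnames are placeholders, not real senders).
# Image 1 is a tracking pixel, image 2 an ordinary picture, image 3 is inline.
SAMPLE = """<html><body>
<p>Hi there, here is your newsletter.</p>
<img src="https://track.example.invalid/open?id=abc123" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/banner.png" width="600" height="200" alt="banner">
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE):
        print("tracking pixel:", hit["src"], "->", ", ".join(hit["reasons"]))
    print(block_remote_images(SAMPLE))
```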

As a bonus point for those of us who are subject to random urine analysis as part of our employment, when that email arrives telling us that our number came up, we have two hours from when the read receipt is triggered to provide our specimen. Yay, fun, huh? So if there is no receipt sent, we can enjoy our coffee to provide a better sample.

Just how much data do you volunteer in social media?

Most of us spend a great deal of time on social media in one form or another. I know that I do for a myriad of reasons. I seek entertainment, spread humor, gather information, keep up on the daily news that I need to go fact-check to make sure I am getting the truth, and even run a micro home business.

We know, of course, that we are giving up data to the social media host when we provide information to create the account.

To use Facebook as a generic example (you can really use any social media platform for this discussion), it will only take a few minutes of scrolling your ever-growing feed to find yourself participating in fun interactive memes and discussions.

Have you seen the memes that ask what the number one song was the year you were born? Well, many of us are aware that one of the common security questions is “What was the first concert that you went to?” Oh, so many fall for that one every hour, even with the wise commenting that it is a security question… sigh. So I and others who are like-minded like populating the answers with smart-alec responses to pollute the data that the scrapers are gathering.

For all intents and purposes, scammers can either post those memes to get the responses directly, or they can just pull data in from other people’s posts as long as they can read them. The data that they want? Well, it could be anything.

Here is where I am starting to take the discussion to help you learn something important. Something that many do not consider. We will call it a value add for your reading this far and actually caring.

Let’s suppose that instead of being a white hat (at least mostly white, or white by day and maybe some shades of gray after hours) cyber professional working for the betterment of humanity’s cybersecurity… I am a black hat who has relocated to a nation without an extradition treaty with the United States. Why would someone want to do that? Well, with black hat cyber skills it can be lucrative, and here is a possible option.

Set up a nice server room with a very comfy desk or recliner. Learn how to build databases. They are not hard to learn, but they do take forethought to build effectively enough to house enormous amounts of data.

At this moment it is very likely that your username and password have been compromised in some data breach in the past. (There are scam emails that rely on this data; I think I have described it in the past.) There are places on the web where you can find repositories of usernames and passwords that were stolen and posted for others to use. Sometimes it is free to download, and other times it is for sale.

If I take a few of the free collections, I can add them to my database (think of it as an Excel spreadsheet on steroids). Perhaps the file had email addresses and passwords. The low-hanging fruit would be to try to access the accounts, since so many rarely change their passwords. If I can get in, I might download all of the email and examine it for other data such as your name, location, family members, pets; think of all that you have sent in emails. Each of those items gets added to the database.

Remember that the initial data gathered was free. Perhaps it COULD have been sold, but not for much. The price would be in cryptocurrency so that it is less trackable, or at least harder to track. Do not let people make you think that it cannot be tracked; that is movie madness. Maybe you started with 1000 email addresses and passwords.

So you started with 1000 usernames and passwords, and after a few hours of login attempts (perhaps you used a testing script to complete the tests in fifteen minutes), you ended up with the passwords of 100 poor suckers who never change their password. To be very honest, I think that there will be more due to password reuse [link]. So now you have a new table with known good email accounts.

When I was doing ISP tech support, I frequently heard “It is just dumb email; if someone wants to get my recipes or bad jokes from my family, they can have them.” Oh, my… what a treasure trove. A few paragraphs ago I mentioned the kind of data gathered from a live email account. So now your tables have linked the person’s name with the email address and, if there are signature blocks, perhaps street address, city, state, country, phone number. If you wanted to sell that data, its value has gone up a little.

With all that email that you downloaded, you also identified family members. Those records get copied to another database, this one to use for trying to scam the user’s family members out of their money as they pay for bail, medical attention, or who knows what ploy the scammers will use for their deception. Now I have two databases to sell.

Now I try to see if I can log into your social media accounts using those email addresses and passwords. Maybe I am able to get access to fifty of those one hundred? Why so many? Well, remember that they are already password reusers, so why expect that they will be better with their social media accounts?

Think of your social media account and how many friends you have there. More data to feed into the master database as being connected to the victim. I do some scrolling through the feed and I see that they identified their first job (clickety click into their records) and their first car was a 79 Celica (clickety click into their records)… oh look, their profile shows that they graduated from Gullible State University in 87. You guessed it (clickety click into their records). This person’s record keeps getting more to it, and each added element makes it more valuable. I find more and more family, job history, favorite sports teams. Have you recognized how many security questions may be answered with this data? I may have enough gathered data to try logging into the victim’s bank account, or even open a line of credit; after all, I know the answers. If I can get into the bank account, think of the transactions I can make. I could buy cryptocurrency online and trade it back and forth through a myriad of wallets or other transactions to make it difficult to track it back.

Now that I have stolen the victim’s money, I can use it to purchase more equipment, or buy more ill-gotten data to add to my database, always seeking to build it for a better sale price. When you have thousands of live and accurate records with a ton of supporting information, that price tag keeps going up. Remember that when selling data, you sell it over and over. There is no physical inventory to run out of.

Maybe my database was only worth 20 bucks per copy since it was small, but with a little knuckle grease (remember, just typing, not actual elbow grease) I improved the data to be worth $500.00/copy.

Remember that there was the second database for scams? I can use an AI voice tool to make convincing replicas of the victim’s loved ones if I can get a sample of their voice. Maybe I called them with a bogus survey to get that sample. Now I can call their mother, using that replicated voice to convince mom that I need bail money. Pick a scam; there are thousands of variations.

Since I have all of those email addresses stored from getting into those mailboxes, I can add them to a third database to use for phishing emails. Just spray those email addresses and any other email address that I can collect from the web. Someone running a phishing campaign generally only needs a 1% win rate to stay profitable. (Please, for all that you care about, watch for red flags and do not fall for these emails.) Does your employer have an email contact directory online? Perhaps an org chart that shows the person, their name, email, and maybe their desk phone? (clickety click into their records) Yes, more tables, with even more data. Those company-based records go into another database. They may be handy for other types of attacks: surveillance phases, perhaps, to see if I can gain access to the corporate network to obtain yet more data. If I can get into the HR systems, will I find social security numbers nicely paired with all of the other employee data? Some days it can be too easy. Maybe I can access the networked printer in HR. Most modern printers are just computers that print. They have hard drives. Is your corporate printer also a scanner, perhaps used to scan driver licenses and social security cards to process an I-9 form for the IRS? Yeah, there is a hard drive that stores that data in the scanner/copier that might be nice for me to get into. Driver licenses… yep, you guessed it… (clickety click into their records) This data is getting quite valuable now.

With all of this data and being connected to family members… I wonder if I found any adult-oriented associations or proclivities during my hunting. [In my profession, I once stumbled onto an employee that I did not know personally soliciting prostitutes via his email.] Now if the victim is not worried about intruders in their email box, this information could be used to blackmail them. How much would they pay to not have all these sordid details posted online? Or how much to prevent their significant other from getting a phone call? Just transfer a certain amount of cryptocurrency to me and I will delete your record. I won’t really delete the record, but I will mark it as used. I will still sell it to others for their use as they see fit.

It isn’t just the big companies that make a killing off of you playing on social media; it is criminals worldwide. This is one of the reasons that cyber professionals are well compensated. With what I understand and can do, I would be quite dangerous if I retired overseas. I am here teaching you how to protect yourself. It is where I get my reward, that and any ad clicks that happen in appreciation. Money is good, but as long as my family is housed, clothed, fed, and loved by our dogs… then I am happy.

If you came away with nothing but an understanding of how those silly meme games sneak valuable data out of you, then it is a positive step. Stop and think before you reveal personal information. It does not take much to turn it into Personally Identifiable Information.

The Human Firewall: Your First Line of Defense

Imagine your workplace as a grand castle, fortified with walls, moats, and watchtowers. But amidst all the stone and steel, there exists a vital yet often overlooked defense: the human firewall. This invisible shield is composed of every employee—the knights, scribes, and jesters—who interact with the digital realm.
  1. Vigilance and Awareness:
    • The human firewall is not impervious; it thrives on vigilance. Every click, every link, every attachment—these are potential gateways for cyber threats.
    • Employees must be aware of the dangers lurking in their inboxes. Phishing emails disguise themselves as friendly missives, urgent notices, or enticing offers. But beneath the surface lies treachery.
  2. Phishing: The Cunning Deception:
    • Phishing is like a shape-shifting sorcerer. It masquerades as a trusted entity—a colleague, a bank, or even a mythical prince seeking your aid.
    • The bait? A seemingly innocent link or attachment. Click it, and you unwittingly open the castle gates.
  3. The Art of Suspicion:
    • Train your eyes to spot the signs. Is the email unexpected? Does it create urgency? Does it ask for sensitive information?
    • Beware of misspelled domains, odd sender addresses, and requests for passwords or financial details.
  4. Reporting: Your Noble Duty:
    • When you encounter a suspect email, don your armor of responsibility. Report it promptly to your castle’s cybersecurity guardians (usually the IT team).
    • They will investigate, trace the dark magic, and thwart the threat. Your vigilance could save the kingdom!
  5. Collective Defense:
    • Remember, the human firewall is not a solo act. It’s an ensemble—a symphony of cautious clicks and wary glances.
    • By reporting, you protect not only yourself but also your fellow knights and jesters. Together, you form an unbreakable chain.

Reporting Suspect Phishing Emails: A Heroic Quest

Now, let’s embark on a quest. Imagine you receive an email from “PrinceNigerianScam@notascam.com.” The subject line reads, “Urgent: Inheritance Awaiteth!” The prince claims you’re the long-lost heir to a fortune. All you need to do is send your bank details.
  1. The Call to Action:
    • Pause. Breathe. Channel your inner hero. You suspect foul play.
    • Click not the link! Instead, wield your mouse and report the email.
  2. The Reporting Ritual:
    • Seek the “Report Phishing” button (it’s usually a shield or a flag). Click it.
    • Describe the email’s malevolence: “Suspicious sender, dubious inheritance, smells fishier than a mermaid’s lunch.”
  3. The IT Wizards:
    • Your report flies to the IT wizards. They decipher its runes, analyze its hexes.
    • If it’s indeed a phish, they cast counterspells—blocking the sender, fortifying the castle.
  4. Your Legacy:
    • You’ve done it! You’ve thwarted the sorcery. Your coworkers cheer, “Huzzah!”
    • Your legacy? A safer castle, a stronger human firewall.

Remember, dear knight of the digital realm, your vigilance matters. Each reported email strengthens the castle walls, shields the treasury, and keeps the dragons at bay. So, raise your virtual sword, and may your inbox be forever free of phishing spells!

Credential Stuffing

I know that you must get quite tired of hearing about your password. We tell you to keep it strong, use multi-factor authentication, blah blah blah…

We often hear the same kinds of responses back: “But it is just my email… I have nothing of interest in there.” Yes, we know… and we sympathize. In the end we are just trying to help you. I have had other posts about the significance of strong passwords, and I have talked about password lockers/services.

Let’s talk about a different direction: credential stuffing. Now, I am going to admit that the phrase was one that I had seen, but never looked into. As you can imagine, in my role I encounter a ton of new terms and phrases and often do not have the time to keep up on them all. I will try to do a better job of selecting one and sharing it with you so that you can get nuggets of skills along the way with me.

When we have talked about passwords in the past, I have mentioned that when companies’ networks get breached and data is stolen, sometimes that data is our personal data, but sometimes it is our usernames and passwords.

Since we on the whole (myself included but I am getting it fixed) are horrible for password reuse, this makes credential stuffing a danger.

So Mr. Blackhat gets their hands on a data dump, and they then build a spreadsheet with your email address(es) and the password(s) that you have been known to use. Since the majority of the United States banks with one of a few national banks, they start testing to see if they can log in. If they can… great!

Fortunately, banks are getting smarter and are pushing us all to more secure login methods. If your bank is behind the times, AND you use one password all over the internet, you may well become a victim.

I wish I could tell you how many times I have seen “my [social media account] got hacked”. They were probably not hacked at all. They likely either fell for a credential harvester scam, or… were reusing their social media account password on other services that were compromised.

This brings us back to the common plea of the cybersecurity professionals. Please, PLEASE, use strong and unique passwords and, when you are able to, enable multi-factor logins. Yes, it is that important, unless you feel that donating your funds to who knows what country is a suitable form of charity work, one that you cannot even deduct from your taxes.
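From the defender’s chair, a stuffing run has a distinctive shape: one source trying many different accounts, each once or twice, with a low but non-zero hit rate, so per-account lockout never trips. As an added example (not code from the original post), this small detector walks constructed authentication log lines in an assumed `ip=… user=… result=…` format, flags sources with that spread, and lists the accounts that did let them in, which are exactly the password reusers who need a forced reset.

```python
"""Spot a credential-stuffing source in authentication logs (added example)."""
from collections import defaultdict
import re

# Assumed, constructed log format; adapt the pattern to your own auth logs.
LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (ts, ip, user, result) tuples; silently skip lines that don't match."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user"), m.group("result")


def find_stuffing_sources(lines, min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that tried at least min_users distinct
    accounts and succeeded on at most max_success_ratio of their attempts.
    A legitimate user retyping their own password touches one account, so the
    distinct-user count, not the failure count, is what separates the two."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for _ts, ip, user, result in parse(lines):
        s = by_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "ok":
            s["ok_users"].add(user)
    flagged = {}
    for ip, s in by_ip.items():
        ratio = len(s["ok_users"]) / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                # Accounts the stuffer got into: reused, leaked passwords.
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


# Constructed log excerpt (TEST-NET addresses). 203.0.113.7 sprays ten leaked
# pairs and lands two; 198.51.100.2 is a normal user who mistyped once.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail"
    for i in range(8)
] + [
    "2024-05-01T10:00:08Z ip=203.0.113.7 user=dave result=ok",
    "2024-05-01T10:00:09Z ip=203.0.113.7 user=erin result=ok",
    "2024-05-01T10:05:00Z ip=198.51.100.2 user=frank result=fail",
    "2024-05-01T10:05:04Z ip=198.51.100.2 user=frank result=ok",
]

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {summary['attempts']} attempts over "
              f"{summary['distinct_users']} accounts; force reset for "
              f"{', '.join(summary['compromised'])}")
```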

Why is it dangerous to click on a random QR code?

Scanning a QR code itself is not inherently dangerous. QR codes are widely used for various purposes, such as providing information, accessing websites, making payments, and more. However, there are certain risks associated with scanning QR codes that can make them potentially dangerous if caution is not exercised. Here are a few reasons why scanning a QR code can be risky:

Malicious codes: QR codes can be designed to contain malicious content, such as links to phishing websites, malware, or other harmful exploits. Scanning such a QR code can lead to your device being compromised, personal data being stolen, or unauthorized access to your accounts.

Fake QR codes: In some cases, attackers can create counterfeit QR codes and place them in public spaces, on advertisements, or even on legitimate products. These fake QR codes can be used to redirect users to malicious websites or trick them into providing sensitive information.

URL masking: QR codes can hide the actual destination URL of a website or an application. Scammers can exploit this by creating QR codes that appear to be harmless but actually lead to malicious websites. This can be used for phishing attacks, where users are tricked into entering their login credentials or other personal information on a fake website.

Malware-infected apps: Scanning a QR code might prompt you to download a mobile application. It is essential to be cautious about the source of the app, as it could potentially be infected with malware or have malicious intentions. Unauthorized app downloads can compromise your device’s security and privacy.

To protect yourself while scanning QR codes, consider the following precautions:

Verify the source: Ensure that you trust the source of the QR code before scanning it. Be cautious with codes in public places and advertisements.

Use a reputable scanner: Install a reliable QR code scanner from a trusted source. These scanners often have built-in security features that can detect and warn about potentially malicious codes.

Examine the URL: Before visiting, take a close look at the URL displayed after scanning the code. If it seems suspicious or different from what you expected, it’s better to avoid visiting the website.

Be wary of requests for personal information: Avoid entering personal or sensitive information on websites or applications accessed via QR codes unless you are certain about their authenticity and security.

By being vigilant and exercising caution, you can minimize the risks associated with scanning QR codes.

OSINT and leveraging the internet to your favor

More than likely even if you do not know the term OSINT, you have used it. If you have dated modern women, it has likely been used against you.

OSINT is open source intelligence. Have you ever “Googled” someone or yourself? Then you have used OSINT. Open source intelligence is using any publicly available information to gather information about a person or organization.

The reason for your search will determine what tools are best for you. Sometimes it is any number of search engines like Google, Dogpile, Bing, Duckduckgo, etc.

When my daughter started dating, she cautioned at least some of the guys that they would be background checked. Now some parents may pay for these name check sites, but my wife and I have learned to use OSINT and do the digging for free. I was able to find stuff that one of the guys did not even know existed (or wouldn’t fess up to, as he was a crap fest). Once you have gathered your notes from the basic web searches, you can start in with the local civil and criminal courts. I am in Washington State, where we have some good searchable resources open to us. Check your area to see what you have access to. Use your own name to see what can be found (without being in law enforcement). You can piece together a fair idea of their character. Are they a felon? Perhaps a sex offender, or just a ton of civil cases for not paying bills, etc. You could find bankruptcies, evictions, or simple disputes. Some of these results will require a trip to the courthouse to get more details that are all in the public record. Leaving home may not be technically OSINT, as you may have to pay for access to the data.

As you start your adventure into OSINT, I hope that you bookmark the best sites that you find. As you practice, you will go back to those favorite sites and become better with your search patterns. Before you know it, you will be a world class information excavator. (see also, the skills of a suspicious wife/girlfriend)

Remote Access Scams

It always takes me by surprise when I hear of friends and acquaintances who have permitted email contacts or phone callers to have remote access to their systems.

We spend a great deal of effort to safeguard our networks and systems. We protect against hackers, malware, etc., but then pay bad actors to log into our systems and give them a master key. Why?!?

The premise is often that “Microsoft” or some other well-known name has detected an issue with your system. One of the reasons that I have had hopeful scammers use on me was that there was a DNS issue on my computer that they needed to fix. They only wanted $320 (or something close to that) to log in and repair the damages. With the experience that I have, I give them a fun run-around. I was surprised to learn that my wife was doing the same thing when they would call her. The best part is that she would play the dumb wife card while doing it. I wish I could do that… We would run them all over the place as they tried to walk us to where we would allow remote access, only to have my wife or I tell them that we were not running Windows. My wife would claim we run CentOS, or I would pick an obscure OS of the day. Sometimes it was FORTH, other days it might be FORTRAN, perhaps it was Pascal. I would call them back and burn as much time as I could so that they could not hound someone less skilled. I have been told that I was no longer allowed to call them. That was fun.

Bottom line, these people are trying to take multiple swings at you. The first swing is to get you to pay them for their “service”; then later they would access your system and get whatever information they could to attempt access to your bank or other services. They could also install any number of malware packages on your machine to make it a willing slave to their needs at any time of the day.

Do not… ever grant remote access to your machine unless you are the one initiating it, or you are working with a known entity such as your employer’s helpdesk.