Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “what are 'three quick things' that someone can do to protect themselves from cybercrime?” It was such a simple question, but it really caught me off guard. How could I hesitate on this? I had just spoken about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool, but as I looked back, the three tips I gave weren't the best. It wasn't that I didn't know the answer; in fact, it was the complete opposite: I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points, the quick and immediate “musts” of your topic.

Since that time, whenever I go speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy during a regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.

Most small businesses, say fewer than 100 employees, do not have a dedicated employee for IT services, let alone security. Most of the time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contract services, but for most, security is a wing and a prayer.

“What are some things I can do to keep my business secure?” is the most frequent question I get asked by these small business owners.

Three Quick Things:

Read more...

I was recently involved in a conversation with colleagues where we marveled over the abundance of suitable victims that perpetuates cyber-criminality. Police agencies around the country receive daily calls from people who wish to self-report their technology-enabled victimization. I am careful not to engage in victim shaming, but the majority of these reports leave investigators speechless. Literally, head shaking and speechless.

Our conversation begged the question: Why do we even show up to work anymore? We could be sitting on a sunny beach, drinking piña coladas, and running Craigslist frauds from our prepaid cellphones!

The conversation was obviously in jest, but the underlying questions have stuck with me. Internet-facilitated crimes are fairly easy to conduct, remain relatively low risk, and are very profitable. So what keeps those of us who understand the methods and mechanics of cyber-fraud from committing them ourselves? There are thousands of law enforcement and private security practitioners all around the world who have a deep understanding of how and why these fraud techniques work. They know the capabilities of law enforcement and are aware of what gets investigated and what does not. And yet, they continue to show up every day to fight the good fight and never engage in any criminality, even when crime is the easier and much more profitable choice.

Why?

Read more...

In October of 2020, the Treasury Department issued a warning to domestic financial institutions that facilitating ransom payments on behalf of ransomware victims could be an Office of Foreign Assets Control (OFAC) violation. The warning noted that many ransomware attackers are seated in jurisdictions covered by OFAC sanctions programs. These include North Korea, Iran, Syria, and the Crimea region of Ukraine, as well as designated actors in Russia. Shortly after that warning was issued I published an article titled “Ransom and Rats” where I explained why law enforcement strongly discourages ransom payments. Paying the ransom perpetuates and broadens the crime by rewarding the bad guys for their criminal conduct. I likened the ransomware actors to the rats used by psychologist B.F. Skinner. If every time the rat hits the bar it gets food, then it is going to keep hitting the bar. If ransomware actors continue to get paid, they are going to keep spreading ransomware!

Of the classical criminological theories that can be applied to cyber-enabled crime, Rational Choice Theory fits perfectly when applied to ransomware actors. The theory holds that people are free to choose their behavior and make these choices based on the avoidance of pain and the pursuit of pleasure. People choose to commit crime because it is in some way rewarding, either mentally, physically, or financially. Offenders will commit a crime when it is fun, satisfying, easy, and financially rewarding. Crime is discouraged through the fear of punishment. If offenders believe they will be identified, captured, and punished, they are less likely to engage in a given criminal activity. People weigh the costs against the benefits when deciding whether to commit a crime and act accordingly in their own best interest. They make a rational choice.

This is the basis of the current ransomware epidemic. Ransomware attacks are easy to carry out, there is a low likelihood of identification or capture, and they are profitable. If you have no moral convictions prohibiting you from engaging in criminal activity, there is no reason not to give ransomware a try. It is a rational choice.

Did I mention that ransomware attacks are profitable?

Read more...

A week ago, Microsoft pushed an update to my Windows machine rendering it unusable. Absolutely corrupted! Look down to the previous post or click HERE to read a bit more about that.

I had been playing around with the Pop!_OS Linux distribution for a while and decided to make it my main operating system (or die trying). Here are some thoughts and observations after being 'All in on Pop' for the past week.

Pop!_OS (20.10) as run on a Lenovo Thinkpad X1 Carbon (5th generation).

I once heard someone explain that the reason Microsoft does not make the Office suite for Linux is that there would then be no reason to use Windows. This is probably more true than Microsoft would like to admit. The most challenging part of switching from Windows to Linux is the translation of office documents, including Word, Excel, and PowerPoint slide shows, to a format compatible with an available Linux application. This is especially daunting for those of us who live in the world of government, where Word docs and PowerPoint are the common languages. Tell someone at a police department you are sending them a file in Open Document Format and they’ll be lost for three days.

Read more...

I could have alternatively titled this piece “In with two feet”, or “My hand was played”, or “Windows Sucks so now I'm 100% Linux”.

Microsoft Windows pushed an update to the machine Friday morning that rendered it useless. I'm assuming the update was supposed to make the computer run better, maybe more securely, but it just left it with a blank black screen. I spent about four hours doing everything the IT Help Desk experts of the Internet said I should, but nothing worked. I could “Ctrl/Alt/Del” into the control panel but nothing from there. It wouldn't even boot into safe mode. Seriously dead.

I have a somewhat robust backup strategy, so I had (almost) all of my content saved somewhere else. I lost some text docs I had saved to the desktop and some PDFs I had recently downloaded, but nothing irreplaceable. The true loss is the workflow: the software, the utilities, the folder structure, and the working environment you have spent the past three years perfecting. If anyone from Microsoft reads this: Time Machine, please. System restore points are awesome until you can't access them.

Read more...

We have reached the point where it is unsettling to lose connection to the Internet. It is like the teenage version of FOMO (Fear of Missing Out), but at a more primal level: FOBU, Fear of Being Unconnected. The loss of connectedness to others and the inability to instantly access information is an unfamiliar mental stumbling block that results in an uncomfortable feeling of worry.

We are experiencing a prolonged Internet outage at my workplace. I can do work without the Internet, but losing connection to all cloud-based services and network communications is a huge blow to productivity. And working inside the farthest reaches of a concrete block building renders a cellular-connected device no more than a digital photo frame. The downtime has given me a moment to pause and consider our connection to the connection.

This is more of an indictment of modern police investigations. In the past, policing existed completely outside of modern technology, except maybe the automobile and high-band frequency radio. A police detective would be notified of a crime and then physically go out into the community to learn more information. This involved actual face-to-face conversations with community members. Information databases were paper-based, or a stand-alone computer not connected to any other sources. Investigators were required to visit people at their homes, their businesses, their schools, or places of entertainment. Research was done by going to the library or courthouse. Court proceedings were done in a physical courtroom.

Read more...

Domain registrar and web hosting company GoDaddy recently raised eyebrows and the collective ire of Reddit over an email phishing test it conducted on its employees. The company sent an email to employees promising a cash bonus, in the spirit of Christmas, to ease the economic burdens they face due to the COVID-19 pandemic. The email included a link to a registration form that collected employee information under the guise of confirming employee status and “ensuring everyone gets the bonus”. Employees who completed the form didn’t receive a cash bonus but a notice of required security refresher training.

News of the test sent the technology reporter pool into a tizzy and brought the collective ire of self-righteous Internet forum warriors. Some of the criticism was pointed and legitimate. Poor topic? Yes. Poor timing? Yes. Entrapment? Maybe. GoDaddy should have recognized the sensitive content and poor timing of its delivery. The betrayal felt by employees is understandable.

Ok, but you still clicked the link. You could have compromised the entire network and therefore the integrity of the company! GoDaddy played dirty pool, but so do the bad guys. Do you think a Russian crime group dedicated to compromising the computer network of your company ever has moments of self-reflection where they say “Wow, this is just going too far. We need to let this pass”? Do you think they have an open-door policy or a corporate ethics officer? Hell no they don’t. They are criminals. Betraying your emotions and stealing your candy is their job, and they will stop at absolutely nothing to ensure success.

Those involved in the debate fall into two camps: security and non-security.

Read more...

Bitcoin is surging, with the price breaking the $28,000 price point this week. By all accounts, it will continue to rise through the new year. An Internet search yields dozens of explanations for this meteoric price increase, but one of them, and probably the true reason, is rarely discussed. The current price of Bitcoin is being driven not only by speculation but by crime.

Legitimate investors are purchasing Bitcoin for much the same reason you place your money in any investment instrument. You hope to sell your holdings at a price much higher than you paid for them, thereby yielding a profit. Whether corporate stocks, artwork, real estate, or Pokémon cards, you hope to turn your money into more money as the property you hold becomes more valuable over time. Digital currency is no different. People are purchasing Bitcoin in the hope of selling it at a later date for a much higher price than they paid for it.

The steep rise in the Bitcoin price over the past few months has drawn the attention of the media. As people learn about the price increase, they decide to enter the game and try to ride the rising tide to profitability. As more and more people buy, the price continues to rise. As the price rises, so does the media attention, which brings more people into the game. It is a perfect example of the snowball effect.

But the real question should be: what spurred the initial increase in price from its 2020 low of $4,900 in March?

Read more...

In 2016, Dr. Zinaida Benenson of Friedrich-Alexander University (Bavaria, Germany) conducted a study to measure the rate at which students would click links in messages received from unknown senders. Of course they clicked the links. There is little value in that finding. The true value of the study is the reason why they clicked the links.

Dr. Benenson’s study involved 1,700 university students. They were interviewed to learn their self-assessed security awareness and understanding of phishing attacks. 78% of the students expressed an understanding of the dangers of clicking a link received from an unknown sender.

The students were later sent emails and messages through Facebook from sender names they would certainly not know, since the accounts were fictitious. The messages referenced a New Year’s Eve party, and the link allegedly went to an online album of photos taken during the party.

Read more...

I publish a weekly newsletter through Substack. It is a curated list of the best things I've read each week concerning cyber-financial crime, security, and financial industry threat intelligence.

A new issue is published every Tuesday.

Give it a look and sign up to have it delivered directly to your inbox!

Threats Without Borders