kw: book reviews, nonfiction, hacking, spies, hackers, cybercrime, deepfakes, home security
A truly successful cybercriminal must have excellent social skills. The popular idea of a "hacker" as a guy in a basement wearing a hoodie and somehow breaking into computer accounts is fiction. The easiest way to get the user credentials needed to get into a computer system is to purchase them on the dark web. The second easiest way is to make a phone call and persuade someone to tell you; that is often easier than you might imagine. But social skills are essential.
As former spy hunter Eric O'Neill tells us in Spies, Lies, and Cybercrime: Cybersecurity Tactics to Outsmart Hackers and Disarm Scammers, the third best way to steal credentials (typically, user name and password) is to exploit weaknesses in an operating system, taking advantage of them before security software is updated to "patch" the weak place. He tells us of one or two such weaknesses, mostly because they don't work well any more. Until a few years ago, forcing a buffer overflow was a common tactic; it faded once security programs were re-coded to limit the number of characters accepted as a user ID or password.
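The mitigation the paragraph describes, a hard limit on how many characters a login routine will accept into a fixed-size buffer, as an added example in C that is neither the book's nor the reviewer's code. The buffer sizes, the field-copy function, the login handler and the constructed inputs are all assumptions made for the illustration:

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the fixed login buffers (not taken from the book). */
#define USER_MAX 32
#define PASS_MAX 64

/* The classic defect is copying user input into a fixed buffer with no
 * length check (strcpy-style): a longer-than-expected name or password
 * keeps writing past the end of the buffer. This version scans no further
 * than the destination size and refuses anything that would not fit
 * together with its terminating NUL. Returns 0 on success, -1 if rejected. */
int copy_field_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize) {          /* input is dstsize chars or longer */
        dst[0] = '\0';           /* leave a defined, empty field */
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n chars plus NUL, all inside dst */
    return 0;
}

/* Simulated login handler: each field lands in its own fixed buffer.
 * Returns 0 if both fit, -1 if the user name was rejected, -2 if the
 * password was, so the caller can log the rejection instead of crashing. */
int accept_credentials(const char *user_in, const char *pass_in)
{
    char user[USER_MAX];
    char pass[PASS_MAX];
    if (copy_field_bounded(user, sizeof user, user_in) != 0)
        return -1;
    if (copy_field_bounded(pass, sizeof pass, pass_in) != 0)
        return -2;
    return 0;
}

/* Builds a constructed user name of `len` copies of 'A' and reports what
 * accept_credentials makes of it, so the boundary can be checked directly. */
int try_username_of_length(size_t len)
{
    char input[1024];
    if (len >= sizeof input)
        return -99;              /* outside what this demo constructs */
    memset(input, 'A', len);
    input[len] = '\0';
    return accept_credentials(input, "correct horse battery");
}

int main(void)
{
    size_t lens[] = { 5, USER_MAX - 1, USER_MAX, 400 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("user name of %zu chars -> %d\n", lens[i],
               try_username_of_length(lens[i]));
    return 0;
}
```

The point of the bounded copy is that the rejection happens before any write, and the scan itself never reads past the destination size, so an oversized field becomes a logged error rather than memory corruption. A 400-character "user name" is refused exactly like a 32-character one; only inputs that fit with their terminator are copied.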
But here's where things get scarier. HNDL means "harvest now, decrypt later". Getting into a system is one thing; being able to do something useful (to you) with the data files it contains is another. I don't know how many household computers enable encryption of their hard drives; probably very few. But wise business leaders have their IT team encrypt all data. Then someone who breaks in cannot read anything. Crooks have learned to simply copy everything and store it, awaiting the development of more powerful decryption technology, including quantum decryption, that may be able to tackle it in the future. Storage is getting incredibly cheap: hard drives as large as 36 TB are available, and depending on disk capacity, the cost is in the range of $30 to $60 per TB.
The author trains us using two useful mnemonics, one related to intruder techniques, the other to defenses. Firstly, DI²CED (I suppose it is "diced" as in "sliced and diced", a hacker's goal). The keywords are Deception, Impersonation, Infiltration, Confidence, Exploitation, and Destruction. These are like the layers in an onion, each depending on the prior ones. Perhaps that is why a common domain suffix in the dark web is ".onion".
Each chapter ends with a series of tips labeled "Think Like a Spy." This is because cybercriminals, just like the confidence artists (con men) of the past, use spycraft techniques. We need to know how a spy thinks to have a chance to avoid the lures and traps that spies use on us. The book is filled with examples, including a near-miss the author experienced and an extended example showing what was needed for a nonprofit corporation he and others worked for/with to recover from a ransomware attack.
The defensive mnemonic is PAID: Prepare, Assess, Investigate, and Decide. Making Preparations beforehand, getting policies in place, is like buying fire extinguishers for your home. A fire may never break out, but if one does, the low price you paid for the extinguishers is a tiny fraction of the damage a fire will do if you have to abandon the house to the flames (note: this is my example, drawn from tidbits here and there in the book). If a smoke alarm goes off, or you see a frying pan catch fire, for example, Assessing the threat needs to take place in a few seconds. Having the extinguisher close at hand makes a big difference in how you Assess the threat. Even then, you may determine that the best action is to call 911 and get outside. For a large business that finds it is under attack, Assessing and then Investigating may need to go on for days or even weeks. In a beginning house fire, if you have extinguishers, Investigation consists of knowing where the nearest one is. Decision is then instant: put out the fire you see, then look for possible others (follow-up Investigation). For a business, Investigation may lead to the threat being seen as either greater or less than it first seemed. Plans that were Prepared beforehand lead to better Decisions.
In the case of the nonprofit, the organization was "rescued" by slow internet connections. The ransomware perpetrator claimed to have downloaded 3 TB of sensitive information. During Investigation, the security team, including the author, determined from system logs that the intrusion was limited in time, and at most 1 GB could have been exported. That's 1/3000th of what the criminal claimed—and that's a common tactic. Scare, scare, scare, and try to keep you from getting time to think. Still, a lot of work had to be done to patch up the security software and restore the systems from backups. Then the criminal could be told, "You got nothing. You get nothing. Go away." Most satisfying.
Other examples relate to personal security. Deepfaked voices and videos are becoming more common. I answered a phone call one day, to hear a cheerful voice say, "Hello, Grandpa." I hung up immediately. I don't yet have grandchildren old enough to use a phone. If a call like that occurs in 10-15 years, I'll need a different plan. Here, Preparing means to have a "family pass phrase" or even a "proof of life" exchange, such as the following:
Caller: "Grandpa, I need help."
Me: "Were you caught by the Jabberwock?"
Real grandchild: "No, it was the Bandersnatch."
But a fake grandkid? The caller will simply hang up, and if they don't, you hang up on them. The caller is probably some middle-aged guy with an AI-generated voice, cloned from the grandchild's social media posts (do I need to remind you that you shouldn't post family videos on Facebook or TikTok or X or ANYWHERE!!?)
Of course, if it really is your grandchild, the Assessment needs to include demanding the location, saying you will do nothing until you get there (you may need weapons; that is a different discussion).
The last ten pages of the book are a collection of lists of "ten tips" on various subjects covered in the text. This alone makes this a good reference book to keep on hand. I know I need to do so. From a first reading, all I can gather is some impressions, and a few tips and techniques like those above. I need to re-read some parts.
I was motivated to revise my scheme for creating passwords. Carrying it out will take a few days; I have a lot of accounts! I don't want to use a biometric passkey because I already know of two men who could probably fool a biometrics face-print; in both cases, the man and I have been mistaken for one another several times. How many others are there? I am not distinctive enough!
Get this book. Read it right through. Then go back more slowly over parts that pertain to your life. Keep it handy as a reference. It's well written, so reading it is pleasurable, if sometimes a bit scary.
Resources cribbed from the Tips section:
- Federal Trade Commission: https://reportfraud.ftc.gov/
- Identity Theft concerns: https://www.identitytheft.gov/
- Author's newsletter: https://ericoneill.net/newsletter/ (free subscription)