Thu, 29 Sep 2016
21st Century Scammers

A computer and network security journalist I often read was in the news last week when his web site was knocked offline by criminals using a "botnet". This was Brian Krebs' web site Krebs on Security (now up and running again).

A botnet ("robot network") is a large collection of compromised computing devices used to overload target computer systems and thus make them inaccessible to everyone i.e. they are unreachable. So many network requests are continually made that the web site cannot cope. These compromised systems could be computers, network routers or, increasingly, so called "internet of things" devices such as security cameras, home monitoring systems, printers, baby monitors and numerous other connected boxes. More and more things are connected which will lead to more and bigger security trouble: even all the way to National Security trouble if people can attack things like the power grid, transport or utilities.

A lot of computers and networking equipment, especially consumer devices, are shipped in a barely secure configuration; many are wide-open to attack. Even for people who know what they are doing, systems can be hard to secure or, in some cases, impossible. Computers are not easy to use and can be baffling and inconsistent. Yes, even Microsoft Windows 10 and Apple Mac OSX; to say nothing of whatever your internet router is running. Most people neither know or care what the "wifi box" runs, and never update it. Often the manufacturer never creates updates anyway, so security bugs sit unfixed. All these things are ripe to be made welcome into someone's botnet No one knows how to fix this mess.

As I read some commentary about the attack on Brian Krebs' web site (a "DDOS", Distributed Denial of Service), I saw a link to another article by Naoki Hiroshima on how he was scammed out of his twitter username. Having a twitter username "@N" made him a constant target for scammers trying to steal it, and eventually they did. They did this by taking over (stealing) his email address. The details are in his post :

How I Lost My $50,000 Twitter Username

One thing that stood out for me after reading his account was his recommendation regarding the use of your own domain for logins e.g. you@yourname.com. This is fine, as long as your domain is secure, because if it isn't and gets stolen, password resets for any of your web site logins are now in the hands of the thief. Using Google GMail or Yahoo Mail email addresses might be better because they are likely to be more secure. Hiroshima's email domain was stolen because the thief swindled his domain management over the telephone; Google or Yahoo would (hopefully) be harder here. They also allow the use of "two factor authentication", using a smartphone based code as well as a password.

So, for standard email messaging, no problem. But account logins? Perhaps worth reconsideration.