PC Pro

Davey supplies Facebook tips that are so good you’ll want to friend him, plus details of the “virtual kidnapping” threat that could be coming to the UK.


- davey@happygeek.com

Many thanks to my old friend and veteran tech journalist Rupert Goodwins for this useful Facebook tip I’m kicking off with this month: if you start FB with facebook.com/?sk=h_chr, it always shows you the most recent posts first. Far more polite than picking options out of a hidden hat in terms of what you want to see every day – which is how the Facebook UI seems to work.

Talking of Facebook usability tips, here’s another one. Admittedly, it’s an old one, but something that still seems to catch out many otherwise tech-savvy folk. If you get a message from someone outside of your social circle, Facebook will chuck it into what it now calls the Message Requests folder. The thing is, Facebook doesn’t bother to tell you it’s done so.

I’m amazed by the number of folk who discover they have a swathe of messages dating back months in there, all unseen. From wherever you are on Facebook, click the messages icon and you’ll get dumped into the Recents folder. The Message Requests folder can be seen sitting to the right of this. Be sure to hit the “See filtered requests” link at the bottom of the list – although much of what’s in here is spam, other stuff gets through as well.

While on the subject of Facebook messages, anyone using the Facebook Messenger app will probably agree that this monstrosity of development idiocy should be renamed Facebook Mess. Not only is this Snapchat wannabe sluggish and bloated, it soaks up resources like SpongeBob without his trousers on.

There’s a better way: Messenger Lite. It isn’t actually a new development, at least for those outside of the UK and US – it’s been available for the best part of a year in markets where low-bandwidth connectivity is the norm. It isn’t available for iOS users as I write, but those running Android should download it from the Play Store and delete Facebook Mess at once.

Slightly more seriously, note that there’s no end-to-end encryption option in Messenger Lite. However, that’s no great loss: anyone who’s serious about messaging security and privacy should surely be using Signal by now.

Those are the why-nots; the “fors” are pretty clear-cut. No bloat, no games, no “chat heads” nonsense, no video chat, no leeching of your smartphone resources, and all in a much smaller package. Indeed, the Lite app only requires a tenth of the storage space of the fully bloated one, and my usage monitoring suggests it demands less of your battery.

If you’re only interested in receiving and sending text messages – what a messaging app should be for, after all – then Lite is for you. Okay, so you can still do the calls-over-Wi-Fi thing and send emoticons – if you must – and photos, but without the resource overhead. Oh, and if you’re using the Lite app, to find the Message Requests folder mentioned above, hit the messages icon and then the Profile one from the page that opens. The message requests option is third on the list.

I’m assuming that by now everyone will have poked around the security settings and opted to receive alerts about unrecognised logins (device and browser) that help you to spot an account compromise – and turned on two-factor authentication to help prevent any such compromises in the first place. What you might not have done – especially if you haven’t ventured into those settings for a while – is seen the encrypted notification emails option.

This adds another layer onto the Facebook account security onion by, as you might have guessed, encrypting all notification emails to prevent unauthorised persons from reading them. You’ll need an OpenPGP key to use this, but if you don’t already have one, there are any number of options depending upon your email client of choice.

For example, if you use a browser-based client for Chrome or Firefox then Mailvelope (mailvelope.com) integrates nicely with Gmail. Even if you don’t want to use the browser extension, installing it to generate your PGP keys is a particularly painless route to success. Once you’ve entered your public PGP key, your account-recovery notification emails will be encrypted, making it rather hard for anyone to scam their way into your Facebook, even if they have compromised your email account.

A week in the Valley

I recently found myself spending a week in Silicon Valley with Steve Cassidy and a select bunch of analysts and journalists from across the planet.

The occasion was NetEvents Global 2017, where said analysts and journalists come together with vendors in a less formal than usual setting. Sure, the typical round of keynote presentations still take place each morning, but it’s the afternoon roundtable sessions and evening socialising where the real networking is done. Oh, and in the lobbies when you pop out for a bathroom break during a less interesting presentation.

The latter is how I found myself being pulled to one side for a chat with Michael Levin – CEO of the Center For Information Security Awareness (CFISA.org). He also happens to be the former deputy director of the National Cyber Security Division of the US Department of Homeland Security, and before that chief of the US Secret Service Electronic Crimes Task Force in Washington DC. To complete his three-letter agency credentials, he also served time with both the CIA and NSA as the Secret Service intelligence liaison officer.

That he should seek me out as someone who he had to talk to was both concerning and ego-boosting in equal measure. Thankfully, none of my “security research” was on the agenda. Instead, we had a pleasant chat about the state of the threat landscape and, in particular, how it’s shaping up on the social engineering front.

During this conversation I was surprised to learn that one specific threat is on the up in the US, one that we’ve heard little about over here. It serves to remind that maybe we should be taking more care over such things as location tracking, and the nature of our social circles and who we invite into them. And what was this threat? Virtual kidnapping.

The gang behind the scam will do plenty of homework before launching the attack. This will involve getting all the information they can from social media accounts regarding both you and your movements, plus those of your loved ones. Where possible, the threat recon includes compromising the smartphone or laptop of the target. This makes it possible to hack into the GPS on a smartphone, for example.

Once set, the attack is launched with a phone call claiming to have kidnapped your loved one, complete with a woman or child in the background pleading for your help. The “kidnappers” will know the daily routine of the supposed hostage, what they wear (or at least what they have worn in photographs on Facebook or Instagram), and from where they have been taken. They’ll also know the location of the person they’re calling, and use this information to make it seem like they’re watching. All of which is meant to induce panic.

Panic, by definition, sees rational thought left on the shelf, so the gang can demand a ransom to be paid online or at a local Western Union money transfer outlet; and even direct you to it as they know where you are.

According to Michael, the scam is most often operated by Mexican gangs, having started in that location to fleece American tourists of money. It has spread online using social networks to expand the victim pool. Michael says that travelling to either Mexico or Puerto Rico can increase your chances of being exposed to such an attack on returning home.

If you think it all sounds far-fetched, think again. It’s amazing how the human psyche responds when caught off-guard and placed under pressure to make quick decisions. One woman is currently on trial in the US charged with “conspiracy to commit wire fraud” and “conspiracy to launder money”, having apparently collected ransoms of more than £20,000 from victims of such a scam. She couldn’t be charged with kidnapping – no-one had actually been kidnapped, after all – but is facing substantial jail time if found guilty. You won’t be surprised to discover that the gang in Mexico she’s said to have been collaborating with isn’t yet in court facing trial.

I mention all this because, despite not being a thing in the UK as far as I’m aware, there should be a “yet” appended to that statement. It’s the reason us security types bang on so much about privacy issues, about understanding the risk of revealing all online to anyone who might be reading, and of including devices such as smartphones in your personal and business security posturing.

And the award goes to...

Before heading off to San Jose, I was asked to be a judge in the cybersecurity categories for NetEvents’ annual “IoT, Cloud & Cybersecurity Innovation Awards” that would be taking place during the event. Bearing in mind that a keyword here was “innovation”, my vote in the “Innovation Leader” category went to the well-established but undeniably innovative Darktrace. A decision I made based upon the company using unsupervised machine-learning methodologies to “shine a secure light” into shadowy parts of a network, revealing threats that were even unknown to it.

It appears I wasn’t alone in this line of thinking: Darktrace picked up the award. And so did my pick for the “Hot Start Up” category. In fairness, I was only able to vote Javelin Networks into a head-to-head that took place before the awards ceremony in an on-stage version of Shark Tank (think Dragon’s Den US-style). What I like about Javelin is that it attacks network intrusion from a very specific angle: that of protecting the Active Directory.

As Steve mentioned in his column last month, Javelin came about after some former OFEK (the Israeli Air Force elite computing unit) and Israeli intelligence corps red team operatives retired from service.

A red team, so-called from “capture the flag” exercises, differs from a standard penetration testing outfit in that it will do all the things an attacker might do to infiltrate a target at any cost; it won’t be limited to uncovering vulnerabilities (unpatched systems, for example) and exploiting them to prove they’re not false positives. The red team doesn’t care about uncovering vulnerabilities, just exploiting a network and then accessing and exfiltrating sensitive data as quietly as possible.

The people behind Javelin found that often the route they used to get into a network was by targeting the Active Directory. It’s the approach Javelin takes that interested me most: by employing what is essentially security by obfuscation (smoke and mirrors) but updated for the modern era. Using AI-based methodology, the AD image seen by an attacker not only includes all the real data, but also a bunch of false flags – none of which can be detected as such.

An attacker is revealed by their interactions with these false flags, making reconnaissance and lateral movement all but impossible without detection. Once detected, the attacker is contained, and lateral movement prevented – all in real-time. I say “all but impossible” as nothing can ever be 100% secure, but Javelin has managed to detect 99.34% of attackers on its very first move.

And finally…

When will organisations that really should know better actually start knowing better? I needed to grab a Now TV day pass to watch the Leicester Tigers game against Castres, and found that when creating an account, the password is restricted to letters and numbers only. How stupid is it to restrict the use of special characters, which serve to seriously strengthen account credential posture? Sky TV, which owns Now TV, needs to do far better.

ABOVE Michael Levin reveals that virtual kidnapping is on the rise in the US – and is likely to make its way across the pond
BELOW Darktrace uses machine learning to keep us safe online
@happygeek Davey is an award-winning journalist and consultant specialising in privacy and security issues
BELOW Encrypting your account password reset notification emails adds a useful additional security layer to Facebook
ABOVE Easy PGP encryption for webmail clients, and an easy route to creating PGP keys
