220 posts categorized "Scams & Threats" Feed

Learn To Spot Employment Scams So You Don't Get Tricked And Lose Money

Many consumers like work-at-home jobs. Fast broadband speeds have made work-at-home jobs attractive for consumers. Scammers and fraudsters find them attractive, too. Work-at-home scams are very profitable for online criminals. CBS News explained how one person lost $35,000 to an employment scam:

"Brad Helding wanted some extra work so he posted his resume on some job sites and soon got an email from a company calling itself Delta Express Couriers. The job? An offer to work from home as a "purchase clerk," buying electronics in large quantities, then shipping them to the company's clients, mostly overseas. The company told him since Montana has no sales tax, they'd save money running the purchases through him. The job paid over $72,000 per year... Helding said he did his research, checking the company's website... The company then sent him $2,000 so he bought iPhones at a Best Buy and shipped them off as instructed. He says for the next batch of purchases, the company told him to temporarily use his own credit card..."

Ultimately, Helding bought and shipped $35,000 worth of equipment. The $2,000 check from the company bounced. A credit card the company later provided was stolen and never valid. Now, Helding owes the $35,000 bill. Plenty of other consumers have been tricked by employment scams:

"He's one of thousands of Americans who fall for employment scams. Employment fraud tops the list of the riskiest scams targeting consumers in 2018, according to a new report by the Better Business Bureau (BBB)..."

Experts advise work-at-home candidates to know the warning signs of job scams, and to thoroughly research the company beyond its web site. Use reputable sources, like the BBB's Search Tool, online company directories (e.g., Dun & Bradstreet, Hoovers, Library of Congress). Visit the websites for the Attorney General (AG), or the Secretary of State (SOS), in the state where you live to further research the company.  In many states, the SOS is responsible for maintaining lists of licensed/registered persons and businesses.

If you don't have internet access, visit your local public library for more business directories. Demand a face-to-face meeting with the hiring manager. Visit the company's office location, if possible. Don't complete any application forms with sensitive personal information (e.g., name, address, Social Security number, tax ID numbers, bank account numbers, etc.) until after you've verified the company is legitimate.

The bounced check Helding experienced reminded me of the check scam, which is popular among criminals. Online criminals are crafty and persistent. Work-at-home candidates need to be crafty and persistent, too.


'Software Pirates' Stole Apple Tech To Distribute Hacked Mobile Apps To Consumers

Prior news reports highlighted the abuse of Apple's corporate digital certificates. Now, we learn that this abuse is more widespread than first thought. CNet reported:

"Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps... The altered versions of Spotify, Angry Birds, Pokemon Go and Minecraft make paid features available for free and remove in-app ads... The pirates appear to have figured out how to use digital certs to get around Apple's carefully policed App Store by saying the apps will be used only by their employees, when they're actually being distributed to everyone."

So, bad actors abuse technology intended for a company's employees to distribute apps directly to consumers. Software pirates, indeed.

To avoid paying for hacked apps, consumers need to shop wisely from trusted sites. A fix is underway. According to CNet:

"Apple will reportedly take steps to fight back by requiring all app makers to use its two-factor authentication protocol from the end of February, so logging into an Apple ID will require a password and code sent to a trusted Apple device."

Let's hope that fix is sufficient.


Welcome To The New, Terrifying World Of Fake Porn. Plenty Of Consequences And Implications

First, I'd  like to thank all of my readers -- existing and new ones. Some have shared insightful comments on blog posts. Second, the last post of 2018 features a topic we will probably hear plenty about during 2019: artificial intelligence (AI) technologies.

To learn more about AI and related issues, watch or read the AI episodes within the CXO Talk site. And, MediaPost discussed the deployment of of AI by retail stores:

"... retailers seem much more bullish on artificial intelligence, with 7% already using some form of AI in digital assistants or chatbots, and most (64%) planning to have implemented AI within the next three years, 21% of those within the next 12 months. The top reason for using AI in retail is personalization (42%), followed by pricing and promotions (31%), landing page optimization (15%) and fraud detection (21%)."

Like any other online (or offline) technology, AI can be used for good and for bad. The good guys and bad actors both have access to AI technologies. MotherBoard reported:

"There’s a video of Gal Gadot having sex with her stepbrother on the internet. But it’s not really Gadot’s body, and it’s barely her own face. It’s an approximation... The video was created with a machine learning algorithm, using easily accessible materials and open-source code that anyone with a working knowledge of deep learning algorithms could put together."

You may remember Gadot from the 2017 film, "Wonder Woman." Other actors have been victims, too. Where do bad actors get tools to make AI-assisted fake porn? The fake porn with Gadot was:

"... allegedly the work of one person—a Redditor who goes by the name 'deepfakes'—not a big special effects studio... deepfakes uses open-source machine learning tools like TensorFlow, which Google makes freely available to researchers, graduate students, and anyone with an interest in machine learning. Like the Adobe tool that can make people say anything, and the Face2Face algorithm that can swap a recorded video with real-time face tracking, this new type of fake porn shows that we're on the verge of living in a world where it's trivially easy to fabricate believable videos of people doing and saying things they never did... the software is based on multiple open-source libraries, like Keras with TensorFlow backend. To compile the celebrities’ faces, deepfakes said he used Google image search, stock photos, and YouTube videos..."

There is also an AI App for fake porn. Yikes! As bad as this seems, it is worse. According to The Washington Post:

"... an anonymous online community of creators has in recent months removed many of the hurdles for interested beginners, crafting how-to guides, offering tips and troubleshooting advice — and fulfilling fake-porn requests on their own. To simplify the task, deepfake creators often compile vast bundles of facial images, called “facesets,” and sex-scene videos of women they call “donor bodies.” Some creators use software to automatically extract a woman’s face from her videos and social-media posts. Others have experimented with voice-cloning software to generate potentially convincing audio..."

This is beyond bad. It is terrifying.

The implications: many. Video, including speeches can easily be faked. Fake porn can be used as a weapon to harass women and/or to discredit accusers of sexual abuse and/or battery. Today's fake porn could be tomorrow's fake videos and fake news to discredit others: politicians, business executives, government officials (e.g., judges, military officers, etc.), individuals in minority groups, or activists. This places a premium upon mainstream news outlets to provide reliable, trustworthy news. This places a premium upon fact-checking sites.

The consequences: several. Social media users must first understand that they have made themselves vulnerable to the threats. Parents have made both themselves and their children vulnerable, too. How? The photographs and videos you've already uploaded to Facebook, Instagram, dating apps, and other social sites are source content for bad actors. So, parents must not only teach teenagers how to read terms-of-condition and privacy polices, but also how to fact-check content to avoid being tricked by fake videos.

This means all online users must become skilled consumers of information and news = read several news sources, verify, and fact check items. Otherwise, you are likely to be fooled... duped into joining or contributing to a bogus cause... tricked into voting for someone you wouldn't. This means social media users must carefully consider your photographs before you post online; and whether the social app or service truly provides effective privacy.

It also means that all social media users should NOT retweet or re-post every sensational item you see in their inboxes without fact-checking it first. Otherwise, you are part of the problem. Be part of the solution.

Video advertisements can easily be faked. So, it is in the interest of consumers, companies, and government agencies to both find solutions and to upgrade online privacy and digital laws -- which seem to constantly lag behind new technologies. There probably needs to be stronger consequences for offenders.

The Brookings Institute advised:

"In order to maximize positive outcomes [from AI], organizations should hire ethicists who work with corporate decision-makers and software developers, have a code of AI ethics that lays out how various issues will be handled, organize an AI review board that regularly addresses corporate ethical questions, have AI audit trails that show how various coding decisions have been made, implement AI training programs so staff operationalizes ethical considerations in their daily work, and provide a means for remediation when AI solutions inflict harm or damages on people or organizations."

These recommendations seems to apply to social media sites, which are high-value targets for bad actors wanting to post fake porn or other fake videos. It raises the question: which social sites have AI ethics policies and/or have hired ethicists and related staff to enforce such policies?

To do nothing seem unwise. Sticking our collective heads in the sane regarding new threats seems unwise, too. What issues concern you about AI-assisted fake porn or fake videos? What solutions do you want?


Dirty Tricks By Some Sellers At Amazon To Eliminate Competitors. Is Its Resolution System The Best Amazon Can Do?

Amazon logo Many consumers like shopping at Amazon.com. What you may not realize are the dirty tricks and scams among some sellers -- the individuals and firms who provide the products you purchase at the site. The Verge reported:

"When you buy something on Amazon, the odds are, you aren’t buying it from Amazon at all... They are largely hidden from customers, but behind any item for sale, there could be dozens of sellers, all competing for your click. This year, Marketplace sales were almost double those of Amazon retail itself, according to Marketplace Pulse, making the seller platform alone the largest e-commerce business in the US... "

Reportedly, there are 6 million sellers in Amazon Marketplace. So, there's plenty of competition. The Verge article described one dirty track where a seller posted posted bogus 5-star reviews on a competitor's page within the site. When the bogus reviews were removed, the targeted seller was accused of falsely manipulating buyers' reviews -- a violation of the site's rules -- and suspended. The Verge described several attacks by scammers. Here's another:

"Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office... Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings... Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry..."

No online shopper wants to buy products from a seller who has fraudulently taken over a valid seller's trademarks.

Punishment is harsh for violators within Amazon Marketplace: suspension, monies frozen, de-listed from the site, and unable to sell products online. If the suspension lasts long enough or if reinstatement doesn't happen fast enough, bankruptcy can result. And all of this happens behind the scenes unbeknownst to customers:

"For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced... Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says... Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying. Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals... They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors."

So, rather than using the established, well-documented public courts and legal system, this happens secretly within a corporation's processes with some unintended consequences:

"... what’s a seller to do when they end up in Amazon court? They can turn to someone like Cynthia Stine, who is part of a growing industry of consultants who help sellers navigate the ruthless world of Marketplace and the byzantine rules by which Amazon governs it. They are like lawyers, only their legal code is the Amazon Terms of Service, their court is a secretive and semi-automated corporate bureaucracy..."

How byzantine? Consider:

"Many sellers can’t even figure out what Amazon is accusing them of. A suspension message will typically list an item along with a broad and tangentially related category of an infraction, like "used sold as new." Understandably, sellers respond by sending invoices that show that the items are, in fact, new. Actually, Stine says, the suspension usually has nothing to do with the item being used, but with something like a peeling label on the box. “The thing Amazon wants you to fix is the buyer perception,” Stine says... JC Hewitt, whose law firm frequently works with Amazon sellers, calls the system’s mandatory guilty pleas, arbitrary verdicts, and obscure language "a Kafkaesque bureaucracy with bad writing." Inscrutable rulings emerge as if from a black box. The Performance team, which handles suspensions, has no phone number; there’s no one to ask for clarification. The only way to interact with them is by filing an appeal, and when it’s rejected, sellers often have no idea why... The secrecy can be so frustrating that sellers have traveled to Seattle or Amazon’s London office to try to find a human, to no avail..."

Huh? What? I'll bet many Amazon customers don't know this. And the system seems to use a poor balance of automation and humans:

"... there were likely humans reading [a seller's] appeal, but they’re part of a highly automated bureaucracy, according to former Amazon employees. An algorithm flags sellers based on a range of metrics — customer complaints, number of returns, certain keywords used in reviews, and other, more mysterious variables — and passes them to Performance workers based in India, Costa Rica, and other locations. These workers choose between several prewritten blurbs to send to sellers. They may see what the actual problem is or the key item missing from an appeal, but they can’t be more specific than the forms allow... The Performance workers’ incentives favor rejection. They must process approximately one claim every four minutes, and reinstating someone who later gets suspended again counts against them..."

Is this the best system possible? Probably not. I hope not. My guess is many Amazon Prime customers would prefer a better system to resolve disputes between sellers. My guess is that most shoppers would want to avoid using sellers who abuse or frame other sellers. And no shoppers want to buy from a seller who has fraudulently taken over another seller's trademarks.

The situation raises several issues:

  • A private court system prevents amazon customers from knowing about and avoiding shopping at sellers who abuse or frame other sellers
  • A private court system prevents external reviews and/or oversight by independent parties
  • An algorithm-based system may save money, but a poor balance of humans and automation causes problems. Is this the best system possible?
  • Amazon determines what's in its customers' best interests (versus disclosure and then feedback from customers)
  • There seem to be few penalties for sellers who frame or setup other sellers. What fix is underway?
  • The current system smells like a bloated monopoly. With some transparency and input, a better system seems possible... preferred.

What are your opinions? What issues do you see? Is a private court system a good thing?


NPR Podcast: 'The Weaponization Of Social Media'

Any technology can be used for good, or for bad. Social media is no exception. A recent data breach study in Australia listed the vulnerabilities of social media. A study in 2016 found, "social media attractive to vulnerable narcissists."

How have social media sites and mobile apps been used as weapons? The podcast below features an interview of P.W. Singer and Emerson Brooking, authors of a new book, "LikeWar: The Weaponization of Social Media." The authors cite real-world examples of how social media sites and mobile apps have been used during conflicts and demonstrations around the globe -- and continue to be used.

A Kirkus book review stated:

"... Singer and Brooking sagely note the intensity of interpersonal squabbling online as a moral equivalent of actual combat, and they also discuss how "humans as a species are uniquely ill-equipped to handle both the instantaneity and the immensity of information that defines the social media age." The United States seems especially ill-suited, since in the Wild West of the internet, our libertarian tendencies have led us to resist what other nations have put in place, including public notices when external disinformation campaigns are uncovered and “legal action to limit the effect of poisonous super-spreaders.” Information literacy, by this account, becomes a “national security imperative,” one in which the U.S. is badly lagging..."

The new book "LikeWar" is available at several online bookstores, including Barnes and Noble, Powell's, and Amazon. Now, watch the podcast:


'Got Another Friend Request From You' Warnings Circulate On Facebook. What's The Deal?

Facebook logo Several people have posted on their Facebook News Feeds messages with warnings, such as:

"Please do not accept any new Friend requests from me"

And:

"Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!"

Maybe, you've seen one of these warnings. Some of my Facebook friends posted these warnings in their News Feed or in private messages via Messenger. What's happening? The fact-checking site Snopes explained:

"This message played on warnings about the phenomenon of Facebook “pirates” engaging in the “cloning” of Facebook accounts, a real (but much over-hyped) process by which scammers target existing Facebook users accounts by setting up new accounts with identical profile pictures and names, then sending out friend requests which appear to originate from those “cloned” users. Once those friend requests are accepted, the scammers can then spread messages which appear to originate from the targeted account, luring that person’s friends into propagating malware, falling for phishing schemes, or disclosing personal information that can be used for identity theft."

Hacked Versus Cloned Accounts

While everyone wants to warn their friends, it is important to do your homework first. Many Facebook users have confused "hacked" versus "cloned" accounts. A hack is when another person has stolen your password and used it to sign into your account to post fraudulent messages -- pretending to be you.

Snopes described above what a "cloned" account is... basically a second, unauthorized account. Sadly, there are plenty of online sources for scammers to obtain stolen photos and information to create cloned accounts. One source is the multitude of massive corporate data breaches: Equifax, Nationwide, Facebook, the RNC, Uber, and others. Another source are Facebook friends with sloppy security settings on their accounts: the "Public" setting is no security. That allows scammers to access your account via your friends' wide-open accounts lacking security.

It is important to know the differences between "hacked" and "cloned" accounts. Snopes advised:

"... there would be no utility to forwarding [the above] warning to any of your Facebook friends unless you had actually received a second friend request from one of them. Moreover, even if this warning were possibly real, the optimal approach would not be for the recipient to forward it willy-nilly to every single contact on their friends list... If you have reason to believe your Facebook account might have been “cloned,” you should try sending separate private messages to a few of your Facebook friends to check whether any of them had indeed recently received a duplicate friend request from you, as well as searching Facebook for accounts with names and profile pictures identical to yours. Should either method turn up a hit, use Facebook’s "report this profile" link to have the unauthorized account deactivated."

Cloned Accounts

If you received a (second) Friend Request from a person who you are already friends with on Facebook, then that suggests a cloned account. (Cloned accounts are not new. It's one of the disadvantages of social media.) Call your friend on the phone or speak with him/her in-person to: a) tell him/her you received a second Friend Request, and b) determine whether or not he/she really sent that second Friend Request. (Yes, online privacy takes some effort.) If he/she didn't send a second Friend Request, then you know what to do: report the unauthorized profile to Facebook, and then delete the second Friend Request. Don't accept it.

If he/she did send a second Friend Request, ask why. (Let's ignore the practice by some teens to set up multiple accounts; one for parents and a second for peers.) I've had friends -- adults -- forget their online passwords, and set up a second Facebook account -- a clumsy, confusing solution. Not everyone has good online skills. Your friend will tell you which account he/she uses and which account he/she wants you to connect to. Then, un-Friend the other account.

Hacked Accounts

All Facebook users should know how to determine if your Facebook account has been hacked. Online privacy takes effort. How to check:

  1. Sign into Facebook
  2. Select "Settings."
  3. Select "Security and Login."
  4. You will see a list of the locations where your account has been accessed. If one or more of the locations weren't you, then it's likely another person has stolen and used your password. Proceed to step #5.
  5. For each location that wasn't you, select "Not You" and then "Secure Account." Follow the online instructions displayed and change your password immediately.

I've performed this check after friends have (erroneously) informed me that my account was hacked. It wasn't.

Facebook Search and Privacy Settings

Those wanting to be proactive can search the Facebook site to find other persons using the same name. Simply, enter your name in the search mechanism. The results page lists other accounts with the same name. If you see another account using your identical profile photo (and/or other identical personal information and photos), then use Facebook's "report this profile" link to report the unauthorized account.

You can go one step further and warn your Facebook friends who have the "Public" security setting on their accounts. They may be unaware of the privacy risks, and once informed may change their security setting to "Friends Only." Hopefully, they will listen.

If they don't listen, you can suggest that he/she at a minimum change other privacy settings. Users control who can see their photos and list of friends on Facebook. To change the privacy setting, navigate to your Friends List page and select the edit icon. Then, select the "Edit Privacy" link. Next, change both privacy settings for, "Who can see your friends?" and "Who can see the people, Pages, and lists you follow?" to "Only Me." As a last resort, you can un-Friend the security neophyte, if he/she refuses to make any changes to their security settings.


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


Money Transfer Scams Target Both Businesses And Consumers

Money transfer scams, also called wire transfer scams, target both businesses and consumers. The affected firms include both small and large businesses.

Businesses

The Federal Bureau of Investigation (FBI) calls theses scams "Business E-mail Compromise" (BEC), since the fraudsters often target executives within a company with phishing e-mails, designed to trick victims into revealing sensitive bank account and sign-in credentials (e.g., usernames, passwords):

"At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented... Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals."

From January, 2015 to February 2017, there was a 1,300 percent increase in financial losses due to these scams, totaling $3 billion. To trick victims, criminals use a variety of online methods including spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. (If these terms are unfamiliar, then you probably don't know enough to protect yourself.) Malware, or computer viruses, are often embedded in documents attached to e-mail messages -- another reason not to open e-mail attachments from strangers.

Forbes Magazine reported in April:

"Fraudsters target the CEO's and CFO's at various companies and hack their computers. They collect enough information to learn the types of billing the company pays, who the payee's are and the average balances paid. They then spoof a customer or, in other words, take their identity, and bill the company with wire transfer instructions to a scam bank account."

Some criminals are particularly crafty, by pretending to be a valid customer, client or vendor; and use a slightly altered sender's e-mail address hoping the victim won't to notice. This technique is successful more often that you might think. Example: a valid sender's e-mail address might be johnson@XYZcompany.com, while the scammer uses johnson@XYZcompamy.com. Did you spot the alteration? If you didn't, then you've just wired money directly to the criminal's offshore account instead of to a valid customer, client, or vendor.

Scammers can obtain executives' e-mail addresses and information from unprotected pages on social networking sites and/or data breaches. So, the data breaches at Under Armour, Equifax, Fresenius, Uber, the Chicago Board of Elections, Yahoo, Nationwide, Verizon, and others could have easily provided criminals with plenty of stolen personal data to do plenty of damage; impersonating coworkers, business associates, and/or coworkers. Much of the stolen information is resold by criminals to other criminals. Trading stolen data is what many cyber criminals do.

There are several things executives can do to protect themselves and their business' money. Learn to recognize money transfer scams and phishing e-mails. Often, bogus e-mails or text messages contain spelling errors (e.g., in the message body) and/or contain a request to wire immediately an unusually large amount of money. Most importantly, the FBI recommends:

"The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone."

That means don't rely upon text messages either.

Consumers

Wiring money is like sending cash. To avoid losing money, it is important for consumers to learn to recognize money transfer scams, too. There are several versions, according to the U.S. Federal Trade Commission (FTC):

"1. You just won a prize but you have to pay fees to get the prize
2. You need to pay for something you just bought online before they send it
3. A friend is in trouble and needs your help
4. You got a check for too much money and you need to send back the extra"

Regular readers of this blog are already familiar with #4 -- also called "check scams." Instead of paper checks, scammers have upgraded to prepaid cards and/or wire transfers. The FTC also advises consumers to pause before doing anything, and then:

  • "If the person claims (via e-mail) to need money for an emergency, call them first. Call another family member. Verify first if something truly happened.
  • If the check received is too much money, call your bank before you deposit the check.  Ask your bank what they think about wiring money back to someone.
  • If the e-mail or phone caller says you received an inheritance or prize, "you do not have to pay for a prize. Ever.  Did they say you have an inheritance? Talk to someone you trust. What does that person think?"

If you have already sent money to a scammer, it's gone and you probably won't get it back. So, file a complaint with the FTC. Chances are the scammer will contact you again, since they (or their associates) were successful already. Don't give them any more money.


FBI Warns Sophisticated Malware Targets Wireless Routers In Homes And Small Businesses

The U.S. Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) warning consumers and small businesses that "foreign cyber actors" have targeted their wireless routers. The May 25th PSA explained the threat:

"The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic... The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer... VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."

The "VPN" acronym usually refers to a Virtual Private Network. Why use the VPNfilter name for a sophisticated computer virus? Wired magazine explained:

"... the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities."

The FBI's PSA advised users to, a) reboot (e.g., turn off and then back on) their routers; b) disable remote management features which attackers could take over to gain access; and c) update their routers with the latest software and security patches. For routers purchased independently, security experts advise consumers to contact the router manufacturer's tech support or customer service site.

For routers leased or purchased from an internet service providers (ISP), consumers should contact their ISP's customer service or technical department for software updates and security patches. Example: the Verizon FiOS forums site section lists the brands and models affected by the VPNfilter malware, since several manufacturers produce routers for the Verizon FiOS service.

It is critical for consumers to heed this PSA. The New York Times reported:

"An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the [VPNfilter] malware... A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency... To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.” Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device..."

Readers wanting technical details about VPNfilter, should read the Talos Intelligence blog post.

When consumers contact their ISP about router software updates, it is wise to also inquire about security patches for the Krack malware, which the bad actors have used recently. Example: the Verizon site also provides information about the Krack malware.

The latest threat provides several strong reminders:

  1. The conveniences of wireless internet connectivity which consumers demand and enjoy, also benefits the bad guys,
  2. The bad guys are persistent and will continue to target internet-connected devices with weak or no protection, including devices consumers fail to protect,
  3. Wireless benefits come with a responsibility for consumers to shop wisely for internet-connected devices featuring easy, continual software updates and security patches. Otherwise, that shiny new device you recently purchased is nothing more than an expensive "brick," and
  4. Manufacturers have a responsibility to provide consumers with easy, continual software updates and security patches for the internet-connected devices they sell.

What are your opinions of the VPNfilter malware? What has been your experience with securing your wireless home router?


Medicare Scams Still Operate. How To Avoid Getting Your Identity Information Stolen

To minimize fraud, the new Medicare cards display a unique 11-digit identification number instead of patients' Social Security numbers. However, scammers have created a new tactic to trick patients into revealing their sensitive Medicare information. The Oregon Department of Justice warned:

"If someone calls and asks you for your personal information, money to activate the new card, or threatens to cancel your Medicare benefits if you don’t share your personal information, just hang up! It is a scam," said Attorney General Ellen Rosenblum.

Medicare will not call you nor ask for your Social Security number or bank information. That's good advice for patients nationwide. Experts estimate that Medicare loses about $60 billion yearly to con artists via a variety of scams.

Oregon residents suspecting healthcare fraud or wanting to report scammers, should contact Oregon's Department of Justice’s Consumer Protection (hotline: 1-877-877-9392 or www.oregonconsumer.gov). Consumers in other states should contact their state's attorney general, and/or report suspected fraud directly to Medicare.

The video below from 2017 includes advice about how patients should protect their Medicare cards.


News Media Alliance Challenges Tech Companies To 'Accept Accountability' And Responsibility For Filtering News In Their Platforms

Last week, David Chavern, the President and CEO of News Media Alliance (NMA), testified before the House Judiciary Committee. The NMA is a nonprofit trade association representing over 2,000 news organizations across the United States. Mr. Chavern's testimony focused upon the problem of fake news, often aided by social networking platform.

His comments first described current conditions:

"... Quality journalism is essential to a healthy and functioning democracy -- and my members are united in their desire to fight for its future.

Too often in today’s information-driven environment, news is included in the broad term "digital content." It’s actually much more important than that. While some low-quality entertainment or posts by friends can be disappointing, inaccurate information about world events can be immediately destructive. Civil society depends upon the availability of real, accurate news.

The internet represents an extraordinary opportunity for broader understanding and education. We have never been more interconnected or had easier and quicker means of communication. However, as currently structured, the digital ecosystem gives tremendous viewpoint control and economic power to a very small number of companies – the tech platforms that distribute online content. That control and power must come with new responsibilities... Historically, newspapers controlled the distribution of their product; the news. They invested in the journalism required to deliver it, and then printed it in a form that could be handed directly to readers. No other party decided who got access to the information, or on what terms. The distribution of online news is now dominated by the major technology platforms. They decide what news is delivered and to whom – and they control the economics of digital news..."

Last month, a survey found that roughly two-thirds of U.S. adults (68%) use Facebook.com, and about three-quarters of those use the social networking site daily. In 2016, a survey found that 62 percent of adults in the United States get their news from social networking sites. The corresponding statistic in 2012 was 49 percent. That 2016 survey also found that fewer social media users get their news from other platforms: local television (46 percent), cable TV (31 percent), nightly network TV (30 percent), news websites/apps (28 percent), radio (25 percent), and print newspapers (20 percent).

Mr. Chavern then described the problems with two specific tech companies:

"The First Amendment prohibits the government from regulating the press. But it doesn’t prevent Facebook and Google from acting as de facto regulators of the news business.

Neither Google nor Facebook are – or have ever been – "neutral pipes." To the contrary, their businesses depend upon their ability to make nuanced decisions through sophisticated algorithms about how and when content is delivered to users. The term “algorithm” makes these decisions seem scientific and neutral. The fact is that, while their decision processes may be highly-automated, both companies make extensive editorial judgments about accuracy, relevance, newsworthiness and many other criteria.

The business models of Facebook and Google are complex and varied. However, we do know that they are both immense advertising platforms that sell people’s time and attention. Their "secret algorithms" are used to cultivate that time and attention. We have seen many examples of the types of content favored by these systems – namely, click-bait and anything that can generate outrage, disgust and passion. Their systems also favor giving users information like that which they previously consumed, thereby generating intense filter bubbles and undermining common understandings of issues and challenges.

All of these things are antithetical to a healthy news business – and a healthy democracy..."

Earlier this month, Apple Computer and Facebook executives exchanged criticisms about each other's business models and privacy. Mr. Chavern's testimony before Congress also described more problems and threats:

"Good journalism is factual, verified and takes into account multiple points of view. It can take a lot of time and investment. Most particularly, it requires someone to take responsibility for what is published. Whether or not one agrees with a particular piece of journalism, my members put their names on their product and stand behind it. Readers know where to send complaints. The same cannot be said of the sea of bad information that is delivered by the platforms in paid priority over my members’ quality information. The major platforms’ control over distribution also threatens the quality of news for another reason: it results in the “commoditization” of news. Many news publishers have spent decades – often more than a century – establishing their brands. Readers know the brands that they can trust — publishers whose reporting demonstrates the principles of verification, accuracy and fidelity to facts. The major platforms, however, work hard to erase these distinctions. Publishers are forced to squeeze their content into uniform, homogeneous formats. The result is that every digital publication starts to look the same. This is reinforced by things like the Google News Carousel, which encourages users to flick back and forth through articles on the same topic without ever noticing the publisher. This erosion of news publishers’ brands has played no small part in the rise of "fake news." When hard news sources and tabloids all look the same, how is a customer supposed to tell the difference? The bottom line is that while Facebook and Google claim that they do not want to be "arbiters of truth," they are continually making huge decisions on how and to whom news content is delivered. These decisions too often favor free and commoditized junk over quality journalism. The platforms created by both companies could be wonderful means for distributing important and high-quality information about the world. But, for that to happen, they must accept accountability for the power they have and the ultimate impacts their decisions have on our economic, social and political systems..."

Download Mr. Chavern's complete testimony. Industry watchers argue that recent changes by Facebook have hurt local news organizations. MediaPost reported:

"When Facebook changed its algorithm earlier this year to focus on “meaningful” interactions, publishers across the board were hit hard. However, local news seemed particularly vulnerable to the alterations. To assuage this issue, the company announced that it would prioritize news related to local towns and metro areas where a user resided... To determine how positively that tweak affected local news outlets, the Tow Center measured interactions for posts from publications coming from 13 metro areas... The survey found that 11 out of those 13 have consistently seen a drop in traffic between January 1 and April 1 of 2018, allowing the results to show how outlets are faring nine weeks after the algorithm change. According to the Tow Center study, three outlets saw interactions on their pages decrease by a dramatic 50%. These include The Dallas Morning News, The Denver Post, and The San Francisco Chronicle. The Atlanta Journal-Constitution saw interactions drop by 46%."

So, huge problems persist.

Early in my business career, I had the opportunity to develop and market an online service using content from Dow Jones News/Retrieval. That experience taught me that the news - hard news - included who, where, when, and what happened. Everything else is either opinion, commentary, analysis, an advertisement, or fiction. And, it is critical to know the differences and/or learn to spot each type. Otherwise, you are likely to be misled, misinformed, or fooled.


Many People Are Concerned About Facebook. Any Other Tech Companies Pose Privacy Threats?

The massive data breach involving Facebook and Cambridge Analytica focused attention and privacy concerns on the social networking giant. Reports about extensive tracking of users and non-users, testimony by its CEO before the U.S. Congress, and online tools allegedly allowing advertisers to violate federal housing laws have also focused attention on Facebook.

Are there any other tech or advertising companies which consumers should have privacy concerns about?  What other companies collect massive amounts of information about consumers? It seems wise to look beyond Facebook in to avoid missing significant threats.

Google logo To answer these questions, the Wall Street Journal compared Facebook and Google:

"... Alphabet Inc.’s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps... It’s likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, chief executive of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting. Yet, like Facebook, it continues to gather your data... Google Analytics is far and away the web’s most dominant analytics platform. Used on the sites of about half of the biggest companies in the U.S., it has a total reach of 30 million to 50 million sites. Google Analytics tracks you whether or not you are logged in... Google uses, among other things, our browsing and search history, apps we’ve installed, demographics such as age and gender and, from its own analytics and other sources, where we’ve shopped in the real world. Google says it doesn’t use information from “sensitive categories” such as race, religion, sexual orientation or health..."

There's plenty more, so read the entire WSJ article. A good review worthy of further discussion.

However, more companies pose privacy threats. Equifax, one of three major credit reporting agencies, easily makes my list. Its massive data breach affected half the population in the USA, plus persons worldwide. An investigation discovered several data security failures at Equifax.

Also on my list would be the U.S. Federal Communications Commission (FCC). Using some  "light touch" legal ju-jitsu and vague promises of enabling infrastructure investments, the Republican-majority Commissioners and Trump appointee Ajit Pai at the FCC revoked broadband privacy protections for consumers last year... and punted broadband oversight responsibility to the U.S. Federal Trade Commission (FTC). This allowed corporate internet service providers (ISPs) to freely track and collect sensitive data about internet users without requiring notices nor opt-out mechanisms.

Uber logo Uber also makes my list, given its massive data breach affecting 57 million persons. Earlier this month, the FTC announced a revised settlement agreement where Uber:

"... failed to disclose a significant breach of consumer data that occurred in 2016 -- in the midst of the FTC’s investigation that led to the August 2017 settlement announcement... the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information... In announcing the original proposed settlement with Uber in August 2017, the FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.

In the revised complaint, the FTC alleges that Uber learned in November 2016 that intruders had again accessed consumer data the company stored on its third-party cloud provider’s servers by using an access key an Uber engineer had posted on a code-sharing website... the intruders used the access key to download from Uber’s cloud storage unencrypted files that contained more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders... Uber paid the intruders $100,000 through its third-party “bug bounty” program and failed to disclose the breach to consumers or the Commission until November 2017... the new provisions in the revised proposed order include requirements for Uber to submit to the Commission all the reports from the required third-party audits of Uber’s privacy program rather than only the initial such report..."

Yes, Wells Fargo bank makes my list, too. This blog post explains why. Who is on your list of the biggest privacy threats to consumers?


New Technologies Will Soon Make It More Difficult For Consumers To Spot Fake News

We've all heard the old saying: seeing is believing. Right? Not necessarily anymore.

New technologies  will soon make it very easy for bad actors to manipulate videos of people -- politicians, law enforcement officials, celebrities, or anyone -- to say things they never said. This will cause many problems, one of which will be the increasing difficulty, or impossibility, for consumers to spoke fake news. CBS News explained:

"It starts with a selfie. Using that simple image, Hao Li, CEO of Los Angeles-based Pinscreen, can manipulate someone's face. You can literally put words in someone else's mouth. Li said it's all part of building a new virtual chat room world, but this type of advanced artificial intelligence technology is raising real eyebrows... For example, someone could take an image of President Trump and make him say something he didn't really say. Li said these kind of things are already possible in some ways. Comedian Jordan Peele used lip sync technology in a public service announcement (PSA) out Tuesday, warning against the dangers of fake news..."

Below is the PSA by Peele, which has already gotten more than 2.3 million views:

This is more confirmation that artificial intelligence is ripe for misuse by bad actors. The CBS News report also described some of the efforts by software developers to quickly create tools to spot manipulated images and video. Here's why:

"... at Pinscreen, Li said it won't take long before the line between what's real or not is erased. "It might be a year actually." "

Watch the entire CBS News report. These new image/video detection tools can't come soon enough. Consumers will need them. Journalists, military, intelligence, government watch-dog agencies, and corporate executives will need them, too. One can easily imagine bad actors using A.I. and other new technologies to create fake endorsements by celebrities of products, services, and/or politicians they really didn't endorse. What are your opinions?


2017 FTC Complaints Report: Debt Collection Tops The List. Older Consumers Better At Spotting Scams

Earlier this month,, the U.S. Federal Trade Commission (FTC) released its annual report of complaints submitted by consumers in the United States. The report is helpful is understand the most frequent types of scams and reports consumers experienced.

The latest report, titled 2017 Consumer Sentinel Network Data Book, includes complaints from 2.68 million consumers, a decrease from 2.98 million in 2016. However, consumers reported losing a total of $905 million to fraud in 2017, which is $63 million more than in 2016. The most frequent complaints were about debt collection (23 percent), identity theft (14 percent), and imposter scams (13 percent). The top 20 complaint categories:

Rank Category # Of
Reports
% Of
Reports
1 Debt Collection 608,535 22.74%
2 Identity Theft 371,061 13.87%
3 Imposter Scams 347,829 13.00%
4 Telephone & Mobile Services 149,578 5.59%
5 Banks & Lenders 149,316 5.58%
6 Prizes, Sweepstakes & Lotteries 142,870 5.34%
7 Shop-at-Home & Catalog Sales 126,387 4.72%
8 Credit Bureaus, Information
Furnishers & Report Users
107,473 4.02%
9 Auto Related 86,289 3.23%
10 Television and Electronic Media 47,456 1.77%
11 Credit Cards 45,428 1.70%
12 Internet Services 45,093 1.69%
13 Foreign Money Offers &
Counterfeit Check Scams
31,980 1.20%
14 Health Care 27,660 1.03%
15 Travel, Vacations &
Timeshare Plans
22,264 0.83%
16 Business & Job Opportunities 19,082 0.71%
17 Advance Payments for
Credit Services
17,762 0.66%
18 Investment Related 15,079 0.56%
19 Computer Equipment
& Software
9,762 0.36%
20 Mortgage Foreclosure Relief
& Debt Management
8,973 0.34%

While the median loss for all fraud reports in 2017 was $429, consumers reported larger losses in certain types of scams: travel, vacations and timeshare plans ($1,710); mortgage foreclosure relief and debt management ($1,200); and business/job opportunities ($1,063).

The telephone was the most frequently-reported method (70 percent) scammers used to contact consumers, and  wire transfers was the most frequently-reported payment method for fraud ($333 million in losses reported). Also:

"The states with the highest per capita rates of fraud reports in 2017 were Florida, Georgia, Nevada, Delaware, and Michigan. For identity theft, the top states in 2017 were Michigan, Florida, California, Maryland, and Nevada."

What's new in this report is that it details financial losses by age group. The FTC report concluded:

"Consumers in their twenties reported losing money to fraud more often than those over age 70. For example, among people aged 20-29 who reported fraud, 40 percent indicated they lost money. In comparison, just 18 percent of those 70 and older who reported fraud indicated they lost any money. However, when these older adults did report losing money to a scammer, the median amount lost was greater. The median reported loss for people age 80 and older was $1,092 compared to $400 for those aged 20-29."

Detailed information supporting this conclusion:

2017 FTC Consumer Sentinel complaints report. Reports and losses by age group. Click to view larger image

2017 FTC Consumer Sentinel complaints report. Median losses by age group. Click to view larger image

The second chart is key. Twice as many younger consumers (40 percent, ages 20 - 29) reported fraud losses compared to 18 percent of consumers ages 70 and older. At the same time, those older consumers lost more money. So, older consumers were more skilled at spotting scams and few fell victim to scams. It seems both groups could learn from each other.

CBS News interviewed a millennial who fell victim to a mystery-shopper scam, which seemed to be a slick version of the old check scam. It seems wise for all consumers, regardless of age, to maintain awareness about the types of scams. Pick a news source or blog you trust. Hopefully, this blog.

Below is a graphic summarizing the 2017 FTC report:

Ftc-complaints-report-2017


Security Experts: Artificial Intelligence Is Ripe For Misuse By Bad Actors

Over the years, bad actors (e.g., criminals, terrorists, rogue states, ethically-challenged business executives) have used a variety of online technologies to remotely hack computers, track users online without consent nor notice, and circumvent privacy settings by consumers on their internet-connected devices. During the past year or two, reports surfaced about bad actors using advertising and social networking technologies to sway public opinion.

Security researchers and experts have warned in a new report that two of the newest technologies can be also be used maliciously:

"Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis... Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed."

Companies currently use or test artificial intelligence (A.I.) to automate mundane tasks, upgrade and improve existing automated processes, and/or personalize employee (and customer) experiences in a variety of applications and business functions, including sales, customer service, and human resources. "Machine learning" refers to the development of digital systems to improve the performance of a task using experience. Both are part of a business trend often referred to as "digital transformation" or the "intelligent workplace." The CXO Talk site, featuring interviews with business leaders and innovators, is a good resource to learn more about A.I. and digital transformation.

A survey last year of employees in the USA, France, Germany, and the United Kingdom found that they, "see A.I. as the technology that will cause the most disruption to the workplace." The survey also found: 70 percent of employees surveyed expect A.I. to impact their jobs during the next ten years, half expect impacts within the next three years, and about a third percent see A.I. as a job creator.

This new report was authored by 26 security experts from a variety of educational institutions including American University, Stanford University, Yale University, the University of Cambridge, the University of Oxford, and others. The report cited three general ways bad actors could misuse A.I.:

"1. Expansion of existing threats. The costs of attacks may be lowered by the scalable use of AI systems to complete tasks that would ordinarily require human labor, intelligence and expertise. A natural effect would be to expand the set of actors who can carry out particular attacks, the rate at which they can carry out these attacks, and the set of potential targets.

2. Introduction of new threats. New attacks may arise through the use of AI systems to complete tasks that would be otherwise impractical for humans. In addition, malicious actors may exploit the vulnerabilities of AI systems deployed by defenders.

3. Change to the typical character of threats. We believe there is reason to expect attacks enabled by the growing use of AI to be especially effective, finely targeted, difficult to attribute, and likely to exploit vulnerabilities in AI systems."

So, A.I. could make it easier for the bad guys to automated labor-intensive cyber-attacks such as spear-fishing. The bad guys could also create new cyber-attacks by combining A.I. with speech synthesis. The authors of the report cited examples of more threats:

"The use of AI to automate tasks involved in carrying out attacks with drones and other physical systems (e.g. through the deployment of autonomous weapons systems) may expand the threats associated with these attacks. We also expect novel attacks that subvert cyber-physical systems (e.g. causing autonomous vehicles to crash) or involve physical systems that it would be infeasible to direct remotely (e.g. a swarm of thousands of micro-drones)... The use of AI to automate tasks involved in surveillance (e.g. analyzing mass-collected data), persuasion (e.g. creating targeted propaganda), and deception (e.g. manipulating videos) may expand threats associated with privacy invasion and social manipulation..."

BBC News reported even more possible threats:

"Technologies such as AlphaGo - an AI developed by Google's DeepMind and able to outwit human Go players - could be used by hackers to find patterns in data and new exploits in code. A malicious individual could buy a drone and train it with facial recognition software to target a certain individual. Bots could be automated or "fake" lifelike videos for political manipulation. Hackers could use speech synthesis to impersonate targets."

From all of this, one can conclude that the 2016 elections interference cited by intelligence officials is probably mild compared to what will come: more serious, sophisticated, and numerous attacks. The report included four high-level recommendations:

"1. Policymakers should collaborate closely with technical researchers to investigate, prevent, and mitigate potential malicious uses of AI.

2. Researchers and engineers in artificial intelligence should take the dual-use nature of their work seriously, allowing misuse-related considerations to influence research priorities and norms, and proactively reaching out to relevant actors when harmful applications are foreseeable.

3. Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and imported where applicable to the case of AI.

4. Actively seek to expand the range of stakeholders and domain experts involved in discussions of these challenges."

Download the 101-page report titled, "The Malicious Use Of Artificial Intelligence: Forecasting, Prevention, And Mitigation" A copy of the report is also available here (Adobe PDF; 1,400 k bytes)here.

To prepare, both corporate and government executives would be wise to both harden their computer networks and (re)train their employees to recognize and guard against cyber attacks. What do you think?


Do Social Media Pose Threats To Democracies?

November 4th cover of The Economist magazine The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general council Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

Google logo And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? by The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions to fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallow bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society.

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Security Experts: Massive Botnet Forming. A 'Botnet Storm' Coming

Online security experts have detected a massive botnet -- a network of zombie robots -- forming. Its operator and purpose are both unknown. Check Point Software Technologies, a cyber security firm, warned in a blog post that its researchers:

"... had discovered of a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016... Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others..."

Reportedly, the botnet has been named either "Reaper" or "IoTroop." The McClatchy news wire reported:

"A Chinese cybersecurity firm, Qihoo 360, says the botnet is swelling by 10,000 devices a day..."

Criminals use malware or computer viruses to add to the botnet weakly protected or insecure Internet-connect devices (commonly referred to as the internet of things, or IoT) in homes and businesses. Then, criminals use botnets to overwhelm a targeted website with page requests. This type of attack, called a Distributed Denial of Service (DDoS), prevents valid users from accessing the targeted site; knocking the site offline. If the attack is large enough, it can disable large portions of the Internet.

A version of the attack could also include a ransom demand, where the criminals will stop the attack only after a large cash payment by the targeted company or website. With multiple sites targeted, either version of cyber attack could have huge, negative impacts upon businesses and users.

How bad was the Mirai botnet? According to the US-CERT unit within the U.S. Department of Homeland Security:

"On September 20, 2016, Brian Krebs’ security blog was targeted by a massive DDoS attack, one of the largest on record... The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices... The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack..."

Wired reported last year that after the attack on Krebs' blog, the Mirai botnet:

"... managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone... Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover..."

The Wired report also explained the difficulty with identifying and cleaning infected devices:

"One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam—or more likely, a small business's—is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product."

It this seems scary, it is. The coming botnet storm has the potential to do lots of damage.

So, a word to the wise. Experts advise consumers to, a) disconnect the device from your network and reboot it before re-connecting it to the internet, b) buy internet-connected devices that support security software updates, c) change the passwords on your devices from the defaults to strong passwords, d) update the operating system (OS) software on your devices with security patches as soon as they are available, e) keep the anti-virus software on your devices current, and f) regularly backup the data on your devices.

US-CERT also advised consumers to:

"Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. Purchase IoT devices from companies with a reputation for providing secure devices... Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected."


Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic; plus inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.

What should consumers do? Experts advise consumers to update the software in all mobile devices connected to their home wireless router. Obviously, that means first contacting the maker of your home wireless router, or your Internet Service Provider (ISP), for software patches to fix the security vulnerability.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to better device for security. Comments?


Report: Patched Macs Still Vulnerable To Firmware Hacks

Apple Inc. logo I've heard numerous times the erroneous assumption by consumers: "Apple-branded devices don't get computer viruses." Well, they do. Ars Technica reported about a particular nasty hack of vulnerabilities in devices' Extensible Firmware Interface (EFI). Never heard of EFI? Well:

"An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version."

This is very bad. EFI hacks are particularly effective and nasty because:

"... they give attackers control that starts with the very first instruction a Mac receives... the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS... That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed."

At-risk EFI versions mean that devices running Windows and Linux operating systems are also vulnerable. Reportedly, the exploit requires plenty of computing and technical expertise, so hackers would probably pursue high-value targets (e.g., journalists, attorneys, government officials, contractors with government clearances) first.

The Duo Labs Report (63 pages, Adobe PDF) lists the specific MacBook, MacBookAir, and MacBookPro models at risk. The researchers shared a draft of the report with Apple before publication. The report's "Mitigation" section provides solutions, including but not limited to:

"Always deploy the full update package as released by Apple, do not remove separate packages from the bundle updater... When possible, deploy Combo OS updates instead of Delta updates... As a general rule of thumb, always run the latest version of macOS..."

Scary, huh? The nature of the attack means that hackers probably can disable the anti-virus software on your device(s), and you probably wouldn't know you've been hacked.


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

Suspected spam email. Click to view larger version

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

Suspected spam email. Click to view larger version

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5.  The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that doesn't match either the company's name in "1" nor "2."

To understand #7, I reviewed the underlying HTML markup language used to create this e-mail message:

HTML markup of the suspected spam email. Click to view larger version

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.

As best I can tell, this definitely is spam. I don't trust it. What do you think?