How to Be Invisible

E-MAIL AND THE INTERNET

There is no fog so dense, no night so dark, no gale so strong as that found at Oregon’s Columbia River bar, where more than 2,000 ships have been lost. As the great river meets the ocean, its mighty current collides with ocean swells, earning this patch of water the nickname, “Graveyard of the Pacific.” When a river pilot boards a ship coming in from the Pacific, with the fog rolling and the waves building up, his CYA advice to the captain is:

“I suggest you drop the anchor until conditions improve.”

Like the river pilot at the bar, my advice to you is, “I suggest you not use e-mail or the Internet until security increases.” The ship captains usually ignore the pilot’s advice, and you will probably ignore mine. Nevertheless, if or when disaster strikes you from cyberspace, remember: You’ve been warned!

THE STORY OF PAUL PETERS

MOSMAN NSW, AUSTRALIA. Paul Douglas Peters, a fifty-year-old Australian investment banker, entered the residence of William Pulver, a wealthy CEO in Sydney, Australia. Pulver’s eighteen-year-old daughter Madeleine was home alone. Peters attached a bomb-like device to her neck and warned that it would go off if she moved. He then left a ransom note on a USB digital storage device looped around Madeline’s neck. The note included instructions to e-mail him at dirkstraun1840@gmail.com.

Police searched Peters’s USB device and came up with a name. They also obtained access to his e-mail. He checked his Gmail account three times on that afternoon—first from a library, then twice more from a video store. Surveillance cameras from both places recorded a man matching Peters’s description around that time. In one picture his Range Rover was shown, including the license plate number. The vehicle was registered in Peters’s name.

Peters then took a one-way flight from Sydney to Chicago and flew to Kentucky the next day, where—thanks to his e-mail trail—he was arrested in a joint operation between FBI agents and the NSW police. We can all be happy the man was caught, but we can also extract a few lessons:

IF YOU ARE EVER FORCED TO RUN, FOR ANY REASON

• Never write a secret message using Microsoft Word. The USB drive revealed the ransom note written in Word. It contained metadata about the document’s author, including the name “Paul P.”

• Never use e-mail for a secret message. Each time Peters accessed his account, his location became known.

• Never use a library or a video store to check your e-mail. When Peters did just that, video cameras caught both him and his Range Rover.

• Never use a vehicle registered in your own name.

EVEN A STRONG PASSWORD MAY NOT PROTECT YOU

In the fall of 2011, FBI agents arrested Christopher Chaney, thirty-five, on charges of hacking e-mail accounts of dozens of celebrities, including Scarlett Johansson, Mila Kunis, Christina Aguilera, and Renee Olstead. How did he do it?

It turned out to be the same method used in 2008 by David Kernell, when he obtained access to Sarah Palin’s account by looking up biographical details such as her high school and birth date, then using Yahoo!’s account recovery for forgotten passwords. It seems that Chaney used publicly available sources to find information about the celebrities and used that information to gain access to their Yahoo!, Apple, and Google e-mail accounts.

LESSONS LEARNED

1. If a hacker wishes to get into your e-mail account, your password will not matter to him, he will plan to get around it.

2. First, he will search the Internet for any scrap of information about you.

3. Then he will access your account up to the point of password entry, where he’ll click on “Forgot your password?”

4. Using information he’s previously gathered about you, he’ll go to work by guessing the answers. It may take hours, it may take days, and in some cases it may takes weeks, but that is how Chaney hacked into the e-mail accounts of more than fifty celebrities.

HOW TO PROTECT YOURSELF

If you are allowed to choose your own question, do so, and make it a tough one. Otherwise, use false information (and keep track of it somewhere safe). Were you born in Bemidji, Minnesota? List “Seville, Spain.” Born 1/4/1970? List “4/1/1979”. If the name of your first dog was Spot, list “SwissCheese,” and so on.

E-MAIL IS NEVER SECURE

An e-mail message may linger on backup hard drives for years on end, and then come back to haunt you. (They are increasingly being used in civil and criminal cases.) Teach your children that a silly or profane e-mail in their youth could come back to bite them many years down the line.

Far too many people leave sensitive information sitting in their inbox—a treasure trove for criminals. And unfortunately, sometimes you do have to deal with sensitive information. Maybe you’re submitting a school or job application. Perhaps a friend sent you something confidential. How do you protect these messages?

One option is to use a relatively secure e-mail service, the first feature of which is SSL, or Secure Socket Layers. You can tell a secure site by the first part of its Web address—it starts with “https.” (The “s” at the end stands for “secure.”) This is advertised to create an encrypted pathway between your computer and the e-mail provider’s server. It makes it nearly impossible for hackers to steal messages en route. (I should note that https is available in Gmail and Hotmail but it isn’t necessarily turned on by default.) All online banking services and all payment pages where you enter credit card numbers should start with https.

Another important feature is message encryption. E-mail is typically sent as plain text. If hackers intercept the e-mail, they can read it with no problems. Encrypted e-mail is much harder for hackers to read. In most cases, they won’t be able to decrypt it. Encryption is best when both parties are on the same service. The e-mail you send back and forth stays encrypted the whole way. It is also encrypted on the mail provider’s servers. Even if hackers broke in, the message wouldn’t be readable.

What if you’re sending confidential information to a friend on another service? Some services let you password-protect the e-mail. Only a recipient with the password can open it. That adds another layer of protection against hackers. Of course, secure e-mail only takes you so far. There are other security aspects you need to consider. Here are three of the more important ones.

1. Make sure you have a strong unique password guarding your account. Include upper and lower case letters, a number, and at least one symbol. Otherwise, fancy encryption may be useless.

2. Use extreme care to avoid spyware and keyloggers. These can steal your passwords and send them to hackers, giving them full access to your accounts.

3. What about the recipients? You might send an encrypted message to a friend, but he or she could store it as plain text. If so, all a hacker needs to do is just to break into your friend’s account.

“THIS MESSAGE WILL SELF-DESTRUCT” (TMWSD)

TMWSD is a secure, auto-deleted messaging service. They encrypt your message before they store it. Then, the first time the message is retrieved, they delete the encrypted content. Then, if you wish, you can even add a password. Rather than store your password, they hash it using a heavy-duty hashing utility (bcrypt), and then salt the encryption key with it for even more security. This means that without the password no one other than you and the recipient can decrypt your secret message, not even them.

Go to www.thismessagewillselfdestruct.com and try it out right now.

YOUR INTERNET SERVICE PROVIDER

The moment you sign up for an Internet account, your invisibility begins to fade. At the government’s request, every Internet service provider (ISP) must furnish—with no advance notice to you—the following information about your account:

• The name you gave them, and the address where bills are sent.

• Records of your Internet sessions (including session times and duration).

• Your telephone number or other subscriber account identifying number(s); including any Internet or network addresses assigned to you.

• The source of your payments, including any credit card or bank account numbers.

• The content of and other records relating to your electronic mail messages, including attachments.

Can you get by with a false name, a PO box address, and pay the bills by money order? Yes … but if the government ever decides to go after you, the ISP will be forced to give up the source of your connections—a source that may lead straight to your office or home.

INTERNET DANGERS

As one writer of a well-known magazine wrote:

Web pages contain both excellent information and utter garbage, and it’s up to us to sort it all out. We now face temptations that were unthinkable in times past—addictions to online gambling, to pornography, to finding love in all the wrong places, and an addiction to the Internet itself. Use of the Internet has resulted in runaway children, tragic marital problems, broken homes and ruined lives.

Sadly, my wife and I have seen the bitter consequences of looking for “love in all the wrong places.” For the two families involved, it would have been infinitely better had they never had access to the Internet.

Do I use the Internet? Yes, in this business I must, but make no mistake—you can live without the Internet. Even with it, never forget that the Internet is a mysterious and highly dangerous place, seething with false information, viruses, worms, trojans, spybots, spyware, hijackers, phishers, pornography traps, botnets, and scams.

INTERNET SCAMS

New Internet extortion techniques arise on a daily basis. Here is a typical example, this one aimed at those of you who use a computer at your place of employment.

1. You receive an unsolicited e-mail containing a link to a seemingly innocuous site such as a review of the latest SUVs, or a great place to buy laptops at a discount.

2. When you click on the link, a file transfer from a site in Bulgaria is initiated in the background. Files with child pornography are then secretly downloaded to your computer. (Perhaps the extortionists use a malicious Java application that uses reverse tunneling to bypass your company’s firewall.)

3. Three days later, you receive an e-mail threat. It accuses you of downloading child pornography and directs you how to find these illegal files on your computer. “Either provide a valid credit card (name, expiration date, and billing address) or we will present this evidence to your boss!”

Three out of every twelve employees will actually furnish the credit card details, but only one in twelve will report this threat to his or her employer. Other scams involve opening an attachment instead of clicking on a link. Therefore:

• Never open an incoming attachment unless it is not only from someone you know, but you are either expecting it or there is a valid explanation in the message that accompanies it.

• Never, ever, click on a link that is contained in an unsolicited e-mail from an unknown source.

HOW TO CHECK OUT A DATE OR A MATE

I trust that you, dear reader, are a straight shooter—dependable, devoted, faithful, honorable, loyal, trustworthy, truthful, upright, and kind to children and dogs. But what about that certain other person? What follows are some measures you can take in your defense. Let’s assume the person you wish to check out is a man (such as your daughter’s new love interest), but what follows can also be applied to checking out women.

USE SEARCH ENGINES

You’ll need his full name, approximate age, and city of residence. Start with Google. If you have an e-mail address or a telephone number, try a search on that.

If nothing comes up, might it be he’s using a fake name? Even so, you might catch him. That’s what one woman I know did. She’d met a man online who seemed to be the answer to her dreams. Could he possibly be The One? She cut and pasted one of his e-mails into Google.

Bingo! The same exact words showed up on several Web sites that are dedicated to romance scams.

IF HE SENT YOU A PHOTO, CHECK IT OUT

At the very least, right click on the photo and if a menu comes up, left click on “Properties”. It will tell you the date it was created. If the date is, say, ten years prior to the date you received the picture, you will have what detectives say is a “clue.” In some cases (such as a picture on a Facebook page), the geotag will actually reveal the exact location where the picture was taken.

AVOID FREE DATING SITES

There are predators on paid online dating sites, too, but fewer of them. The best reason to use the paid sites is because everyone on the site had had to use a credit card, and the cards are on file. Read this warning from romancescams.org:

The scammer … uses words we all like to hear to woo our hearts so they can burn our souls. They use psychology to hold you in their spell. Once they have established a relationship then the scamming begins. In all cases the plea for financial assistance is the key to the scam. This can be for assistance in cashing a check that they are unable to cash themselves and also asking for financial assistance to help them out of a difficulty they are having. They have landed in a hotel and now cannot pay the bill so the hotel is holding all their papers so they cannot leave.… They were mugged and are in the hospital and need you to pay their hospital bill as they are being held hostage until it is paid …

BE ESPECIALLY WARY OF RELIGIOUS DATING SITES

The problem here is that you may trust others who contact you, believing them when they tell you they, too, are Adventist, LDS, JW, or “Christian” (whatever that means, these days). The paragraph below is an experience taken from ScamWarners.com:

I went on ChristianMingle for online dating and was scammed. I figured it out after two weeks but not until dishing out $1,500 (which I can’t believe I did) and flying to an airport to meet him and then having to wait for many hours to get a flight home.… When I was sitting in the airport, I received a call on my cell phone from a physician (?) who said this man had been in a car accident in which the vehicles burned but the only item salvaged was a piece of paper with my name on it. That was the trigger that this was a scam … I guess that I thought that a Christian dating site would be safe … I feel violated and ashamed …

Many of the LDS Web sites include excellent advice for Mormon singles who wish to meet other Mormons online. They are told to never give out personal information such as a last name, home/work addresses, phone numbers, or where they bank. They are warned never to believe everything they are told, even if it come from other LDS Web sites. Here is a typical warning:

Ask for references, especially of family, other LDS dating friends, coworkers, or even their bishop. If you telephone one of their references, use a pay phone to avoid problems with caller ID. Never meet alone; always bring a friend. Even for LDS dating, make sure that you meet in a public place during the day, like a mall, park, or restaurant.

The suggestion to “never meet alone” is crucial. Further, follow the advice of Canadian journalist Risha Gotlieg, who writes, “Staying local drastically reduces your chances of being scammed, since most scammers target victims outside their area to avoid being caught or prosecuted.”

THREE BASIC RULES

1. Do not click on any ads you see on a Web site, including this ironic one: “Has your credit card number been stolen on the Internet? Enter it below and click ‘Go’ to find out.”

2. Never enter accurate information into your computer or on a Web site, and especially not for an e-mail account.

3. When you sign up for whatever, use a different name, a different username, and a different password each time. Your address can be 123 Main Street, and your telephone number any area code plus 555-1212. If a Web site doesn’t accept the “555” number (since 555 is invalid), feed them some other number such as that of a library or a cremation service.

MY FAVORITE QUOTE

This one’s from Earl Long, the legendary governor who termed himself the “last of the red hot papas” of Louisiana politics.

Don’t write anything you can phone.

Don’t phone anything you can talk.

Don’t talk anything you can whisper.

Don’t whisper anything you can smile.

Don’t smile anything you can nod.

Don’t nod anything you can wink.

QUESTIONS & ANSWERS

Is it safe to store my credit card numbers on my laptop?

If you keep the number in an encrypted data file with a secure pass phrase of thirty-two alpha/numeric/punctuation mixed characters using TrueCrypt or similar, your credit card numbers should normally be safe. However, what if your laptop is stolen? Or if (unknown to you) there’s a keylogger on your computer?

Personally, I prefer to keep passwords, credit card numbers, SSNs, and other sensitive information elsewhere, rather than on my computer.

Why don’t you discuss anonymous methods of browsing the Internet?

Not only do they make your browsing sessions much slower, there is no real security as far as your identity is concerned. With any sort of legal problem, subpoenas will be served and your identity will be revealed. And not only that. According to a Stanford University study by the Law School’s Center for Internet and Society, as reported by The Washington Post, most “anonymous” third-party Web tracking is not anonymous. There apparently are a number of ways in which a user’s identity “can be associated with data that are supposed to be collected without linking to personally identifiable information.”

Are Web-based accounts more secure than other e-mail accounts?

Web-based e-mail accounts are not more secure but they do hide some important information. They don’t have a service address. If a PI sees tuvxyz@comcast.net, for example, he has a good idea that you probably also have a television or even telephone service with Comcast. That gives him two more organizations within that company to search for a service address. (He can’t do that with AOL, Yahoo!, Inbox, Bigstring, or SOS.net.)

Is there any simple way to remember complicated passwords?

This answer comes from Jon Freeman, the man even computer experts turn to when stumped. (Freeman is the owner of Barcode4.com.)

Using a different password, even just for your e-mail account, is incredibly important. I have heard of many friends and families whose computers were never infected, however their friends and acquaintances starting received phishing scams and other male enhancement ads apparently from them. They call me in a panic but the damage has already been done. “Change your password with your Internet provider right away,” I tell them.

An incredibly simple system I use to make my passwords strong and easy to easily remember is use part of the business name to which they go to. For example, I use the first and last letter of the service’s domain name I’m logging into at the end of my passwords. The start of my password is always uppercase, the middle lower, it contains a number, and is 9 characters long—thus it meets most website password strength requirements. So if your base strong password was “RJK&r2d” and you were logging into “Yahoo.com” you would add the letters “y” and “o.” Your final password could be “yoRJK&r2d”, “yRJK&r2do”, or “RJK&r2dyo” depending on where you decide to put the two letters. This system works very well and ensures I have just “one” password to remember, but a different password for every system. If that system gets compromised hackers will think I’m using a strong password and give up when they try it elsewhere and it doesn’t work.

For the more cautious reader, or if you’re logging in from a public terminal, you can even copy/paste those two letters from the domain name into the password box after you finish typing. This will help to confuse any physical keyboard keystroke logger as they won’t know you’ve added those two letters by mouse movement.