Showing posts with label security. Show all posts

Monday, July 23, 2012

Our tinker toy electrical system

Doesn't take much.
James Woolsey, former director of the CIA, reminds us how rickety our electrical grid is.
Some two weeks after Secretary of Defense Leon E. Panetta warned of a potential “cyber-Pearl Harbor” involving a possible attack on the electric grid, Mother Nature took the cue and hit the East Coast with a storm that left millions of us for days without electricity from the grid. 
Some said silent thanks for that old generator they’d thought to stick in the garage. Though it wasn’t a cyberattack, Mother Nature gave parts of the grid a good lashing anyway.
On my country road south of Annapolis, two transformers were blown down from their perches on telephone poles, and the leaking oil and surging electricity produced 20-foot flames. In the meantime, our driveway was filled for days with 15 Baltimore Gas and Electric Co. trucks and about 25 electrical workers from Arkansas erecting new poles and replacement transformers. 
And that was just to deal with five days of outage, caused by falling tree branches, for a very small community on one short country road. What would it have taken to deal with damage that was far more extensive across a number of states because it had been planned by a group or nation that wanted, above all, to destroy our society? 
The electric grid is the heart of our ability to function as a society. We have 18 major infrastructures that keep our civilization operating — water, sewage, telecommunications, transportation, etc. All 17 of the others depend in one way or another on electricity. Imagine what it would be like for an electrical outage to last for months or years as a result of a cyber- or terrorist attack instead of merely for days. 
Without electricity, we are not just back in the pre-Web 1970s, we are back in the pre-grid 1870s. Very few of us have enough plow horses or manual water pumps.
As I write, some guys are downstairs sanding the family room floor. In preparation I unplugged the computer and peripherals. Then I came upstairs to work. Ah! No wireless! I had to rig everything up in the basement, where for some reason the previous resident installed a phone plug. A minor thing, but a reminder of how much we depend on electrical and other connections.

Friday, April 8, 2011

Don't talk to strangers

If a stranger came up to you on the sidewalk and asked for your Social Security number, you wouldn't give it to him. If a stranger on the sidewalk invited you to go through a door into a building with him, you wouldn't.

So when an email asks for some personal information, or invites you to click to go somewhere else, why would you?

The subject comes up, because a security breach that exposed the email addresses of potentially millions of customers of major U.S. banks, hotels and stores is more likely than traditional scams to ultimately trick people into revealing personal information.
Security experts are alarmed that the breach involved targeted information -- tying individuals to businesses they patronize -- and could make customers more likely to reveal passwords, Social Security numbers and other sensitive data.
Smart Money has some insight.
“Now the bad guys know who you do business with,” says Chester Wisniewski, senior security adviser at online security firm Sophos. “The likely outcome as far as fraud is concerned will be people impersonating the institutions they’ve compromised. If they contact you it will likely come in the form of a phishing attack [an email, or phone call if your number is listed, asking you for more information] or try to lure you online to a malicious link.”
And some advice. Read the whole article, but here is some of it.
When to do nothing: Don’t reply to emails that ask for personal information such as passwords, bank account or credit card details – even if the email mentions Epsilon and tries to scare you by saying your account is compromised. No legitimate company would ask you to do this. If you receive a suspicious phone call from your bank, hang up and call the bank yourself. Don’t let curiosity get the better of you either: don’t open email attachments or follow links by email, Twitter or Facebook, even if they have been “forwarded” to you by a friend.

When to take action: If you already use your email as a password for an online account, change it. If you use your name, or an easy variation of your name as a password like JohnDoe123, change it. But do this on the company’s own website. Never do this if asked to by email.

What to do in the future: Use secondary, less important email addresses when registering online accounts. Keep one for this and others for businesses, friends and family. If a secondary account starts receiving spam, it will be easier to shut it down without too much inconvenience.

Friday, September 24, 2010

Protect yourself at the ATM

From Wired: Authorities in Europe have seized a nice video recorded by a group of carders showing the criminals installing a skimming device and hidden camera at an ATM in the United Kingdom to steal customer PINs.

Filmed from the hidden pinhole camera itself, installed above the ATM, the video shows how easy it is to capture the PINs as customers enter them on the keypad. But a few wily customers, who are wise to the carders’ tricks, manage to thwart their scheme by shielding the keypad as they type in their number.



Some safety tips from The European ATM Security Team:
  • Protect your PIN by standing close to the ATM and shielding the keypad with your other hand.
  • Check to see if anything looks unusual or suspicious about the ATM. Jiggle the card slot. If there appears to be anything stuck onto the card slot or keypad, don’t use it. Don’t try to remove suspicious devices.
  • Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you’re having difficulties, and don’t allow anyone to distract you.

Thursday, September 9, 2010

Is someone listening in on your phone?

Phone hacking is likely to be far more widespread than anyone has acknowledged, The Economist reports.
Many corporate telephone systems and answering machines allow for the remote collection of voicemail. Voicemail passwords are often set to match the voicemail extension, or are set to easy-to-guess codes. And brute-force attacks to reveal a PIN may also be possible in some circumstances.
In America it appears it is trivially easy for anyone who knows a little about phone systems to access someone else's voicemail by "spoofing" the caller ID. From AT&T:
We are aware of companies that offer “spoofing” technology, which enables others to gain unauthorized access to wireless voicemail accounts that are not protected by a password. If you are concerned about unauthorized access to your wireless voicemail account, we recommend you add a password to your voicemail account.
The Economist on how they do it:
You can either call a central number and key in the mobile phone number, or you can tie up the mobile phone on one call while a second call is diverted to voicemail. The four-digit personal identification number (PIN) is then easy to guess, or trick out of the phone companies.

The New York Times reports that often, all it took was a simple four-digit PIN, such as 1111 or 4444, which many users did not bother to change after buying their mobiles. But even if PINs were changed, there is a short list of very frequently used codes which are easy enough to guess. Users prefer numeric passwords such as 1234, 4321, 2345, 3456 (etc), 0000, 1111, 2222 (etc), 369 or 741 (which form vertical lines on a telephone keypad).
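
For anyone who runs a phone system, the weak-PIN classes listed above (a PIN equal to the extension, one repeated digit, runs such as 2345 or 4321, and straight lines down the keypad) can be refused when the PIN is set. The following is an added example, not code from any of the quoted sources; the function name, the reason strings and the keypad-column table are assumptions made for illustration.

```python
# Added example: refuse voicemail PINs in the easy-to-guess classes named in
# the post. All names here are hypothetical, not a real phone-system API.

# Vertical columns of a standard telephone keypad, top to bottom
# (the middle column continues down to 0).
KEYPAD_COLUMNS = ("147", "2580", "369")


def _is_run(pin: str, step: int) -> bool:
    """True if every digit differs from the previous one by `step` (2345, 4321)."""
    return all(int(b) - int(a) == step for a, b in zip(pin, pin[1:]))


def weak_pin_reasons(pin: str, extension: str = "") -> list[str]:
    """Return why a PIN is easy to guess; an empty list means no rule matched."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not numeric"]
    reasons = []
    if len(pin) < 4:
        reasons.append("shorter than four digits")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")           # 0000, 1111, 4444
    if len(pin) > 1 and (_is_run(pin, 1) or _is_run(pin, -1)):
        reasons.append("ascending or descending run")     # 1234, 4321, 3456
    if len(pin) >= 3 and any(pin in col or pin in col[::-1]
                             for col in KEYPAD_COLUMNS):
        reasons.append("vertical line on the keypad")     # 369, 741
    if extension and pin == extension:
        reasons.append("matches the voicemail extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs; extension 5023 is made up for the demo.
    for candidate in ("1111", "4321", "369", "741", "5023", "7391"):
        print(candidate, weak_pin_reasons(candidate, extension="5023") or "ok")
```

A check like this only removes the shortest guessing list; limiting failed attempts is still needed against the brute-force case the post mentions.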