Phishermen’s Friend: AI

The publication of the private data of celebrities should be a good reminder to us of the intentions we all had at the turn of the year. But not that motivated me to write this article, but some phishing mails I probably got from you. Also you are prominent!

Me, prominent? Nobody wants anything from me.

I’m afraid that’s thought too briefly. In almost everything that goes through your mailboxes or Facebook messages, there is also information about others – and if it is only the email address. Many of you readers also look after customers – the protection of this data is not only a matter of decency, but is also vital for business.

Well, then the bad guy just learns the email addresses of the others. What can he do with it?

Well, he can write her up! The email contained names, was it about orders, was an invoice included? All wonderful points of contact for phishing.

Phishing?

Damit ist -sehr verkürzt- das Ausnehmen von Dummen gemeint.

Uh, me? What does he want when he has phished me off?

Always money in the end. And the phisher needs access to the computer or mobile phone. This of course means access via the network (you don’t need a screen).

Sure, to get to my banking app!

That would be an idea – but it’s rather elaborate and leaves too many traces. It is easier to encrypt the hard disk to extort ransom. But it doesn’t have to be this immediate super disaster – it is obvious to spy out the computer for more email addresses and thus new potential victims. You can install a program that writes passwords of keyboard entries. Hijacked computers can also be rented – for money.

Who rents something like this?

If you want to send a lot of new phishing emails (say a few 10000), and want to do so in a way that the traces are not traceable, you need a lot of computers. It’s better not to attack large institutions with your own computer. Or to get bitcoins calculated…Is your computer sometimes so strangely busy when you’re not doing anything?

Hm, I don’t know. What do I have to do in order not to belong to the stupid ones?

Rule 1: Keep all your software up to date! On all computers or mobile phones! Even computers that are supposedly never connected to the Internet, if there is a network cable or a USB port. If the software doesn’t do this update control itself (like modern browsers or MS-Office) – check it daily.

Rule 2: Never click on email attachments unless you know exactly what will happen. It’s best to only open attachments like pictures or PDF’s.

But I’m already doing that!

Very good. Now rule 3: Don’t trust emails from friends per se! Are there any new attachments? Is there a strange link in it? Ask possibly back. And take the questions of your computer seriously (“Should scripts be executed in this Word document?”)!

Isn’t that an exaggeration?

Maybe, but it can save a lot of trouble. In addition, we will see much more really good fake mails in the future.

So fake emails? Who writes them all?

A computer program, probably even on an already hijacked computer. And it will use the latest trick of the programmers: Artificial intelligence.

Boah!

Well, that sounds a little dramatic. Mostly we mean “machine learning” and that is again just well done statistics and mathematics. To do phishing mails is, so to speak, what you can do especially well with AI: You design 10 variants with the help of the additional information and send them to 10000 victims. The variants that work particularly well are then (automatically) further developed (this is the learning effect)…

..and at some point the result is so perfect that they have me.

That’s it. But if your mail program is well maintained and up to date, it will certainly warn you – the good side hopefully knows the tricks too.

Well, then, three rules, that sounds manageable. Now I am sure.

Rule 4: Stay vigilant and disciplined, be honest about your own mistakes. Computers are better reinstalled when something dubious has happened. This works best with a backup, mainly of the data. On a medium that is not always connected.

Oops, you got me 🙁

Rule 5: Don’t get paranoid, we have to continue doing business, and our customers want to use their computers as well. That’s why it helps to invest 15 minutes every month to find out what’s new in data protection and computer security. And make sure that employees have not forgotten these rules again. And to think about the case of the cases…but that requires the GDPR anyway.

There are not only these 5 rules, of course, but they are some of the most important. Sorry if this all comes across as a bit masterly. But we are all require the Internet to work – and its really not so complicated. – Bob

SSL SSL SSL

HTTPS = SSL

SSL or HTTPS is the term used to describe the encrypted transmission of data from the browser to the server. In this way, the data packets run on different computers, from the WLAN router, via our DSL provider, via Internet node points to devices in the data center where the oekobox-online.de server is located, for example.
All these computers can read everything without encryption. It’s not easy for anyone to get to the computers in our data centers, but with WLAN access in the cafe it’s easier.

The basic principle of this encryption is a mathematical procedure in which there are secret and public sequences of numbers. The public ones are managed and issued in the form of certificates (certificates that are formatted in a very specific way).

The secure transmission is triggered by https://-Protokoll in the web address. If everything works out, the locker is closed:

Even more trust of a client can be achieved through extensions, sometimes you even have to go to the notary and introduce yourself. Then there’s the name of the locker:

So what…?

The contents of my shopping cart… well, anyone can see that, right? There are many arguments that every individual communication (here: you with your seller) should remain private. But that makes us a little bit political or philosophical.

Your password, which you also use for bank access, is a more understandable scenario, but in practice it is not that common.

But: the data can also be manipulated during retrieval. Here is an example:

As a customer you can trust your Bio-Shop, click on every link that is offered to you there – or download a file that says “our top products as zip-file! There’s a virus inside that’ll destroy your computer.

So we are all pissed off: you, because you have a virus, and the bio-shop is suspected of having a dirty website – but the virus didn’t come from him at all, but was infiltrated on the way (in the cafe?).

This was just one example of many cases that SSL can help.

Why now?

The “big players” on the Internet have now taken the initiative. Not only that their offers are in principle accessible via SSL, but they also prefer partners whose contents are also offered in encrypted form. These may be links on Facebook, or search results on Google.

Google (the Chrome Browser team) and Mozilla also want to warn about non-SSL sites soon – at first only when transmitting data, but later on also when it comes to the simple retrieval of pages. That is why we should tackle this in the next few months (if it has not yet happened).

I have not driven the topic forward very much in the past with our installations – because a proper implementation of the idea can make work:

SSL is more than just a certificate

The certificate is issued on a domain name. The content of a website, however, often no longer comes from just one domain (I recommend the LightBeam-plugin in Firefox to anyone who wants to know more about it).

The browser only displays a closed (often green) lock if everything on the page is correct, i. e. all displayed (images) and not displayed content (scripts for animations, e. g.) come encrypted from providers with valid certificates.

In practice, this means work – many of them have a lot of content in CMS systems, where there are also many so-called absolute links. Even the web designer has to work carefully. Fortunately, there are tools (e. g. HTTPS Checker) that will help you to find them.

Not all certificates are supported by all end devices or servers (e. g. the shop server) – this should be clarified before the purchase.

The best way to communicate with customers is via SSL – i. e. also all links from mails should point directly to the https-page (as in this mail!) The often used logic to forward http-addresses to https- is not so good – after all this first call can be manipulated, and because this process happens automatically, the visitor has no chance to hear this.

This means that in the end, no one should have a reason to call the http variant. You can also change your Google entry accordingly and set technical tricks like HSTS.

SSL in the shop system

The shop system can always be addressed via https-. To do this, you only have to change the call within the web pages.

In the admin area the links to the website can be added, as well as placeholders, contents etc.

Non-Https references to images in the offer are automatically converted to internal links by the shop system and are thus also available in encrypted form, so there is no further work to be done here.

It will be more difficult for users who have integrated the shop with their own sub-domain (e. g. shop. schoenegge. de). Here, an individual solution must be found.

The new shop under construction will exclusively use SSL-protected content.

SSL is a permanent work – that’s why the item “SSL support” has been on the price list for some time now.