The Fox Report - March 2023 - Silicon Chip Online

Outer Front Cover
Contents
Subscriptions: PE Subscription
Subscriptions
Back Issues: Hare & Forbes Machineryhouse
Publisher's Letter: Important advice
Feature: It’s handover time by Mark Nelson
Feature: The Fox Report by Barry Fox
Feature: Net Work by Alan Winstanley
Project: Capacitor Discharge Welder by PHIL PROSSER
Feature: Mini PIC Training Course – Part 2 by Peter Brunning
Project: Raspberry Pi Pico BackPack by Tim Blythmhman
Project: Semaphore Signal by LES KERR
Feature: AUDIO OUT by Jake Rothman
Feature: Make it with Micromite by Phil Boyce
Feature: Circuit Surgery by Ian Bell
Feature: Max’s Cool Beans by Max the Magnificent
PCB Order Form
Advertising Index

This is only a preview of the March 2023 issue of Practical Electronics.

You can view 0 of the 72 pages in the full issue.

The Fox Report Barry Fox’s technology column Keeping one step ahead of scammers is a full-time task F ew people now fall for the mail shots, flyers or emails that congratulate us on winning or inheriting a fortune, and which costs money or needs bank details to collect. More of us are now wise to the way scammers using VOIP can spoof their calling number to match publicly available official numbers – so that the recipient’s phone shows the scam caller as ‘Bank’, ‘Building Society’ or ‘Credit Card’. One of the cleverer recent tricks is where a random cold caller to your mobile says he (or she) is from your cellphone service provider. While you are taking the call, the scammer uses the service provider’s website to send a ‘lost password’ text message with ‘verification code’ to your mobile ‘to prove it’s a genuine call’. If you then read out the code the scammer can take over your account, using stored credit card details to buy credit for another phone, start a new contract and cause much timeconsuming grief. And, however carefully we protect our own online life, we still remain at risk from others who exercise less care – even large companies with professional IT support. Ally Pally refund Such was the case recently after I had been in email correspondence with the Alexandra Palace charity in North London. Although the reason for the correspondence is interesting, it’s not essential to the scam which followed. Suffice to say that the restored old theatre in the Ally Pally building, under the old studios and transmitter tower which broadcast the UK’s first TV services, had staged a probably excellent part-musical play about Tom, Dick and Harry, the Great Escape tunnels dug out of Stalag Luft III during World War II. I say ‘probably excellent’ because the AP theatre staged the show ‘in the round’, without radio-miking the actors. So, at any given time, the large audience ringed around the stage were hearing direct sound from roughly just a quarter of the cast, with the rest of the sound bouncing unintelligibly off the hard walls, floor and ceiling dome. The AP management thanked me for my detailed acoustic-electronic suggestions, agreed that I was right to say the production should have been radio-miked and said they would be installing the necessary equipment later in the show’s run (but presumably, until then audiences would continue to strain their ears). I reckoned I was entitled to a refund for paying for a largely inaudible event, but management minions just sent me standardform email refusals. So, since as much as anything, I don’t like being fobbed off with semi-automated responses to STOP! Always ask yourself by whom and why you are being asked to click on a link. considered arguments, I pursued – and eventually – got my refund. All was forgotten until, a few months later, I received an email from the Alexandra Palace Finance Department which – as often now happens with business or medical communications – came with a password-protected attachment. As I had no account and no password, I queried the request and got back an assurance that the attachment was safe to read. But I still had no Ally Pally account or password. So, I never read whatever I’d been sent. Have I been scammed? Fast forward a few months and I learned that the correspondence had been a scam. Die-cast enclosures: standard and painted Learn more: hammfg.com/small-case More than 5000 standard stocked enclosure designs uksales<at>hammfg.com • 01256 812812 10 Practical Electronics | March | 2023 I quote AP’s Director of Finance and Resources: ‘My email account was hacked and the email you received from me was malicious and from a hacker. The response you received to your query was from the hacker… I sent out a huge number of responses reassuring people that these were indeed malicious and should be deleted.’ But, I got no such legitimate email. Should I be worried about malware or ransomware? The Director re-assured: ‘We have been advised by our third-party IT team that this was a relatively unsophisticated attack. They got access to my mailbox by me potentially using an unsecure public Wi-Fi… there has been no malware or ransomware detected…we have been advised that any recipient should delete the email and if not already done, passwords changed to prevent any subsequent malicious access attempts.’ (my italics) Passwords A BBC TV ‘expert’ recently gave similar general blanket change-password advice in response to a viewer’s unrelated question. Setting up new email passwords is not a trivial matter; it means that all user’s devices must be changed to the new password (phone, laptop, desktop, tablet). In the case of Google GMail the address is tied to a wide range of services which must all be reset to the new password. But what does changing passwords achieve if a hacker has simply stolen email addresses from a third party’s address list? The hacker has stolen the email address, not the password, because email passwords do not travel with email addresses. A colleague of mine surmises that, ‘it’s not at all unlikely that your email password is already out there in some ‘dark web’ database containing millions of such addresses. As such, it’s of little value to anybody and may well just be being ignored. However, if a bad actor has obtained your email address together with a set of emails containing some interesting financial information, your email password may well have leapt in value and be worth purchasing on the dark web.’ Says Alexandra Palace, presumably on advice from its IT advisers: ‘We have been advised that the approach this attack has taken means that if you have clicked on the link contained within the email and entered your own email address and password (as advised by the hacker) they will have captured both bits of information.’ Most IT-savvy folk will not enter their email address and password if asked to log into a third-party secure online locker. They will recognise that there is no connection between email security and locker security. But someone less familiar with online risks and perhaps in a hurry or worried or both, may well give it a try. In this case, the hacker cleverly created ‘urgency’ by saying the link would expire in two days; and when recipients replied to the scam mail querying sign-in, the scammer replied with reassurance that the email and site were safe. Later, of course, the scam site was blocked with dire public warnings. But blocking can only happen after early accessors have fallen foul; and the scammers have gone on to create fresh traps elsewhere. In my case I gave no information away so felt confident in not changing my email passwords. But I did make the mistake of replying to the original email, thereby unwittingly confirming that my stolen email is ‘live’ and thus worth more for sale. Practical Electronics | March | 2023 Use VPN If you are out and about with a laptop, then linking to a third-party Wi-Fi source without VPN (Virtual Private Network) protection is a really risky. I would hope that an IT specialist company employed by a large organisation would put staff VPN protection in place, or at least forcefully advise staff to use only public Wi-Fi access points with well-known service names, like those ftom O2, Virgin or a national rail line. It’s too easy for a scammer to create a phoney Wi-Fi access point and suck sensitive data out of victims’ mobiles. Says Ally Pally: ‘We think we have now bottomed out the cyber breach and apologise once again for your data being exposed in this way. We have taken steps to raise awareness of this type of attack internally and put in place changes to our IT infrastructure to mitigate this happening again.’ But there will still be countless other employees of countless companies that haven’t even thought about the risks they are running with customers’ data by using unsecured laptops on any available Wi-Fi they find in a coffee shop. Public education on the risks of using public Wi-Fi and practical advice on VPN is pitifully poor. Even the companies selling security solutions aren’t doing it. A self-promoting cybersecurity security company that specialises in VPN recently sent out a press release listing the best ways to avoid the theft of ‘account login credentials, personal information, or bank and credit card information’. I asked why there was no warning on public Wi-Fi and no mention of VPN. I, for one, would have welcomed some expert advice to try, use and pass on. The reply I received hardly inspired confidence. Simply: ‘This is a great tip … so feel free to include.’ JTAG Connector Plugs Directly into PCB!! No Header! No Brainer! Our patented range of Plug-of-Nails™ spring-pin cables plug directly into a tiny footprint of pads and locating holes in your PCB, eliminating the need for a mating header. Save Cost & Space on Every PCB!! Solutions for: PIC . dsPIC . ARM . MSP430 . Atmel . Generic JTAG . Altera Xilinx . BDM . C2000 . SPY-BI-WIRE . SPI / IIC . Altium Mini-HDMI . & More www.PlugOfNails.com Tag-Connector footprints as small as 0.02 sq. inch (0.13 sq cm) 11