Confirming something that many of us already suspected, Twitter has revealed in its most recent SEC filing that almost 9% of all Twitter accounts aren’t used by actual humans. Given the social media’s 271 million accounts, that’s nearly 23 million Tweeters posting content at the behest of some form of automation or algorithm.
Common sense tells us that a long, complex password is inherently better than short, simple password primarily because it makes it harder for humans to guess what it might be based upon what they know about the user. However, when computers can brute-force a solution to even the most complex passwords within minutes, a lot of people are starting to question why they bother at all. That’s ever more so the case in light of a recent discovery that Russian hackers have amassed nearly 1.2 billion unique compromised credentials in a series of hacks targeting nearly half a million websites. Investigation into some of the hacked sites has revealed that though you may have put some effort into creating a complex password, the website you created it for didn’t invest nearly as much effort in keeping it safe. In some cases, the passwords stolen were originally stored “in the clear”, ie. not encrypted.
What this means for you:
Sadly, the industry as a whole is still scrambling to come up with a solution to the failure of passwords as a security mechanism. So far, the best some sites can offer is 2 or 3-factor authentication, and as can be surmised from the lackluster adoption of this form of protection, most people will opt for the simpler, less secure method when they aren’t required to do otherwise. As for what to do about the above? Go out there and change your passwords on all your important accounts, and enable 2-factor where available, especially on your critical business services like email, banking and file-sharing sites. It’s highly likely one of your passwords is part of this huge hacker database, and it could be used against you very soon.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Any day we can take a purveyor of child pornography off the streets is a good day in my book. In this case, we can thank Google for discovering a Texas man sending images of child sex abuse through his Gmail account. As you might have guessed, a search algorithm rather than a human spotted the transgression and sent an alert to the National Center for Missing and Exploited Children, who then tipped off local authorities. According to Google, this is the only criminal activity they actively scan for within Gmail, and the search relies heavily on a large database of known illegal images maintained by NCMEC against which comparisons are made.
What this means for you:
In the case of child pornography, I’d say that just about any method used to catch perpetrators is justified, but as many pundits and security analysts point out, this practice teeters precariously on a knife edge of ethics. Telecommunication service providers like Google are required to inform law enforcement of suspected child abuse whenever it is made aware of such activity within its systems, but that word “aware” is ill-defined in today’s age of artificial intelligence, big data analysis and search algorithms. Does a search algorithm matching mathematical hashes on images constitute “awareness”? Should this same algorithm be used to look for other serious crimes? What about petty crimes? Does talking about a crime constitute the commission of a crime? What happens if someone hacks your account and sends out a bunch of disgusting images in an attempt to get you arrested? All the more reason to keep your passwords strong, unique and very, very safe. Oh, and don’t use email to commit or plan out crimes, because even though Google says they are only watching for child pornography, you can bet other agencies are looking at everything. Heck, maybe you should just not commit crimes at all, mmkay?
When it first occurred, connecting things to the internet seemed more like a gimmick than anything practical. Remember that fridge that was supposed to know when you need to buy more milk and would email you a reminder? Even though that particular concept still hasn’t really caught on (though it should!) plenty of other things in our houses and workplaces are connected to the web, to the point where we don’t even consider it gimmicky anymore. Cars that can be started via an iPhone app? Sure! Security cameras that text you when they detect motion? Why not? How about thermostats and lighting that can be adjusted via wifi? Done! Except for a “little” problem: this growing “internet of things” is just as bad (if not worse) at security as the rest of the internet. A security study by technology giant HP took a look at the 10 most popular internet-enabled devices and discovered each device had at least 25 security vulnerabilities that could lead to terrible things.
What this means for you:
Most of my clients have a healthy respect (if not fear) of the internet and its tireless ability to invade your privacy, and typically make more informed choices than the general public, but as more and more devices come “connected” right out of the box, it’s easy to fall into the convenience trap of plugging the thing in and moving on to the next item on the to-do list. What this will eventually mean is people are surrounding themselves with devices that, taken as a whole, can provide an incredible amount of detail about their supposed “private” life. And those devices are all connected to the internet. Unless manufacturers starting upping their security standards (or the market forces them to), we may all find ourselves living a rather exposed existence. So the next time you are considering a device that is “internet” enabled, consider whether or not you are ready (and willing) to understand exactly how that device secures itself from hacking, and whether its worth the convenience.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there are a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the apps identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
Did you know that if you jailbroke your iPhone (or any locked smartphone) without your mobile carrier’s permission anytime between early 2013 and now, you were actually breaking a federal law? That’s right, due to an expired clause in the Digital Millenium Copyright Act, it’s actually illegal to unlock a smartphone you own. This bit of nonsense was courtesy of a Congress that was deadlocked on just about every issue big or small, so it’s no surprise that only just now they are getting around to fixing an issue that both the FCC, Whitehouse and even mobile carriers recognized was just plain wrong.
What this means for you:
The “Unlocking Consumer Choice and Wireless Competition Act” was passed by Congress on July 25 and is now awaiting the President’s signature, but the impending law seems like a token gesture in response to what is now more of a symbolic stance from a vocal minority of smartphone users. In the intervening 18 months, the mobile marketplace has seen a fierce rise in competition, including some carriers offering to pay off early termination fees to woo customers away from the competition. Most carriers now also offer plans that incorporate no-penalty upgrades to new hardware, another incentive to not bother unlocking phones or switching carriers. And to top it all off, the CDMA/GSM network divide continues to limit your unlocked phone to a single alternative (if you want nation-wide coverage).
The carriers, even though they “allow” you to unlock your phones once your contract has expired, still do not always make the process easy, nor is it always a simple technical process, especially on the Android platform. In the end, if you aren’t already a veteran jailbreaker, you are better off interrogating the salesperson at your local carrier store about upgrade options and no-contract plans rather than worrying about whether you can take your phone over to the other guys.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Normally I don’t blog about rumors, but this one is just too good to pass up. Leaked screenshots of Windows 9 show what looks like the return of the much missed Start Menu that has been a staple of Windows computing since Windows 95. Do you really need to know anything more about Windows 9? OK, how about the fact that Microsoft seems to be stepping back from their bold push with the Metro interface – you know, the start-up screen with all the tiles that everyone immediately skips past to use the “old-fashioned” desktop interface.
What this means for you:
For the majority of my clients, I’ve been recommending sticking with Windows 7 unless you have an utterly compelling business reason to get a computer with Windows 8. I’ve been using Windows 8 for the better part of a year, daily, and the only way I find it usable is to boot into desktop mode and essentially use it like a Windows 7 computer. And this is from a guy who lives and breathes technology change! Keep in mind that Windows 8 features a lot of under-the-hood changes that considerably improve every aspect of the OS (security, speed, efficiency etc.), however they are all overshadowed by the changes made to the user interface that were too jarring and counter-productive (and under-utilized) for the average business user. And let’s face it, if you work for a large company, your IT department probably just finished upgrading everyone to Windows 7 only a year or two ago, so you are probably only just now getting over the switch from XP to 7. Just like you skipped over Vista, you may want to give Windows 8 a pass and wait until 2015 for Windows 9.
Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, wifi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a pin or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s strangle-hold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
If you had asked me 10 years ago whether something like this would ever happen, I’d have had a good laugh and then asked you to share whatever it was you had been drinking. But here we are, 2014, and strange bedfellows Apple and IBM have announced a “landmark” partnership in pursuit of enterprise business. And just like a Disney fairytale or the famously delicious chocolate-peanut butter confection, it turns out the mis-matched pair were made for each other after all.
Let me ‘splain:
You may have noticed that Apple, despite the proliferation of iOS devices throughout the business world, has, up until now, remained staunchly consumer focused. The primary plank in its branding was to demonstrate just how “not corporate” its devices were. Conversely, can anyone remember a time when IBM was ever viewed as anything but the epitome of big business? You can bet Apple is painfully aware of how much money it’s leaving on the table by not playing in the corporate and enterprise space, and IBM is just as painfully aware of how “not sexy” its current service offerings are. If you’ve ever used enterprise software (SAP, Oracle, Peoplesoft, etc.) then you know just how awful the experience is. Now imagine Apple lending its design sensibilities to a UI that interfaces with IBM’s monstrously powerful back office software – and oh, by the way, you can use it on this shiny iPad? Move over Brangelina, here comes the new “power couple” of the decade!
A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms, and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that once connected to a company’s corporate network targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.
What this means for you:
It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms who bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point that we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.