One of my favorite bits of advice regarding suspicious emails is to encourage the recipient to pick up the phone and call the company that supposedly sent the email to see if it’s legitimate. Unfortunately that advice isn’t as valuable as it once was. Cybercriminals have broadened their repertoire to include fake customer support numbers for popular internet services, such as Netflix. This particular scam relies on a very common advertising vehicle: companies can buy search ads that look very much like the top organic result in both Google and Bing. Potential victims who use a search engine to find the customer support number for Netflix are shown ads carrying fake support numbers, and many searchers mistake the ad for the legitimate search result. The phone call to the phony help desk quickly escalates into the customer’s computer being “infected” with fake viruses, followed shortly by demands for cash to clean up the supposedly compromised computer.
What this means for you:
The internet veterans among you know how to tell the advertisements from the actual search results on Google and Bing, but there are just as many who do not realize there is a difference. This particular scam counts on that, on top of victimizing people who are already in some form of technology distress. If you count yourself among the search-engine savvy, make sure you educate those close to you on how to separate the ads from the search results, and show them how to find the right support phone numbers for the important services they use: from the company’s own website, a bill, or the back of a card, never from a search ad. This may be particularly useful to aging family members, who are targeted specifically because of their unfamiliarity with technology and their trust in phone technicians who sound like they know what they are doing.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In December 2013, French security researcher Eloi Vanderbeken uncovered what appeared to be a backdoor programmed into several models of DSL routers. The affected devices were built around hardware manufactured by the Taiwanese company SerComm, and the finished products were sold under several well-known brands including NETGEAR, Linksys and Belkin, to name a few. The backdoor allowed anyone who knew about it and had network access to the router (say, through a nearby Wi-Fi access point) to gain administrative access to the device, which could lead to a complete takeover of the network it controls. Now, several months later, this backdoor is not only NOT fixed, but in updated firmware it has been purposefully concealed behind the digital equivalent of a secret knock, which, once given, reopens the backdoor to the same level of exploitation discovered in December.
What this means for you:
If you own a DSL router, check this list to see whether your model appears on it. If it does, I recommend replacing it immediately; do not count on a firmware update, since the updated firmware is where the “secret knock” turned up. Even if your model is not listed, check whether your router is among the many models that are compromised in other significant ways. If you happen to be among the fortunate who use a router on none of these lists, you should still review the device’s security settings and passwords (change the default administrator password, and disable remote administration from the internet unless you actually need it), and if you don’t know how to configure or even access your router, get someone who does to review it for you. The router is the front door to your home or business network, and you should not trust your security to something that can be easily broken down or opened with a readily available master key.
Image courtesy of creativedoxfoto / FreeDigitalPhotos.net
Security researchers have discovered that iOS devices that have been “jailbroken” are being targeted by a piece of malware, dubbed “unflod”, that collects the Apple ID login and password used on the device and transmits them to attacker-controlled servers. While jailbreaking iPhones or iPads isn’t something the majority of iOS users will do (not least because it voids your warranty), a meaningful percentage of users (2% in early 2013, or nearly 7 million devices) do jailbreak their devices. Even if the actual count of phones vulnerable to this threat is somewhat less than 7 million, it’s still a big enough target for identity thieves.
What this means for you:
If your iOS device isn’t jailbroken, you don’t have to worry about the unflod malware. If you have an iPhone 5s, iPad Air, or iPad mini 2, you don’t have to worry about this particular attack either, even if the device is jailbroken, as the malware currently in use doesn’t work on the 64-bit operating system those devices run. Unflod appears to be picked up through certain system tweaks that can only be applied to jailbroken, 32-bit devices, and only then if the tweaks are sideloaded from somewhere other than Apple’s official App Store or Cydia, the “unofficial official” app store for jailbroken devices. In other words, if most of the words in this article don’t make sense to you, you probably won’t be affected by this malware.
HOWEVER, if you’ve ever considered jailbreaking your iOS device for whatever reason, let the above serve as a cautionary tale: be sure you know what you are doing, back up your important device data, and seriously consider whether you really need a jailbroken iPhone. While this malware requires a specific set of circumstances that affect only a very small percentage of users, jailbreaking a device should only be done by someone willing to take on an increased risk of compromise and fully prepared to troubleshoot their own device issues.
Heartbleed continues its rampage across the internet. There are too many stories to tell and too little time. Read on only if you have the stomach for it.
- Networking companies Cisco and Juniper have revealed that several dozen models of their hardware devices are affected by the OpenSSL security flaw known as Heartbleed. To see if any of your networking products made the list, Cisco’s advisory can be found here, and Juniper’s here.
- Two sources close to the NSA allege that the spy agency has exploited Heartbleed since it first appeared over two years ago.
- Android smartphones and tablets running version 4.1.1 of the Google operating system are vulnerable to the bug. According to Google, this may affect less than 10% of all Android devices, but given that there are nearly 900 million Android OS devices, that still means millions.
- The vulnerability was used to steal 900 taxpayer IDs from the Canada Revenue Agency.
What this means for you:
The security implications of the Heartbleed vulnerability are staggering and very difficult to take in. Now, more than ever, you must keep a close eye on your digital assets and accounts. Confirm with your financial institutions whether they were impacted by the bug (most major commercial banking institutions did NOT use OpenSSL), and if they were, wait until they confirm that they have fixed it before changing your password. Do NOT use any software or website confirmed to be affected by Heartbleed until it has been patched, even to change your password: while the vulnerability still exists, there is a good possibility that attackers can read your new password out of the server’s memory as you set it. Right now, because of the spotlight on this hole, attackers are racing to exploit the panic and confusion, and you are more likely than ever to be hacked. Wait until a site confirms it has patched the hole before using it to change your password.
Keep in mind that many, many organizations are still working through the impact this bug has on their technology, and many are just as confused as you might be. There will continue to be a lot of uncertainty, and possibly panicky responses from company representatives who are ill-informed about their company’s official stance on Heartbleed. The vulnerability affects a technology that is sophisticated and not easily explained, and even the most eloquent technology professionals struggle to convey the problem and its solutions in easy-to-understand terms. During these uncertain times, constant vigilance is the only weapon many of us have, so keep your eyes open and your IT consultant on speed-dial!
Researchers from Google and the security firm Codenomicon released details yesterday of a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, the vulnerability is in a code library called OpenSSL, a tool used by the great majority of Linux-based web servers, and it may have existed for as long as two years before being discovered this past weekend. In a nutshell, the weakness allows an attacker to read critical bits of information out of an affected server’s memory, up to and including the cryptographic “keys to the kingdom” for that server. And unfortunately, exploiting it leaves no trace in the server’s logs, so there is no way to tell after the fact whether it was exploited, nor what, if anything, was stolen.
What this means for you:
You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full disclosure: C2’s own website had this bug up until late last night, when the server was patched.) And by large, I mean websites like Yahoo Mail. Essentially, the weakness lets an attacker request a small segment (up to 64 KB per request) of the server process’s live memory and read its contents, which could be just about anything present at the time, up to and including user passwords, session cookies, or the server’s private key, which can be used to decrypt traffic the server has encrypted. The memory itself is not encrypted; it is the server’s working data in the clear. Alas, because there is no way to tell when or even if a Heartbleed exploit has occurred, there’s no way to tell if anyone, or everyone, has been compromised in some form by this hole.
Fortunately, the media seems to be grasping the severity of this problem and has broadcast the story across every website. Unfortunately, this may prove to be a double-edged sword, as both server administrators and attackers scramble to get to the unprotected server memory first. Note too that patching OpenSSL is only half of a proper fix: because the server’s private key may already have been read, the site should also replace its key and certificate and revoke the old one. For any online service you use that relies on HTTPS or other forms of encryption, watch for announcements and news from that service, either acknowledging and fixing the bug or assuring customers that they are not affected. Either way, it’s always a good idea to never use the same password in more than one place, and to keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.
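To make the mechanism concrete, here is an added example, written for this post and not taken from OpenSSL itself, that models the bug in C. It assumes a single static “arena” standing in for the server process’s heap (the received heartbeat record at the start, with a constructed secret placed right after it, as stale session data would sit on a real heap), and it contrasts the original, trusting length handling with the check the April 2014 patch added. The function and variable names are this example’s own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the TLS heartbeat handling that contained Heartbleed.
 * This is illustrative code for the article, not OpenSSL's source. A single
 * static 'arena' stands in for the server process's heap: the received record
 * sits at the start, and a secret the server never meant to send sits right
 * after it. Keep claimed payloads + 3 <= ARENA_SIZE so every read stays inside
 * the model's memory.
 */

#define ARENA_SIZE   512
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=constructed-secret-cookie-value";   /* constructed */

/* Place the record at the start of the arena with the secret directly after it. */
static void build_arena(const unsigned char *record, size_t record_len)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, record, record_len);
    memcpy(arena + record_len, secret, sizeof secret);
}

/* Craft a heartbeat request whose header claims 'claimed' payload bytes but
 * which actually carries only 'actual' bytes (plus the mandatory padding). */
static size_t craft_request(unsigned char *buf, unsigned int claimed, unsigned int actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 'P', HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/*
 * Process one heartbeat record. 'rrec_len' is the number of bytes actually
 * received. Echoes the payload into 'out' (which must hold 3 + 65535 + 16 bytes)
 * and returns the number of payload bytes echoed, or -1 if the record is rejected.
 * With apply_fix == 0 this reproduces the bug: the copy length comes straight
 * from the attacker-controlled header and is never compared with rrec_len.
 */
static int process_heartbeat(const unsigned char *rec, size_t rrec_len,
                             unsigned char *out, int apply_fix)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* declared length */
    p += 2;

    if (hbtype != HB_REQUEST)
        return -1;

    if (apply_fix && 1 + 2 + payload + HB_PADDING > rrec_len)
        return -1;   /* the fix: the declared payload must fit inside the received record */

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);   /* over-reads adjacent memory when payload > bytes received */
    return (int)payload;
}

/* Does 'hay' (len bytes, not NUL-terminated) contain the secret string? */
static int contains_secret(const unsigned char *hay, size_t len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Attacker's request: claims 'claimed' bytes but sends only 4. Returns 1 if the
 * response leaked the secret, 0 if it did not (or the record was rejected). */
int heartbleed_leaks(unsigned int claimed, int apply_fix)
{
    unsigned char req[64], out[3 + 65535 + HB_PADDING];
    size_t len = craft_request(req, claimed, 4);
    build_arena(req, len);
    int n = process_heartbeat(arena, len, out, apply_fix);
    return n > 0 && contains_secret(out + 3, (size_t)n);
}

/* Honest request: claims exactly what it sends. Returns the number of bytes echoed. */
int honest_heartbeat(int apply_fix)
{
    unsigned char req[64], out[3 + 65535 + HB_PADDING];
    size_t len = craft_request(req, 4, 4);
    build_arena(req, len);
    return process_heartbeat(arena, len, out, apply_fix);
}

int main(void)
{
    printf("unpatched, 200-byte claim: secret leaked = %d\n", heartbleed_leaks(200, 0));
    printf("patched,   200-byte claim: secret leaked = %d\n", heartbleed_leaks(200, 1));
    printf("patched,   honest request: echoed %d bytes\n", honest_heartbeat(1));
    return 0;
}
```

The point to take away is how small the defect is: one missing comparison between a length the client claims and the length the server actually received. The unpatched path happily copies 200 bytes when only 23 arrived, carrying the neighbouring “secret” back to the requester, while the patched path rejects the malformed record and still answers an honest one. On a real server the over-read reaches whatever happens to sit next to the record buffer, which is why the 64 KB that a single request can pull back is such a lottery for the attacker.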
In case you haven’t heard, about a third of the world’s computers are about to lose official support from Microsoft on April 8. Any computer running Windows XP will no longer receive updates or fixes for any vulnerabilities discovered after the cutoff date. Microsoft will continue to provide limited support for its XP-compatible security products, like Security Essentials (their free anti-malware product), but that is set to end sometime in 2015. Most antivirus manufacturers have stated that they will continue to support XP-compatible versions of their apps into 2016, but without core patches to the XP operating system, their efforts will be merely fingers in a deteriorating dike.
What this means for you:
Though you may not know it, your company or the vendors that service you may be heavily reliant on XP. Case in point: one of my clients relies on XP workstations to monitor environmental-control equipment (think air-conditioning and heating) and building automation systems. Some of the computers running these applications haven’t been updated in years, and in extreme cases the hardware is close to a decade old. Hardware failure aside, the end of support for XP means those computers will need to be replaced ASAP, which may be a cost you hadn’t considered in your 2014 or 2015 budget.
Windows XP computers are likely to turn up in places where they are used regularly but not by any single individual, and are thus overlooked during the regular upgrade process: kiosks (lobby directories, ATMs, silent radios), point-of-sale systems, document scanning stations, etc. Make sure you comb through your organization’s infrastructure for these computers, as they will become entry points into your entire operation and could lead to serious security breaches; until they are replaced, at minimum isolate them from the rest of the network and from the internet. Unfortunately, rectifying these obsolete workstations won’t be cheap or easy, especially if they power critical systems, but in some cases it may be possible to port XP-only applications to Windows 7 and run them in compatibility mode. Work closely with the vendors who supply this older software to determine what plans, if any, they have to bring their platform to Windows 7, and if they have none, it may be time to consider a new vendor or service.
It feels strange to be writing about Microsoft without mentioning a security loophole or zero-day exploit, but it is the day before April Fool’s after all. Fortunately for the iPad faithful, this isn’t a prank. On March 27, Microsoft launched iPad versions of its most used office productivity applications: Word, Excel and PowerPoint, all of them available for free download through the App Store. “What’s the catch,” I hear you say? You can use them free, forever, to view documents, but if you want to create or edit documents, you need a subscription to Office365.com, the cheapest of which is $70/year.
What this means for you:
The lack of any official MS Office software may have been one of the last tenuous barriers holding the iPad back from complete domination of corporate boardrooms. Long a favorite of executives but usually relegated to email-only duty because of this gap, Office for the iPad may allow the C-suite to completely cut the cord on the vestigial Windows laptops they have been “forced” to carry around for anything other than reading email. I also know a lot of road warriors who will view the new apps with a mix of joy and trepidation, as it will conceivably allow for more effective work-related use of their iPad on those cramped, coach-fare flights. The excuse of “not being able to edit that Word document during the flight because all I have is my iPad” just won’t cut it anymore.
In all seriousness, this also marks a significant change in vision for Microsoft, a company that up until the new CEO’s arrival had always put “Windows first”, even when that meant losing market share, as it has for so long in the iPad space. It’s still too early to tell whether this change in corporate values will lead to other products for other platforms (Office for Android, anyone?), but it is certainly a step in a new direction for the company.
Unless you’ve been living under a rock for the past year, you will probably leap to the conclusion that I’m writing about the government snooping that seems to permeate the internet these days. Unfortunately, another of the tech industry’s dirty little secrets is being dragged out into the light of day, and it’s something you’ve probably known all along but didn’t want to acknowledge: your email is not private. Microsoft recently underlined and highlighted this fact by releasing details of an investigation into an ex-employee’s attempt to sell confidential information. The individual in question was identified primarily through the contents of his Hotmail account, which Microsoft openly admits to reading. While this may seem a blatant and gross invasion of privacy (it is), it’s also well within Microsoft’s rights as outlined in the Terms of Service every single customer agrees to when creating and using the free webmail account.
What this means for you:
Before you think this is a Microsoft-bashing party, Google and Yahoo have the same sort of Terms of Service, as does just about every other email provider out there. They can read your email any time they want to, and they don’t have to get a search warrant the way law enforcement supposedly must. They own the equipment, software and data services that deliver your email, and they assert openly in the Terms of Service, in one way or another, that your email is not yours to keep private. You might also want to review your employer’s information security policy: it’s highly likely that it advises you that any email transmitted through company servers is company property and subject to review at any time. This is nothing new; policies like this have been around since email first came into use in large organizations that could afford lawyers.
The only way to keep the contents of email truly private is end-to-end encryption (PGP or S/MIME, for example), so that the provider relays only ciphertext it cannot read; most people find it daunting to set up and inconvenient to use, and even then the sender, recipient and subject line remain visible to the provider. Until there is a radical change in how we communicate on the internet, the only way to truly keep things away from prying eyes is to not put them on the internet in the first place.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Microsoft has released a security advisory warning of a new zero-day weakness that is currently being exploited on the internet. Depending on how you interpret their choice of wording, “targeted attacks”, the scale seems to be relatively limited for the moment, but given that the affected application is Microsoft Word and the flaw is not limited to a specific version, the potential attack surface is huge. And it gets better: the delivery mechanism is a specially crafted RTF file that, once opened, can lead to the targeted machine being completely compromised. While RTF files aren’t as widely used as the default “.doc” and “.docx” formats, they are used to move documents between Word and other word processors like WordPerfect, LibreOffice, OpenOffice and Apple Pages.
What this means for you:
Microsoft has issued a temporary Fix-it that simply disables Word’s ability to open RTF files; as of this moment there is no ETA on a proper patch delivered through Windows Update. We recommend applying the Fix-it if you are at all unsure what an RTF file is or how to tell it apart from other Word and email formats.
The most exposed user is actually someone who reads formatted email in Outlook, because Outlook 2007 and later use Word as their email reader by default: merely previewing a malicious message in the reading pane can be enough, with no attachment opened. If you use Outlook, apply the Fix-it, and consider setting Outlook to read all mail as plain text until a patch ships. For Word users, don’t open RTF files, even if they come from a trusted source, and don’t send any RTF files, as your recipients may be exercising the same caution. If you have to exchange data using RTF, communicate thoroughly with your recipients and exchange the files over a channel other than email, primarily so there is no chance they could mistake a trojaned RTF for a legitimate file.
From the moment it was announced, Google Glass has been a favorite target in the growing privacy debate in our always-online and increasingly less-private society. Initially, privacy advocates worried that Glass wearers could record others without their permission or even awareness. Now we also have to worry about the device itself falling victim to remote-access malware, like we recently wrote about here and here. Grad students from California Polytechnic have created a trojan application that purports to be a note-taking app but instead takes photos without the wearer’s knowledge, capturing an image every 10 seconds while the device appears to be off and uploading the photos over Glass’s built-in data connection to a destination that could be anywhere on the internet.
What this means for you:
Before you go running for the pitchforks and torches, the app was created as a proof of concept to demonstrate a key weakness in Google Glass’s current operating system. Taking pictures while the device reports itself as “off” is a violation of Google’s Terms of Use for the device, but that TOU is completely toothless, because the OS in its current state cannot enforce the restriction. Worse still, the app made it through Google Play’s screening process and was available for a short while on the official app store. It might still be there if the students’ professor had not tweeted about it, prompting Google to pull it for TOU violations. Google’s position is that this is a desired outcome, and the reason Glass is still limited to developers and the early-adopter (aka beta tester) program called Glass Explorers.
I’m fairly certain the students in question weren’t the first to dream up this concept, and you can bet that attackers with far more nefarious intent are impatiently waiting for the inevitable arrival and widespread use of wearable technology. The laser-hot focus of the privacy debate may be on the NSA and Ed Snowden’s disturbing revelations for the moment, but it seems the government isn’t the only one spying on us. In the words of the sage Walt Kelly (of Pogo comic strip fame), “We have met the enemy, and he is us.”