Customers of Comcast’s Xfinity broadband service are slowly coming to discover that their new in-home routers are being used as wi-fi hotspots for any other Comcast customer within range of the router. Comcast introduced the service in mid-2013, but seems not to have taken great pains to ensure that its customers understood exactly what the service was. Many consumers just assumed when Comcast said “hotspot” that it meant they would now have wireless internet in their home. The new routers do provide that feature, but they are also programmed by default with another wi-fi network labeled “xfinitywifi” which can be accessed with any current Comcast account login and password.
What this means for you:
If you are a new Xfinity subscriber, or had your Comcast router replaced in the past 6 months, your new equipment may be providing this hotspot. Anyone with a Comcast account can use your hotspot to access the internet. Keep in mind, this doesn’t require them to actually be the account owner – all any wi-fi device needs is that account’s login and password. Assuming they know it, anyone can use that login information anywhere an Xfinity hotspot exists.
Regardless of how savvy you are with your home equipment, you can’t disable this feature yourself – you have to call Comcast to have them turn it off. According to Comcast, the impact on your bandwidth of providing this hotspot should be minimal, and it is helping them provide more accessible wireless bandwidth to other Comcast customers in your neighborhood. The question you need to ask yourself is whether you feel it’s appropriate for Comcast to use equipment in your house as an extension of services provided to people you don’t know.
It’s still too early to tell whether having a hotspot on your home network is inherently less secure, but think of it like this: Imagine your property sat in front of a popular amusement park. The amusement park has asked if they can provide an entrance to their park that requires customers to traverse your property via a secured walkway. They promise they will keep your property completely safe, private and separate. Would you allow that walkway?
One of the most effective malware infection vectors in use on the internet is what’s known as the “fake antivirus attack”. Upon visiting a compromised website, even one that is supposedly legitimate like the DailyMotion (not linked for obvious reasons), a pop-up is displayed that warns the user that their computer is infected, and offers to clean up the infection. Clicking on that button typically leads to the actual infection, which usually starts out as an annoying infestation of adware and popups, and will typically escalate into a barrage of more malware, up to the incredibly vicious rootkits and ransomware which will render your computer inoperable, your data irrecoverable and your identity, bank accounts and credit rating at serious risk.
How do you spot the fakes? Unfortunately, it’s becoming increasingly difficult, as the cybercriminals are now investing more effort into making these counterfeit warnings look like the real thing. In the case of the DailyMotion vector, the pop-ups were designed to look like Microsoft’s own widely-used and competent Security Essentials antivirus software, a product that I install on many of my clients’ computers. At first glance, the pop-up does a passable rendition of the real software, and someone not paying attention could easily be fooled. If you want to see what this type of pop-up looks like, and the resulting infection, watch this short video produced by Invincea, a security software company based in Fairfax, VA.
What this means for you:
Even hardened internet travelers might be taken in by well-crafted popups, but there are certain ways to tell if it’s a fake:
- Your antivirus software won’t require you to install an EXE to perform the scan. It’s already installed. If it was a legitimate warning, clicking the button would start the scan, and not a download of software. Windows Vista and up will stop and ask permission to run any executable, even ones from legitimate companies, so if you see your OS asking if it’s OK to install this program, stop what you are doing immediately.
- Close your browser and any windows associated with it. Close any open programs. Manually start your installed antimalware software by selecting it from the Start Menu, or from the System Tray in the lower right of your screen. Run a full scan. Even if everything comes up good, remain vigilant!
- Fake pop-ups also come in the “Your software needs to be updated to view this website” variety. The most common variant of this is Adobe Flash. Again, close all windows, manually relaunch a web browser and visit the software manufacturer’s website to find out if an update is available for your software.
Still unsure? Note the website URL that triggered the questionable pop-up, take a screenshot if you can, and call your IT professional for further advice.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
If you thought you were the only one still using Windows XP, you are still in good company despite Microsoft’s widely publicized plan to end official support for the operating system in April of this year. NetMarketShare.com’s January 2014 report on installed desktop operating systems shows that an estimated 30% of the world’s computers are still using Windows XP, an operating system that is now approaching 13 years of age. NetMarketShare bases its statistics on metadata gathered by 40K websites around the world, so it’s also likely that this percentage may actually be slightly higher, as many XP machines are likely being used in legacy systems that do not require internet access to function.
In case you were wondering what that 30% equates to in actual numbers, there are an estimated 1.5 billion computers in use today. Based upon that number, it’s possible that several hundred million computers may continue to run an OS that will no longer get security updates from Microsoft, a number that has security analysts everywhere hyperventilating. Even though most anti-malware vendors will continue to provide support for XP, it will become increasingly difficult for them to remain effective on an OS that Microsoft itself is abandoning.
What this means for you:
If you were thinking, “Well, this doesn’t impact me, I’m on Windows 7/8,” think again. Many cyberattacks are driven by zombified PCs that have been gathered together into “Botnets” that can focus an incredible amount of processing power on anything they are rented to do, including sending out millions of phishing emails, spam and other nefarious activities. In the current state of desktop security, it’s commonly held wisdom that being targeted by a cyberattack is not a question of “if”, but of “when”. Cybercriminals rely on compromised resources to do much of their dirty work, and their arsenal could become radically reinforced by the millions of computers still running XP, especially now that it will no longer be patched by Microsoft after April. If you are still operating PCs with Windows XP, you should seriously consider upgrading those systems to a more modern OS if possible, and if an upgrade isn’t possible, replace them ASAP, as they will become an increasing liability for your organization.
Late last year, the Internet Corporation for Assigned Names and Numbers (ICANN) announced that they were opening up registration for more top level domains on the internet. Starting next week, the familiar “.com”, “.edu” and the other 20 well-known TLDs may be joined by as many as 1900 new domains over the course of the next few years. Among the first that will be released for use will be “.book”, “.bike” and “.wed” as well as specific corporate domains for large companies like “.apple”, “.google” and “.ford”.
What this means for you:
If you already work for a company with a well-established and/or well-known domain, your marketing folks (and the lawyers) may explore the new TLDs primarily to protect the company’s brand from competitors or domain squatters. They should know that as part of the introduction of more TLDs, ICANN has also introduced a new trademark clearinghouse where infringement challenges can be handled before the legal knives come out. If you are in the process of establishing your online identity and have been under the impression that all the “good” domain names have been taken (for TLDs like “.com” they have, for the most part), the new TLDs may present an opportunity for certain businesses and creative marketers.
However, some industry analysts are worried that the proliferation of TLDs may just lead to more confusion and uncertainty on the internet for the majority of users. For example, once “.google” goes live, when I want to search for something, do I go to “google.com” or “search.google” or “www.google” or “google.google”? My guess, at least with Google, is that all of those will work, but imagine trying to tell your grandmother the difference between them (there might be!) or why there is more than one URL, especially after you finally got her to start using Google in the first place. It’s too soon to say, but given how confusing the internet is now, one thing it’s not likely to simplify will be internet security.
Image courtesy of jscreationzs / FreeDigitalPhotos.net
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if you don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probably the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual, coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that are being generated based upon information gathered on the internet from sites like Facebook and LinkedIn, making it harder and harder to spot the fakes in your email.
Password manager app maker SplashData released its annual report on the worst passwords of the year, and despite all the hype cybercrime is getting even in mainstream media, it seems that many, many people still don’t take passwords seriously. For better or worse, passwords are one of the few security measures we have in technology that stand between us and the cyber outlaws, but passwords like “123456” – the most popular password of 2013 – are the equivalent of painting a big red target on yourself. “123456” unseated the defending, 2-year champ “password” which fell to second place.
What this means for you:
Unless you have a better means of security such as biometric scanners or 2-factor devices, passwords are a fact of digital life, and if you value anything of your digital life, you should use a strong password and not something that is easy to type. It doesn’t matter that you use strong passwords where it matters – security is only as strong as the weakest password, and just like water, hackers will take advantage of any weak spot to flood into your life. If anything, read through this list of bad passwords and use them as a guide of how NOT to secure your technology. Better yet, make sure your favorite password isn’t on that list, because it will only be a matter of time before you find yourself (and possibly others around you) compromised.
Curious about how strong your password is? Be careful of visiting just any “password strength meter” website – double check the domain, and look for someone you trust. Here are two reputable sites. If you’ve been paying attention, you already know to roll-over and check where these links lead before clicking on them:
- Microsoft’s Password Strength Checker
- Intel’s Password Strength Checker
- Password Strength Testing Tool | Bitwarden
- How Secure Is My Password? | Password Strength Checker (security.org)
“Keep your area clean.” You’ve been hearing it all your life. First, no doubt from your mom or dad, and then from your teachers. You’ve probably heard it throughout your professional career, and possibly offered it as guidance yourself to others. Regardless of how tidy you are in your physical space, I’ve only encountered a lonely few who also keep their digital space clean. Cheap, large hard drives and superfast searching have allowed us to sprawl digitally all over the place, and just like Nature abhors a vacuum, cyberspace will expand to fill all empty gigabytes when you aren’t watching. In one extreme case (that will probably go down in my personal record books!) I encountered a client whose nearly full one-terabyte hard drive (1000 gigabytes) was over half full with junk and temporary files. That’s nearly 500 gigabytes of wasted space! Aside from the lost storage space, there was another, even more critical issue caused by all those useless files.
What this means for you:
Well-written and properly configured internet programs, such as web browsers, will regularly keep their areas (browser and history caches) containing those temporary files clean, but sometimes they don’t. In the case of the above client, the 500 gigabytes of junk was created over time by a browser and operating system malfunction, and then exacerbated by a virus infection. The result was tens of millions of small files that the antimalware software had to scan every time it was checking for viruses. If you thought a regular anti-virus scan was painfully slow, multiply that by 100 and that’s what was happening on the machine in question. As you can imagine, the antimalware software (and the computer in general) just gave up and stopped working properly, leading to further infections and actual damage to the filesystem. How can you avoid this?
- Make sure your web browsers are keeping their caches tidy. Here’s an all-encompassing guide on how to do that.
- Always keep an eye on your available hard drive space. A good rule of thumb is to keep a minimum of 20-30GB free at any given time. If you suddenly start running low, there might be a problem.
- Know the approximate size of your document space and evaluate whether it makes sense for what you do, and what you are required to maintain. Office documents typically aren’t very large on average (thousands of them can easily fit on a 16GB thumb drive), but high-res photos can easily be several hundred megabytes. If your document space seems unexpectedly large, you might have a problem.
- Don’t interrupt your anti-malware scans. If they are taking too long, note where they are getting stuck, pause the scan, clean out the affected area (usually temp files as mentioned above) and see if scan times improve. They should, even if the total space cleared doesn’t seem to be much. Browsers create thousands of tiny temp files every day, and if they aren’t cleared properly, they add up really fast.
In a worst-case scenario, where millions of files have built up in a temporary folder, removing them could take hours, even days, as was the aforementioned case. Luckily for the client, I didn’t bill straight hourly, otherwise the cure would have been worse than the disease. Savvy technicians will have tools at their disposal to help clean up cluttered and infected drives, but when there are millions of useless files there are only two ways to clean it up – delete those files one at a time (via scripts, of course), or nuke the whole drive from orbit, i.e. re-format. There are advantages and disadvantages to both approaches, so make sure you discuss which option makes the most sense for your data and your budget.
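The two checks from the list above that lend themselves to a script are watching free disk space and finding the folder where small files are piling up. This added example (not part of the original post) does both; the 20 GB floor comes from the rule of thumb above, while the per-folder file-count threshold and the demo folder names are assumptions chosen for illustration.

```python
import os
import shutil
import tempfile

MIN_FREE_GB = 20  # rule of thumb from the post: keep at least 20-30GB free


def survey(root):
    """Return {subfolder: (file_count, total_bytes)} for each folder directly under root."""
    totals = {}
    for entry in os.scandir(root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        count, size = 0, 0
        # onerror swallows unreadable folders so one bad directory does not stop the survey
        for dirpath, _dirs, files in os.walk(entry.path, onerror=lambda err: None):
            for name in files:
                try:
                    size += os.lstat(os.path.join(dirpath, name)).st_size
                    count += 1
                except OSError:
                    pass  # file vanished or is unreadable; skip it
        totals[entry.name] = (count, size)
    return totals


def flag_cluttered(totals, max_files):
    """Names of folders holding more than max_files files, worst first."""
    over = [(count, name) for name, (count, _size) in totals.items() if count > max_files]
    return [name for _count, name in sorted(over, reverse=True)]


def low_on_space(path, min_free_gb=MIN_FREE_GB):
    """Return (is_low, free_bytes) for the drive that holds path."""
    free = shutil.disk_usage(path).free
    return free < min_free_gb * 1024 ** 3, free


def build_demo_tree(base):
    """Constructed sample: a 'cache' folder full of tiny files beside a small 'documents' folder."""
    os.makedirs(os.path.join(base, "cache", "sub"))
    os.makedirs(os.path.join(base, "documents"))
    for i in range(250):
        folder = "cache" if i % 2 else os.path.join("cache", "sub")
        with open(os.path.join(base, folder, "tmp%04d.dat" % i), "wb") as fh:
            fh.write(b"x" * 10)
    for i in range(3):
        with open(os.path.join(base, "documents", "report%d.doc" % i), "wb") as fh:
            fh.write(b"y" * 1000)


def demo():
    """Survey the constructed tree and return (totals, flagged folders)."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        totals = survey(base)
        return totals, flag_cluttered(totals, max_files=100)


if __name__ == "__main__":
    totals, flagged = demo()
    for name, (count, size) in sorted(totals.items()):
        print("%-10s %6d files %8d bytes" % (name, count, size))
    print("cluttered:", flagged)
    print("low on space: %s (%d bytes free)" % low_on_space(os.getcwd()))
```

On a real machine, point `survey` at a user profile or temp directory and raise `max_files` to a figure that makes sense for that system.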
Though it sounds crazy to hear it, I’m pretty sure I’m not the only technology professional who wishes computer security was as easy as flipping a switch. Fixing broken technology is a major part of how I make a living, and nothing breaks technology like security breaches. In fact, I don’t want anyone to get infected, hacked or for their data to get corrupted, just like doctors don’t want to see their patients get sick. In keeping with the medical metaphor, there are technology guidelines and practices that can act as preventative medicine for your technology lifestyle. Here are ten suggestions that I hope you will resolve to follow to keep your technology streamlining and not derailing your path to success.
- Put a password or PIN on your smartphone. This bears repeating over and over. I know it’s inconvenient, but think of how inconvenient it will be if someone got ahold of your unsecured smartphone and used it to access your private information, or worse, your clients’ information.
- Encrypt your mobile devices and thumb drives. If your device happens to fall into unknown hands, encryption provides a layer of protection that will discourage casual data thieves. In the case of certain smart devices, it may even give you time to remotely wipe and deactivate the device. Certain types of data (especially confidential client or customer information) should always be stored with strong encryption.
- Open attachments and links from emails with extreme caution. The most common vector of infection is via email, either by opening attachments or clicking links to compromised websites. Even if the email comes from someone you know, pay close attention to every aspect of the email for hints that it may be a fake, and if you are at all uncertain, pick up the phone or delete it and ask the sender to resend the email.
- Check your anti-malware software regularly. I know plenty of people who know they have anti-virus installed, but don’t know the name of the product, whether or not it’s up to date, or even if it’s working. Check your antimalware at least once a week to make sure it’s updating and if it’s caught anything recently.
- Don’t allow unsupervised, non-professional use of your computer. Originally, this rule was about keeping work and personal use completely separate, but I realize that is near impossible these days, so I amended it to focus on a potentially dangerous aspect of computing, which is allowing less security-conscious individuals access to the devices you use for business. If you wouldn’t trust this person with your business, don’t grant them unfettered access to your business devices.
- Back up your data. Viruses, thefts and hard drive crashes happen. Like death and taxes, hard drive crashes are inevitable, and your drive will fail when you can least afford it to fail. Unlike the first two, countering the negative consequences is handled by a simple process.
- Ensure confidential customer/client data is stored securely. If you are in a regulated industry, you are more likely to understand why this is important. But if your business services clients who are part of a regulated industry, you might be held to the same standards of security as your clients. Know what data you are storing, know where you are storing it, and how you are storing it.
- Familiarize yourself with the privacy policies of any social networking platforms you use. Even if you’ve managed to avoid the big names in social media (Facebook, LinkedIn, G+, Twitter, etc.), any community you participate in that has a digital component should have a clearly stated privacy policy that governs how your personal information will be used by that organization or platform. Don’t be surprised if you’ve inadvertently relinquished much more control and/or privacy than planned over information and the content you author on that platform.
- Make sure you have a proper firewall anywhere you use the internet. For the moment, you should consider the internet a wonderful AND dangerous place. Your office probably has a firewall in place (check anyways if you are the least bit unsure), but make sure you have a proper firewall working at home, AND on your desktop or laptop (where practical/allowed by corporate policy). Yes, they can be a bother sometimes, but weigh the inconvenience against a data breach, virus infection and uncomfortable client conversations about losing their data.
- Practice constant vigilance, and encourage it in everyone around you. You may be always on your toes, but you are more likely to let down your guard when interacting with co-workers, friends and family. The more you educate them about the above practices, the safer they will be, and you will improve your odds of keeping your own technology safe.
As in just about every facet of normal life, there are no guarantees, and no magical security switches to flip on and forget, but taking the above ten practices to heart can better prepare you for rougher aspects of technology and the internet. It also helps to have a guide while you are navigating the twisting paths of technology, and you should always consider C2 Technology ready to help you find your way to success with technology.
Another day, another social networking site hacked. This time, unfortunately, it was new internet darling Snapchat that was breached, exposing over four million mobile numbers and user names. The hacker(s) who published the data did so purportedly to compel Snapchat to take action on security flaws in its platform that have been known since earlier in the year, but remained unpatched up to (and even past) the public release on Dec 31, 2013 of the information harvested by exploiting the security flaws.
What this means for you:
Snapchat is very popular with younger generations who moved to the service for a variety of reasons, not the least of which was more privacy (from Facebook-savvy parents and authority figures) and less permanence (Snaps are deleted forever within seconds of being shared). Irony aside, the data exposed in the security breach reveals sensitive personal data from millions of individuals, many of whom are probably minors, a demographic that may include your child(ren).
You can check this website to see if any of your family’s mobile numbers were leaked by this Snapchat hack. While the data released isn’t as sensitive as bits like Social Security numbers, birthdates or debit card PINs, some other services do use mobile numbers as identifying data, alongside usernames which many people (including Snapchat teens) like to re-use as part of their online “brand.” Armed even with these slender morsels, clever social engineers can wedge their way into someone’s online presence and use it as a stepping off point for a complete takeover of an identity, leading to credit fraud, theft and much, much worse.











