Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


Another IE Zero Day Exploit in the Wild

admin
Tuesday, 12 November 2013 / Published in Woo on Tech

It’s nice that Microsoft can keep guys like me busy. Luckily, exploitation of their latest zero-day weakness seems to be limited (so far) to an advanced persistent threat (APT) attack targeting users of a specific national and international security policy website. This particular exploit is being delivered in a traditional “drive-by” attack when users of the English-version of Internet Explorer (specifically IE 7 and 8 on Windows XP, and IE 8 on Windows 7) visit this website. What distinguishes it from past threats is this malware’s ability to write malicious code directly to memory and then execute without writing to disk, a technique that makes detection and remediation much more difficult.

Microsoft intends to release a patch for this vulnerability as early as tomorrow (Nov 12). This is very fast for someone like Microsoft, and may be an indication of how serious this particular vulnerability might be.

What this means for you:

Though the exploit seems to be narrowly targeted at the moment, security researchers say it wouldn’t be hard to manipulate the existing attack software to affect all versions of IE from 7 through 10, and any language in which IE is distributed. Assuming you have the leeway to do so, I still recommend using another browser like Chrome or Firefox, which still have a better track record when it comes to catching and patching weaknesses like the above. If you are required to use IE, make sure Windows Update is functional, and that you apply all critical and important updates as they are downloaded to your computer. Larger companies may control how frequently Windows Updates are applied in their enterprise, but don’t be afraid to ask your resident IT representative if they are taking steps to keep Internet Explorer safe for your use.

Tags: advanced persistent threat, browser, chrome, firefox, internet explorer, microsoft, security, zero day

New Microsoft Zero Day in the Wild

admin
Wednesday, 06 November 2013 / Published in Woo on Tech

Microsoft zero-days seem to be happening so frequently, I’m running out of clever bon-mots to introduce these warnings. “What now?” I hear you ask. Users of Vista (Windows machines circa 2007) or Server 2008 (still in wide use everywhere) are affected by a vulnerability in versions of Microsoft Office 2003-2010. Let’s skip the gory technical details: this exploit uses a hacked image inserted into a Word document to run code that can lead to the victim’s computer being completely compromised and subject to remote control. Microsoft has not yet announced a patch for this vulnerability, but they have released a Fixit that can be run on the targeted machines to close the security hole. 

What this means for you:

Security analysts are already seeing attacks utilizing this vulnerability in the wild in Asia and the Middle East, so it’s only a matter of time before victims start cropping up here in the US. If your Windows machine is running Vista, it’s highly likely you are also running a version of MS Office affected by this vulnerability. Run the Fixit immediately and consider upgrading your OS. If you have Microsoft-based servers in your environment and they are more than a year or two old, it’s highly likely they are running Server 2008, but less likely that Office is installed on the device. Your server administrator will know best how to handle this particular issue. As always, contact the sender to verify any unexpected attachments before opening them, make sure your computer is fully patched and protected by up-to-date antimalware, and double-check that your data is backed up, preferably to an offsite and fully encrypted location.

Tags: exploit, microsoft, ms office, server 2008, vista, vulnerability, fixit, zero day

Hacked Limo Co Exposes Customer Data

admin
Tuesday, 05 November 2013 / Published in Woo on Tech

While analyzing the data trail of the recent, highly-publicized Adobe security breach and data theft, researchers also discovered data that appears to have been stolen from a prominent online broker of limousine and towncar services. Among the some 850,000 customer records discovered were such illustrious names as Donald Trump, LeBron James and Tom Hanks, as well as numerous other wealthy and/or famous individuals. The data also included credit card information, pickup times and locations and even ID numbers of private airplanes used by this company’s customers. The records also included notes on customer behaviors and activities, including a number of tidbits that could prove embarrassing or even potentially incriminating. Even if the data were to somehow avoid falling into the hands of police or tabloids, it’s highly likely that cybercriminals will have already cherry-picked many of the customer records for their potential use to fuel spear-phishing attacks and other focused cyber-espionage attempts on corporate and government targets.

What this means for you:

You may have enforced rigor and discipline in your own technology, to the point where you feel fairly confident that you can avoid most attempts to compromise your technology security, but the above points out an uncomfortable reality: you cannot control what information is being gathered about you whenever you interact with the rest of the world. You have two choices here: acceptance and vigilance – be watchful and cautious, and come to grips with the fact that 100% security is impossible, or move to a bunker in the wilderness, off the grid and completely isolated from society. However distasteful and infuriating the former may feel some days, the latter is just not a practical choice (or even possible) for most people.

Tags: adobe, breach, espionage, Hacking, privacy, security, spear phishing

Phishing Emails Target AMEX Users

admin
Tuesday, 29 October 2013 / Published in Woo on Tech

Knowing full well that American Express is the credit card of choice for many professionals, cyber criminals are targeting AMEX customers in a wave of convincing phishing emails. The emails appear to be from AMEX, state that fraudulent activity has been detected on the recipient’s card, and provide a link for the user to update their information. The link actually leads through a series of redirection scripts on compromised websites and eventually lands the user on a website that has the outward appearance of a legitimate AMEX website. This site’s sole purpose is to collect critical personal data such as your Account ID, Social Security Number and Mother’s Maiden Name, which will shortly be used to perpetrate some actual account and identity theft.

What this means for you:

By now you should naturally be suspicious of any emails that show up in your inbox asking you to reset your credentials, especially if you did not explicitly perform a password or credential reset. Rolling over the links in the emails will show you the destination URL, and if the link isn’t one you recognize, stop right there and trash the email. Even if the URL looks legitimate, don’t use the link in the email. Go to your credit card website by manually typing in a URL that you know is good. Not sure what the URL is? Look for one printed on the back of your credit card, or failing that, just call the customer service number via phone. As a rule, credit card companies and banks will notify you via phone of suspected fraudulent activity, so emails like this should always be viewed with a healthy amount of skepticism.

Tags: american express, amex, cybercrime, fake emails, hackers, phishing, scam alert, security

LinkedIn’s New App Intros Security Concerns

admin
Tuesday, 29 October 2013 / Published in Woo on Tech

For many professionals, LinkedIn plays an important role in their ability to network and market themselves to others, but the primary business tool of choice for just about everyone is still email. Realizing this, LinkedIn has created an app (currently only for iOS) that puts a lot more LinkedIn into your email. The app, dubbed “Intro”, is designed to provide you LinkedIn profile information (if it exists) of your recipients while you are writing your email, as well as automatically inserting an “Intro” banner that includes your profile information into every email you send. It’s this latter function that has security analysts up in arms, because in order for Intro to do its thing, it requires the user to switch their email server from the provider to LinkedIn’s own mail servers, which in turn authenticate on the user’s behalf while inserting the Intro snippet into each email as it makes its way through LinkedIn’s service. You read that right: every email you send using Intro goes through LinkedIn’s servers as well.

What this means for you:

For decades now, hackers have used a similar technology process to compromise security systems: the “Man in the Middle” attack basically tricks a computer into sending information to an alternate destination, which then forwards on the information to the intended destination, all the while pretending to be the original sender, with neither endpoint being the wiser. In this manner, the “man” in question is able to collect any information passing between the two points, including passwords and other sensitive information. Obviously, LinkedIn’s Intro app is purposefully inserted into the middle of a user’s email by the user himself, but the principle remains the same, and, at minimum, complicates security. Think of it as an email “love triangle.”

On top of this concern, security analysts have already figured out a way to spoof the information Intro inserts into your emails, essentially “weaponizing” Intro’s banner to carry any sort of payload the hacker would like, including links to hijacked websites. Imagine if you sent your client an email with a compromised LinkedIn Intro banner that led to them getting infected and their information destroyed by a virus. For now, I’d recommend sticking to inserting your own signatures into your email (which can include a link to your LinkedIn profile) and waiting a few months to see if LinkedIn has worked out all the security concerns in their new app.

Tags: email, hackers, linkedin, malware, man in the middle, security, virus

It’s Raining Tablets

admin
Wednesday, 23 October 2013 / Published in Woo on Tech

Earlier this year, CEO Thorsten Heins of beleaguered tech company BlackBerry infamously stated, “In five years I don’t think there’ll be a reason to have a tablet anymore.” The press had a field day with this quote, and the explosive growth of tablets in 2013 alone seems to be proving otherwise. As if to rub Mr. Heins’ and other tablet doomsayers’ faces in it, October is seeing the launch of multiple new tablets, including new lineups from Microsoft, Nokia and Apple, all essentially debuting on the same day.

Apple dominated the American media on Oct 22 with the debut of “the lightest full-sized tablet” on the market, the iPad Air, weighing in at a diminutive single pound. It also updated the wildly popular iPad Mini with its high-resolution “Retina” display, bringing the 7″ tablet up to par with competing models from Google and Amazon. In an attempt to not be out-done (and sadly not quite succeeding in that effort), Nokia announced its first tablet today as well. The Lumia 2520 will run Microsoft’s Windows RT, a move that analysts questioned given the tepid consumer response to Microsoft’s tablet OS, but is not unexpected in light of the Redmond tech-giant’s recent acquisition of Nokia’s hardware business. Not wanting to be left out of the tablet party, Microsoft held its own midnight release event on Oct 21 at its retail stores around the country to celebrate the arrival of the Surface 2. Despite loud music, flashy displays and enthusiastic staff, the Surface 2 launch parties seemed to be (unsurprisingly) sparsely attended.

What this means for you:

If you’ve been holding off on buying a tablet for some reason, the market is currently overflowing with choices, and many of them are very strong on features and backed by staunch developer support and healthy ecosystems, notably the iOS and Android family of products. Though many are saying it’s too early to tell, the Windows RT and Windows 8 tablets have a stiff, uphill climb in the market, something that is keeping developers away from the OS, leaving Microsoft’s app marketplace relatively barren compared to the competition. There’s been a minor stir of interest in the Surface tablets from the arts industry, primarily because of the hardware’s robust pressure sensitivity, but unless you have a specific use case in mind, I’d steer clear of the Windows tablets for now. If you’ve been concerned about the size and weight of the 10″ tablets (very hard to use as bedtime readers or if you spend any time as a standing commuter) you can’t go wrong with a 7″ tablet from either Apple, Google or Amazon, all of which now feature high-definition screens, robust app stores and great portability.

 

Tags: amazon, Android, Apple, BlackBerry, Google, ios, ipad, lumia, microsoft, nokia, surface, tablet, windows

Fake Dropbox Email Leads to Malware Infection

admin
Monday, 21 October 2013 / Published in Woo on Tech

Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.

What this means for you:

Whenever you receive a warning like this, the safest method to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot”.

Tags: dropbox, fake emails, hackers, malicious, malware, phishing, security, spam

Yahoo Angers Ymail Users with Redesign…Again

admin
Wednesday, 16 October 2013 / Published in Woo on Tech

Only seven months after a major redesign that many considered a huge flop, Yahoo has unveiled major changes to its Ymail service, and it has its users up in arms again. The new features like conversation threads, themed background images and a massive terabyte of storage are clearly following in Gmail’s footsteps, changes that weren’t unexpected, given that Yahoo’s CEO, Marissa Mayer, was one of the core designers of Gmail when she was at Google.

What this means for you:

Yahoo Mail is the second largest webmail service in the world, and very close on the heels of Gmail. Feature changes like the ones above are attempting to build on Google’s successes, but as many customers have noted in the large volume of complaints, the main reason they use Yahoo Mail is because it is not Gmail. The biggest change seems to be the removal of the Mail Tabs feature, something that nearly 40K users have voted to have Yahoo reinstate. Users are also complaining about numerous bugs that appear to have never been quashed from the last time Yahoo messed with its email service. Seemingly heedless to the outpouring of complaints, Yahoo has issued press statements reiterating the need for the company to progress the development of its services into a “…more modern and personalized Yahoo!” Perhaps that development means some loyal fans will be left behind.

Tags: complaints, email, feedback, gmail, Google, mail tabs, redesign, yahoo, ymail

Google’s New Advertising Shill: You!

admin
Tuesday, 15 October 2013 / Published in Woo on Tech

MetaFilter user Andrew Lewis coined a phrase that has become the rallying cry for internet privacy watchdogs over the past 3 years, “If you are not paying for it, you’re not the customer; you’re the product being sold.” He was speaking of Digg’s redesign in 2010 in which the emphasis of the site shifted away from user-centric content curation and towards a model that was clearly intended to monetize Digg’s large userbase. Since then, the phrase has been applied to many services, including the 800-lb gorilla of free internet services, Facebook, and dozens of other social media sites that use advertising money to fund their “free” services. Savvy users will note that Google has been leveraging this model on a less obvious (but no less profitable) basis ever since Google search arrived and Gmail extended its tendrils into millions of users’ daily online existence.

The subtlety was cast aside boldly last week when Google announced a change to its privacy policy that granted itself the right to utilize its users’ likeness and content authored on any one of its many properties to advertise to other users. This includes content and reviews written by users on G+, YouTube, Zagat, and the Google Play store. The new policy is the default, and users must opt out if they prefer to not participate in this endorsement model. Clearly, Google is hoping to entice advertisers with the very real impact of recommendations made to users by people they know. But many are angered by this change, and the internet outrage is spreading.

What this means for you:

If you have a Google account, then you are automatically opted in to this advertising model. To opt out, you must go to your Account settings under the Google+ section, and look for the “Shared Endorsements” link to disable your participation in the program. If you actually go do this, you’ll note that Google has written quite the argument as to why you might want to stay opted-in: “Your friends might not be able to benefit from your wisdom.” Depending on your level of participation in online reviewing/commenting/rating, participating in this program may be no big deal, or a very big deal. Either way, you should consider the implications for your online brand, whether current or planned, and the impact on your privacy, especially if your face and words could start appearing on thousands of monitors around the world.

Tags: advertising, comments, endorsement, g+, Google, privacy, ratings, reviews, youtube, zagat

Rent vs. Buy Debate Comes to Software

admin
Wednesday, 09 October 2013 / Published in Woo on Tech

Adobe dared what other software companies have only dabbled in doing: converting their entire, hugely popular software library into a rental-only commodity. Why do software companies aspire to this model? As you might suspect, users of expensive software packages like Adobe’s Creative Suite or Microsoft’s Office products are able to enjoy multiple years of use from the software before reluctantly upgrading, a consumer trend that bodes ill for any software manufacturer’s bottom line. The solution: make your highly desirable products only available for rent, or in software parlance, “subscription-based”, guaranteeing you a regular income that will make shareholders dance with glee. While this move has angered a large number of Adobe users, the software company was able to pull the plug on ownership because of the virtual stranglehold it has on this particular category of software, especially its flagship products Photoshop, Illustrator and Lightroom, for which there is virtually no competition its users are willing to consider.

What this means for you:

Adobe’s success (or failure) will determine how other companies proceed. Microsoft already has an extensive subscription-based offering of its productivity suite, which can be rented for what most in the business world consider to be a fair price, especially seeing as how critical Office is in daily business, but “rentals” are only a fraction of its overall sales, which still come through more traditional licensing channels. Annual licensing and maintenance has long been an accepted and expected revenue generator on the enterprise side, a means to bolster profits from an ownership model that came from lengthy software development cycles that are growing shorter and shorter every year. Adobe’s justification behind the subscription model maintains that subscribers will be able to enjoy continuous improvement to and expansion of their products. The question remains, however, whether business is ready for applications and platforms that continually change. While new features and improvements are always welcome, the constant change also presents bugs, security holes and training challenges that are definitely not covered by the subscription. Where before companies could control the rate at which their critical business software was changed, now they may have to join a race in which the finish line is constantly moved away from the participants.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: adobe, buy, creative suite, enterprise, licensing, microsoft, office, rent, software, subscription