Many of you already know this because you, or your company has partially, or even fully embraced this concept: technology continues to expand the way businesses can take advantage of remote workforces and telecommuting. According to BusinessInsider.com, the number of people working remotely or telecommuting in the US has grown by nearly 80% from 2005 through 2012. However, the actual number of people working in this fashion (3.3m, not including the self-employed) still only comprises less than 3% of the total American workforce.
Despite the gains telecommuting has been making in the business world, many more companies still cling to the more traditional office-bound cultures, even such as Yahoo, where former Googler and now CEO Marrisa Meyer infamously rescinded Yahoo’s extensive telecommuting labor policy, citing the need for more teamwork and collaboration. This is perhaps the most popular justification for eschewing a dispersed workforce, but many successful small business, both startups as well as established business are taking advantage of the decreased overhead and a happier, more productive workforce, and the internet is making collaborating over distance easier every day.
What this means for you:
As a small business owner, or someone who is looking to shake up the culture of a more traditional work environment, the arguments for decreasing real estate expenses, infrastructure costs and administrative overhead will come fairly easily. However, be prepared to answer how you will maintain or even improve collaboration and teamwork, especially now if your staff can no longer pile (physically) into a single conference room with a few minutes notice. Security, standards compliance, quality control and performance management will also require new processes and new ways of thinking, and as we all know, change never comes easy, especially when someone’s paycheck or dividend is on the line.
All of the preceding challenges can be met with current technology that is affordable and often easy to use, but if you buy a bunch of laptops and webcams and ditch the cubicle farm without preparing both your people and your business, you may be in for a rude surprise. As is always the case, plan carefully how you implement technology: the easiest step is purchasing shiny new toys. The hard part is implementing them properly and securely, and making sure they are properly aligned with your business.
Image courtesy of jannoon028 / FreeDigitalPhotos.net
As predicted, the zero-day flaw in multiple versions of Microsoft’s web browser, Internet Explorer, is now being actively exploited by multiple APT (Advanced Persistent Threat) groups in attacks that are targeting large numbers of people. The most publicized and successful of these attacks have been focused on government websites. Their primary purpose: to install rootkits on government worker machines to facilitate access to confidential government documents. On top of the growing number of attacks leveraging this weakness, the Metasploit framework (an open source hacking tool used by security researchers and white-hat hackers) just released a module to the public that demonstrates how this security flaw can be used to hack IE, theoretically making it even easier for malicious agents to understand and develop their own exploits. Microsoft has yet to say when a patch will be released to fix this weakness, which affects just about every version of IE from 6 through 10.
What this means for you:
If you are using Internet Explorer, whether by corporate mandate or by choice, make sure you’ve applied Microsoft’s temporary fix, or ask your IT guy if they’ve distributed the fix throughout the company. If you work for the government, either as an employee or contractor, be extra wary of strange behavior on your computer, and ensure that your antimalware software is fully functional and up to date.
If you are using some other browser, you don’t have to worry about this particular exploit, but as always, remain ever vigilant and make sure your OS, software and antimalware are fully patched!
You thought you’d done a good thing: you finally listened to all the warnings and locked your iPhone with a passcode or, if you are one of the lucky few with a shiny new 5s, the new fingerprint lock. Sadly, one of Apple’s other famed technologies may betray you in the end. An Isreali security analyst has uncovered a significant flaw in iOS7 security when access to Siri on your iPhone’s lockscreen is enabled. The problem is part convenience and part bug: using Siri while your phone is locked allows you to make calls without having to punch in a passcode, something that is indispensible while driving, or when your hands are otherwise occupied. Unfortunately, using Siri in this manner leaves a back door open in the form of unfettered access to the phone app, while your phone is still locked. Oh, and did you remember that Siri responds to anyone’s voice, not just the owners?
What this means for you:
“How bad could this be?” I hear you asking. While in the phone app, the user can access the phone’s voicemail, send text messages, view the calendar and look through all the contacts in your phone. If you don’t consider that private, you are part of a very small minority on this planet. The fix is simple: disable access to Siri from the lockscreen. The recommendation: do it now if you care about your phone’s security. It’s likely Apple will fix this flaw, but will they do it in time to protect your confidential data?
A new app has appeared on Google’s Play store that purportedly offers Android users the ability to chat with iOS users via Apple’s iMessage platform, and it has security eyebrows raised, primarily because it wasn’t released by Apple. Cydia (app store for jailbroken iPhones) developer Jay Freeman delved into the code of “iMessage for Android” and discovered another alarming fact: the app appears to be authenticating not through Apple’s servers, but through some unknown platform in China, even though it requires a legitimate Apple ID to work. Another developer also noted that this app has the ability to silently download code to your Android smartphone, a permission that could lead to a malware infection. The app is very new and these security peculiarities have yet to be widely verified, but it has already been downloaded from the Play store over 10,000 times.
What this means for you:
Firstly, your Apple ID (which may have money and many, many apps, songs, movies, etc. tied to it) is being passed through an unknown server in China. There is no guarantee that the owners of that server aren’t collecting these IDs for nefarious purposes. Add this to the fact that the app can download code without notifying you, and the scales are now dipping alarmingly towards “dangerous” if not outright “malicious”. Also at stake is the trustworthiness of Google’s Play Store app vetting process – how could this app have possibly made it through without raising some red flags. Sure, there is no love lost between Apple and Google, but Google is usually smart enough to not poison its userbase with a dodgy app just so Android users can text chat with iOS users. It remains to be seen whether this app is truly on the up and up, but all signs indicate otherwise at this point. I’d err on the side of caution and avoid installing this app for now. If you really need to talk to that iPhone user, just send them a text!
Image courtesy of Idea go / FreeDigitalPhotos.net.
When you are king of the mountain, everyone lines up to take a shot at you, and the iPhone is no exception. In this particular case, security analysts were taking bets on how long it would take for someone to defeat the brand-new iPhone 5s fingerprint scanner. They didn’t have to wait long, as it seems a German hacking group known as the Chaos Computer Club was first to publish a technique they claim will defeat Touch ID’s technology. Though the claim has yet to be independently verified, it has the same trappings as the infamous “gummi bear hack” that poisoned public perception of biometric security measures over a decade ago. In a nutshell, the hack requires a high-resolution scan of the target’s fingerprint, which is then used to create a fake finger from a laser printer and a thin layer of latex.
What this means for you:
According to the Chaos Computer Club, their intent behind publishing the findings was to demonstrate to the public the weakness of fingerprint-based security, pointing out two very obvious weaknesses: (1) we can’t change our fingerprints if they happened to get compromised, and (2) we leave them everywhere we go. Whether or not CCC’s technique proves replicable, it is only a matter of time before other techniques are published, and their points still stand. Multi-factor authentication methods can surmount this particular problem, as can biometric patterns that aren’t so easily replicable (such as your cardiac signature), but the fact remains that the easiest method to gain access to your phone is for someone to gain access to one that isn’t protected at all, either by fingerprint, pin or password. Unless the only thing you use for smartphone for is games, you should always have some form of protection on your phone, and doubly so if you use it to conduct work.
In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in version 8 and 9 of Internet Explorer. I’ll spare you the gory details but the gist of the hole is such that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.
What this means for you:
If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.
Anyone who’s watched a Hollywood thriller in the past three decades is familiar with biometric scanners, and along with it, the various means movie villains have used to subvert these systems, including methods that would be horrifying to consider when applied in real life. Now that the new iPhone 5s has a fingerprint scanner, those of us with more vivid imaginations have envisioned a new rash of thefts paired with bodily mutilations. Fortunately for everyone, the manufacturers of the fingerprint scanner on the new iPhone have stated quite clearly that the only way the scanner will register a proper fingerprint is if the finger is still attached to its living owner.
What this means for you:
It’s too soon to tell whether or not the technology in Apple’s latest smartphone is subject to the same hacks that rendered earlier incarnations useless for serious authentication. There are also concerns that Apple, or even the NSA could be gathering fingerprints for their super-surveillance database. Given all the attention the NSA has already been given regarding its privacy invasions, it’s a safe bet that they are going to steer clear of this particular minefield (at least for the time being) and Apple is also savvy enough to avoid alienating its passionate fanbase with such a heavy-handed misuse of their personal privacy.
Frankly, if the convenience of the fingerprint authentication gets you to secure your iPhone where before you did not, then I’m already a fan. For you Android users out there jealous of Apple’s spy gadget tech, have a look at Nymi, and watch for other biometric gadgets to arrive, especially now that Apple is trying to make them sexy again. You should always secure your mobile devices, especially if you use them to access email or work data. As we can all attest, passwords and pins are a big hassle, especially when you are on the go, but you should never let your phone out of the house without one.
Image courtesy of thawats / FreeDigitalPhotos.net
True to form, Apple announced at a press event today the arrival of the iPhone 5s and 5c. I’ll keep this one short, so you can get down to the business of deciding whether or not you are buying one!
What this means for you:
The 5c is Apple’s rumored budget phone. Priced (with 2 year contract) at $99 for a 16GB model, and $199 for the 32GB, this model replaces the metal with plastic, and comes in five bright colors. Aside from that and the fact that it ships with iOS 7, it’s functionally the same hardware as the iPhone 5 released last year. If you’ve been on the fence until now about buying an iPhone because of the price, this may hit your sweet spot, assuming you don’t mind the 2-year commitment.
The 5s features a faster processor; early tests show a 30% speed increase but Apple claims up to 2X faster performance. It also comes with a fingerprint scanner to unlock the device, and a new, low-power chip that is designed specifically to work with fitness apps (hinting at the imminent arrival of an “iWatch”), and an improved camera. This one is priced at the expected $199/$299 price point (with 2-year contract, of course!) and is available in Gold, Silver and “Space Gray”. This will be a tougher sale for a lot of people, especially since rumors are flying that the iPhone 6 may be released in early Spring 2014 as opposed to the usual timeframe of late Summer, early Fall. The 5s isn’t a huge leap forward from the 5 in terms of hardware specs, so don’t buy one expecting a big performance increase.
If you are holding on to an older model iPhone 3 or 4, the 5s would be a nice step up. If you are budget conscious, or considering a new phone for your pre-teen or teenager, the 5c may be a great choice to hook up your kids without breaking the bank.
Despite the advent of wifi technology which has made staying connected a much more elegant, wire-free affair, we are still tethered by the ever-present power cord. Just about everyone who has traveled with electronics has cursed the forgotten power cord, and probably thrice cursed the tangled knot of cords they did remember to bring. Induction charging has attempted to answer this nagging first-world issue, but adoption of the technology has been slow, and it hasn’t conquered the primary complaint: your devices are tethered not with physical wires this time, but by the need for contact with the induction surface.
Enter surprise start-up Ossia and their product, Cota. Making their debut at the TechCrunch Disrupt13 conference, Ossia founder and physicist Hatem Zeine has developed a technology dubbed “Cota” that can safely power devices wirelessly, at a distance and through walls. The technology is still in the prototype phase and is slowly making its way through the FCC approval process, but Zeine was able to provide a live, on-stage demonstration of an unmodified iPhone being charged wirelessly from the prototype at a distance of several feet. The company’s initial foray into production is aimed at industrial applications where wireless power delivery is a top priority, such as powering remote sensors in a refinery, where electrical sparks are a constant worry. Ossia aims to to have a consumer product by 2015, which is envisioned to consist of a charging station approximately the size of a desktop tower PC, and will be partnered with a variety of receiving platforms such as built-in electronics, battery replacements and add-on receivers for legacy devices.
What this means for you:
We’ve a bit of a wait until the Cota arrives for consumers, but given the world’s aggressive adoption of mobile electronics and fondness for wireless aesthetics, it’s likely that even if Ossia fails, other companies will rise to the challenge. According to Zeine, the technology is as safe as current Wifi technology probably permeating your house and office right now, as it works in the same frequency spectrum. Whether or not you believe that platform to have any health implications is probably moot if you live or work in any urban first-world environment, as you are “soaking in it” as we speak. Assuming the health question is resolved to everyone’s satisfaction, Zeine is predicting a complete paradigm shift in how we look at mobile technology, envisioning a world without batteries and the concept of “charging” made obsolete by an omnipresent power source. Are you ready to ditch the power cords? It may be coming sooner than you think!
If you’ve taken to heart any of the security advice or practices that I or many other technology professionals have been dispensing for the past few years, you’ve probably developed a healthy skepticism for any emails that land in your box that are unexpected and contain unfamiliar links. Even more so if your email provider marks the email as spam or a possible phishing attempt.
For example, I recently received an email with the subject “iPhone iPod touch Class Action Settlement” that was immediately marked as spam by Gmail. This email purportedly offered me a part of a class action settlement with Apple. Seeing how many people own iPhones and iPods, it seemed like good phishing bait so I assumed this was yet another scam. It had all the trappings of a well-made con:
- broad target demographic
- based on a recent, actual event
- contained lots of official-sounding text that didn’t read like a 4th grader wrote it
- no overt clues that the sender was an obvious bad agent (non-US domains, inappropriate reply-to addresses, spoofed mail headers, etc.)
It would probably lure people into clicking a link that would either load up their machines with malware, or entice them into giving up some personal information that would later be used in an identity theft attempt. I opened it up with the intent of warning my audience and clients about the potentially well-crafted fraud.
As it turns out, this is a legitimate email that Gmail incorrectly identified as spam, probably because the sender was flagged as a spammer by justifiably suspicious readers like you and me. A little research online reveals this is part of the original case that made headlines back in May of this year. Emboldened by this information, I used Chrome (bolstered by a variety of anti-scripting extensions) to visit the included link, and, lo and behold, it’s a legitimate website. Because of the relative newness of this initiative, there isn’t a lot out on the web about this yet, so unless you are an experienced internet researcher, your searches might have come up with little evidence that this was a legitimate email.
What this means for you:
Most cautious internet citizens might have trusted their email provider’s guidance on this and just deleted this email, potentially missing out on as much as $200 as a settlement award. False positives are an unfortunate side-effect of a proper security protocol, and in this case, even Google didn’t provide enough information to immediately assuage my suspicions, and a few search results actually led to conversations where people immediately labeled it as a scam. Sometimes the internet does not provide instantaneous answers, nor is it always right, and as always, you should always take your search results with a grain of salt, especially if there is money at stake. If your search results turns up a dearth of information, your best course of action is to wait a few days for the internet to catch up (it always does!) and research again, or to contact a tech expert like C2 Technology to get a second opinion.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net