When laptops and desktops first started shipping with webcams built right into the chassis, people immediately started joking about their computers spying on them, and I saw numerous semi-serious and completely serious attempts to cover them up with tape, post-it notes, permanent marker and just about anything people could put their hands on to alleviate that prickling sensation of being watched. Unfortunately, reality isn’t typically far behind imagination, and you probably aren’t surprised to know that it is completely possible for your webcam-equipped device to be hacked, and yes, your webcam activated and watching whatever is in front of it. Not scary enough for you? What about that laptop you just gave your daughter?
Sadly, this isn’t just a scare tactic. ArsTechnica has a chilling article that takes a detailed look into the creepy world of “ratters” – young, mostly-male hackers who use covert Remote Access Trojan software (RATs, more politely known as remote administration tools) installed on compromised computers for the express purpose of spying on and remotely tormenting their “slaves.” RAT software is built on the same remote-control technology found in the legitimate remote-support tools IT professionals use to assist and control their customers’ computers. Unlike those legitimate tools, a RAT is designed to be undetectable, and to be easy to install and spread without the victim’s knowledge.
What this means for you:
In nearly every malware attack, especially one that delivers a payload like a RAT, the incursion is the result of an action taken by the victim: visiting questionable websites, opening unknown attachments, clicking strange links in emails. Alongside this is a set of inactions the user is also guilty of: failure to install reputable antimalware software, failure to keep the OS and installed software up to date, and of course, failure to remain constantly vigilant! As you’ve heard me say many times, nothing will stop a dedicated hacker from penetrating even the most stalwart of defenses. However, a good antimalware application and some common sense will put you miles ahead of the less cautious and less safe, and typically off the radar of ratters, who are looking for easy targets.
Another simple solution? That piece of tape ain’t looking so bad now, right? Just remember to cover the lens and not the “activity” light for the camera, which will tell you when your camera is possibly watching your every move. Treat that light as a useful tell rather than a guarantee: it is driven by the camera hardware and its firmware, not by you, so the tape over the lens is the one control you can be sure of. As always, if you notice your computer behaving strangely, disconnect it from the internet immediately and call a professional for advice.
Image courtesy of idea go / FreeDigitalPhotos.net
Though it’s no secret to the security world, the US government has until now specifically avoided naming Chinese state agencies as the source of a tremendous surge in cyberattacks on corporate and government institutions over the past two years. On Monday, the gloves finally came off as Obama’s national security advisor, Tom Donilon, pointed the finger of blame right at China’s military in a speech to the Asia Society in New York, NY, as evidence gathered by multiple security firms continues to build toward an unavoidable confrontation on this issue. The Chinese government has of course denied these allegations, but has also said that it is willing to meet with the US and other nations to discuss cybersecurity.
What this means for you:
It’s still very early in the ballgame to decide if this is going to make things better or worse for the average business. At the moment, unless you are on the short list of companies that have information worthy of corporate or state-sponsored cyber-espionage, nothing will change for you, as your threats are likely still coming from the “traditional” vectors: either organized criminal elements seeking to steal from you, or random mischief and mayhem generated by malware controlled by those with less focus and malice. Today, as before, constant vigilance remains the most effective tool in your defense.
Targets of state-sponsored cyberattacks will continue to have a great deal to worry about. Where a “garden variety” attacker encountering strong defenses would normally move on to easier marks, cyber-espionage targets will typically suffer through a dedicated, prolonged campaign of multiple types of attacks (brute force, Trojan horses, spear phishing, social engineering, etc.) because of the valuable data or services protected within and the deep pockets of the government powering the attackers’ efforts.
It’s not immediately clear what either government hopes to accomplish by meeting on cyber warfare, other than to set up guidelines that will only be used for political leverage when violated by the other party, and probably ignored when it suits either country. As you can imagine, rules like the Geneva Conventions only work when both sides are willing to abide by them.
Classic car enthusiasts have bemoaned the industry’s shift towards computerizing every aspect of automotive operation, especially things that in the past could be tuned and maintained with a set of tools and a little elbow grease. The rise of technologies like fuel injection, ABS and automatic transmissions has made our cars some of the most sophisticated electronics we use on a regular basis, aside from our smartphones and computers, and as with those, we often know very little about how to keep them operating at top efficiency. A new company, Automatic, aims to change that with a small device called the “Automatic Link” which plugs into your car’s OBD-II port – the same one auto shops use to run diagnostics on any car made in 1996 or later.
The device connects to your iPhone via Bluetooth and, using telemetry gathered by your car’s own onboard computers, GPS data tracked on your phone, and (presumably) some powerful cloud-based data analysis, will analyze your driving habits and start to put together recommendations on how to drive more safely and efficiently, as well as providing a historical analysis of all previous travel in your vehicle, including time spent on the road, distance traveled, and average fuel efficiency. If it spots trouble with one of your car’s systems, instead of flashing a cryptic message code that you have to dig out of your car’s instruction manual, it will again leverage the internet to provide more meaningful clues as to what might be wrong, and then show you nearby highly-rated auto mechanics that can help.
What this means for you:
The Automatic Link isn’t shipping until May of this year, so aside from media hype, all we have to go on are the promises of Automatic’s website. At the moment, it’s only being launched for iPhones, so if you aren’t among the Apple faithful, you are out of luck for now. This device follows a growing trend of tying larger portions of our lives to our smartphones, which, as I’m hoping you realize, is a double-edged sword. There are a great many benefits to be gained from devices such as this – but at what cost to your personal privacy? Remember what the device actually accumulates: a continuous record of where your car has been and how you drove it, sitting on your phone and in someone else’s cloud, protected by whatever password and privacy terms Automatic chooses. No doubt Automatic has plans for the massive amount of data these devices can gather, and I imagine the demographic information contained within has every location-based business salivating at the prospects.
Among the many things that complicate technology, batteries have historically been a big, heavy, environmentally disastrous anchor around everyone’s necks. Researchers at UCLA have recently announced a breakthrough in producing graphene-based “supercapacitors” that essentially take the best parts of a capacitor and a traditional battery to form what may be as transformative as the discovery of electricity. Graphene-based batteries are envisioned to be able to charge in minutes. On top of this, graphene itself is very eco-friendly (compostable, in fact), durable and flexible, almost the exact opposite of current battery technology.
What this means for you:
I don’t know about you, but my mobile devices always seem to be on low battery at the most inconvenient moments. Even if there is a power plug nearby and you happen to have your charging cable, putting your phone/laptop/camera/tablet down in the middle of a busy day (not to mention in a public place like an airport) for an hour or more is just not practical. What may be really eye-opening is if graphene battery technology could be used for electric vehicles, specifically electric cars, which have been struggling against “range anxiety” in their adoption and spread. Charging stations, once envisioned as impractical (mostly because of the slow charge times), could literally operate with the same speed and convenience as a traditional gas station, paving the way for a fossil-fuel-free future. Say that four times fast!
Image courtesy of digitalart / FreeDigitalPhotos.net
You might not have realized this, but in 2012 the US Copyright Office let an exemption to the Digital Millennium Copyright Act (DMCA) expire, which suddenly made it illegal to unlock a cellphone you own for the purpose of using it with a different carrier. Passed in 1998, the DMCA covers many areas of modern technology, but the exemption essentially allowed consumers to unlock phones like the Apple iPhone themselves, as opposed to purchasing a (much more expensive) unlocked phone or asking/paying the carrier to unlock the phone for you after you’ve paid it off through a subsidized contract. Though the exemption lapsed late last year, the White House and the FCC have both issued statements urging Congress to legalize unlocking.
What this means for you:
In the US, unlocking your smartphone doesn’t have quite the same value as it does in other parts of the world, primarily because the two largest carriers operate networks that use two different radio technologies, and a given phone typically supports only one of them. For example, if you had an AT&T iPhone, you can’t unlock it and move to Verizon, because the hardware will only work on GSM networks (Verizon is a CDMA-based network), but you could use it on T-Mobile’s network. The carriers aren’t really interested in seeing the exemption renewed, primarily because its absence narrows consumer choice and “locks” unknowing customers into technology that, while simple to crack, is technically illegal to actually unlock without the carrier’s permission.
The issue rarely surfaces for most consumers anyway, as the carriers offer “free” or heavily discounted phones (with a multi-year contract, of course!) to “new” customers, so most opt to get something shiny and new rather than unlock their two-year-old phone. The issue here is really more about protection of consumer rights and the principle that if you own something, you should be able to do whatever you want with it as long as it isn’t impacting the well-being of others. Unfortunately, the White House and the FCC can’t do anything about the DMCA or renew the exemption, because the Copyright Office is governed by Congress. And we all know how productive they’ve been lately.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In what many analysts see as another setback for beleaguered BlackBerry, the US Department of Defense has now announced that it will start allowing the use of iPhones and Android devices in a space that was once the domain of BlackBerry devices. In the early days of mobile email delivery, BlackBerry devices were designed for enterprise-controlled security, whereas the other email-capable devices still relied on immature internet standards or, like Apple’s early iPhones, completely eschewed corporate control. Because of this, BlackBerry became the de facto standard for any business that valued security over style, including pretty much every government agency around the world.
What this means for you:
Don’t count BlackBerry out just yet, but the count is getting shorter and shorter, and at some point the referee might need to stop the fight. The Pentagon isn’t getting rid of BlackBerries (that would be a haymaker they won’t get up from), but it is now opening up the space for departments to use solutions from other vendors (namely Apple’s iOS and Google’s Android), under the department’s own device-management and configuration rules. This is a signal to the rest of the world that might have been skeptical of iOS or Android’s security status: if the world’s most powerful military is willing to consider using iPhones and Androids, maybe those platforms have finally caught (and passed) BlackBerry on the security front.
As of February 26, 2013, five of America’s largest internet service providers will be putting into effect a copyright policing and enforcement program aimed at curbing online piracy of copyrighted digital content. Officially known as the “Copyright Alert System” but dubbed “Six Strikes” by the media and watchdog groups, the program is the result of a collaborative effort between the entertainment industry and the five ISPs (AT&T, Cablevision, Comcast, Time Warner Cable and Verizon) aimed at stemming piracy made trivial and commonplace by peer-to-peer file-sharing protocols like BitTorrent and popularized by infamous sites like The Pirate Bay. According to the Center for Copyright Information (formed specifically to manage this program), the aim of CAS is not punitive, but educational. ISP customers suspected of engaging in infringing behavior will be warned multiple times, and may have their bandwidth limited or accounts temporarily disabled until they attend what you might think of as the copyright-law version of traffic school.
What this means for you:
The subject of copyright infringement is a touchy one on the digital frontier. As you might have suspected, there is a lot of money at stake, and the entertainment industry has enough lawyers to invade a small country. They also have plenty of powerful friends in Washington, DC who aren’t above floating ruinous legislation to protect Hollywood’s royalties at the expense of hard-won digital freedoms and privacy. Rather than see everything set back decades by politicians and lawyers, the ISPs have struck a deal with Hollywood to police themselves and keep the government out of their business. Digital rights activists have raised a stink about the “Six Strikes” program, primarily because several of the big five haven’t really formalized the rules that will govern how infractions are handled. On top of this, there is a $35 charge to appeal any supposed infraction, driving the “innocent until proven guilty” crowd into a frenzy. It’s still way too early to tell if or how this program will work, but it’s moving forward, whether the internet likes it or not.
Just this past week I received two emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even text lifted from actual legitimate emails to camouflage the hook.
How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!), but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will become more frequent once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.
Apply Common Sense
Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from AT&T notifying me that my monthly statement was ready for review. OK, this would have passed the “smell test” for me a couple of years ago, but I’m not an AT&T customer anymore. However, AT&T is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.
Who’s the email from? And who is the actual recipient?
In the fake AT&T email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would AT&T be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like something you might expect to see in your inbox. Is that email address actually correct? Bear in mind that the reverse is not proof of anything: the visible sender address is easy to forge, so a sender that looks right doesn’t make an email safe. If in doubt, call up the sender to ask if they actually sent the email, using a phone number you already have rather than one printed in the email.
In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have to put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses QuickBooks, but I also know she would never have used this particular email address to register the product or create an account, because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including two that weren’t actually email addresses), something you should never see in a legitimate, automated email from a company like Intuit.
But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used QuickBooks is in the business world. So, let’s dig a little deeper!
Are the embedded links legitimate?
Outlook provides a handy feature that lets you hover over a link in an email and see the actual URL of the link, even if it isn’t spelled out in the email (which it rarely is in a phishing attempt). Most web browsers do the same for webmail, showing the destination in the status bar at the bottom of the window when you hover, though how reliably depends on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)
In my two examples, you can clearly see that neither of the “call to action” links actually goes to a site that has even the remotest connection to the service it purports to represent. Why would my American AT&T account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?
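Those three checks (who really sent it, who it was sent to, and where each link really goes) can be done by a script just as easily as by eye. What follows is an added example, not code from the original post: a small Python program that reads a saved .eml file, pulls the sender’s domain, flags recipient-list entries that aren’t addresses, and compares each link’s visible text against its real destination. The embedded message is constructed to mimic the fake AT&T notice described above; the domains in it (irs-notices.example, client.example, att-billing-review.example) are made up, the script name check_mail.py is hypothetical, and the brand domain to compare against is supplied by you.

```python
"""Added example, not code from the original post: the sender, recipient and
link checks described above, run by a script over a saved .eml file."""
import email
import json
import re
import sys
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake AT&T notice: brand in the display
# name, unrelated sending domain, junk in Cc, and a link whose text and
# destination disagree. Every domain below is made up for this example.
SAMPLE_EML = b"""\
From: "AT&T Billing" <billing@irs-notices.example>
To: webmaster@client.example
Cc: a@example.com, not an address, b@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your AT&amp;T statement is ready to view.</p>
<p><a href="http://att-billing-review.example/login">www.att.com/myatt</a></p></body></html>
"""

# Anchor text that reads like a host or URL, e.g. "www.att.com/myatt".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def registered_domain(host):
    """Crude registrable domain: the last two labels (www.att.com -> att.com).
    Enough to catch the mismatches below; real tooling uses the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Return the decoded text/html part, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def analyze_message(raw, brand_domain):
    """The by-hand checks as data: sender domain vs. the brand, recipient-list
    junk, and each link's visible text vs. where it really goes."""
    msg = email.message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    report = {"sender": sender, "sender_domain": sender_domain,
              "sender_ok": sender_domain == brand_domain,
              "bad_recipients": [], "links": []}
    # Automated vendor mail is addressed to you alone; Cc entries that are not
    # even addresses mean a sloppy mass mailing.
    for hdr in ("To", "Cc"):
        for entry in (msg.get(hdr) or "").split(","):
            entry = entry.strip()
            if entry and "@" not in entry:
                report["bad_recipients"].append((hdr, entry))
    parser = LinkExtractor()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        text_domain = None
        if URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            text_domain = registered_domain(urlparse(shown).hostname or "")
        report["links"].append({
            "href": href, "text": text, "href_domain": href_domain,
            "text_domain": text_domain,
            "goes_to_brand": href_domain == brand_domain,
            # Text names one domain, href goes to another: the classic hook.
            "mismatch": text_domain is not None and text_domain != href_domain})
    return report


if __name__ == "__main__":
    # usage: python check_mail.py [message.eml] [brand-domain]; defaults to the sample
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(json.dumps(analyze_message(raw, sys.argv[2] if len(sys.argv) > 2 else "att.com"), indent=2))
```

On the constructed sample the report says the sender’s domain is irs-notices.example rather than att.com, that the Cc line carries the entry "not an address", and that the one link shows att.com in its text but goes to att-billing-review.example. The domain comparison is deliberately simple (last two labels), which is fine for spotting "text says one site, link goes to another" but will misjudge country-code domains like example.co.uk; swap in a public-suffix-list library before relying on it for anything more than a second opinion.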
What this means for you:
These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.
In a rare public admission, Apple has indicated that some of its own internal Macintoshes were compromised in a cyberattack that security researchers believe is similar to the one that breached Facebook last week. Announcements of this type from Apple are very rare, as Apple has long touted as one of the strengths of its platform how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame at Java and a vulnerability in it that was exploited to gain access to Apple employee computers.
What this means for you:
Apple’s recent breach is just one more notch in cybercrime’s belt, alongside a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep and Burger King, not to mention the numerous intrusions into government agencies and countless hacks of businesses that go unnoticed and unreported. In the case of the Apple and Facebook breaches, the source has been tied to a mobile development website that both companies’ employees visited, and according to both companies, there is no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium-size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today. Organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any of a dozen untraceable ways, rent out zombified computers and web servers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shotgun-targeted campaigns that only need to snag a small percentage of victims to be profitable. This is not some imaginative cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training.
Industry analysts are taking off their rose-colored glasses after examining the results of BlackBerry’s largely lackluster launch of its BlackBerry 10 platform. Original estimates had the newly renamed company (formerly Research In Motion) selling as many as 1.75 million new phones following the January 30 debut. Using words like “soft launch” and “modest demand”, analysts are now revising their estimates down by as much as 83%, putting BlackBerry’s comeback in serious doubt.
What this means for you:
It’s probably too early to call it, but BlackBerry really needed a big splash with the BlackBerry 10 launch, and to keep surging forward with momentum to stay on par with the anticipated Samsung and Apple launches on tap for summer. Early reviews indicate that BlackBerry 10 phones have caught up with the competition, but the technology hasn’t leapfrogged it, something BlackBerry really needs to do to gain any footing in this market, as it can’t outspend Google, Apple or even Samsung. If your company is heavily invested in BlackBerry and still supports it for corporate communications, you can’t go wrong with a Z10 or Q10, as long as your IT department has committed to keeping its BB infrastructure current. If they seem even the slightest bit wishy-washy on that subject, or they already support Android and iOS devices, you’ll make a safer investment in another platform.