For those of you who haven’t seen the Amazon Echo in action yet, it can be quite an eye opener. We are quickly converging on an environment that was not long ago considered science fiction. The Echo can quietly sit in the corner of your room, waiting for anyone in the family to give it a command, whether it’s to play some music, check the weather or order something from (surprise surprise!) Amazon. It’s also a perfect example of technology racing ahead of the law, and unlike the ongoing controversy around email and ECPA, the stakes are much higher because of who is allegedly at risk: our children. I’ll admit that this may seem a bit melodramatic, but the Guardian US isn’t wrong when pointing out that Echo and other products like it (think Apple’s Siri and Google Now) might actually be in violation of COPPA. For those of you in the room who are not lawyers, this is the Children’s Online Privacy & Protection Act of 1998 which, among many things, prohibits the recording and storage of a child’s voice without explicit permission of their parents or legal guardian.
What this means for you:
Even though I am a parent of a young child whom COPPA was enacted to protect, it hasn’t been too hard to suppress the urge to disconnect and discard every voice-activated, internet-connected device we own (which would be quite a few, including my daughter’s precious iPad). As with many technology items that dance on the edge of privacy invasion, I weigh the convenience and value they bring against the loss of privacy and security they inherently pose. I do see the problems technology like this presents: thousands (possibly millions) of parents set down products like Echo and Siri right in front of their children precisely because using them is simple and intuitive, and in the case of Echo, they are actually designed for use by everyone in the family. However, most people probably don’t realize that today’s voice recognition technology relies on pushing recordings of voice commands to the cloud where they are cataloged and processed to improve algorithms. Not only do those recordings store our children’s voices, they are also thick with metadata like marketing preferences, “Alexa, how much does that toy cost?” and location data, “Alexa, where is the nearest ice cream shop?” I’m pretty sure none of us gave explicit permission to Apple before allowing our kids to use Siri on their iPads and iPhones. If you were to adhere to a strict interpretation of COPPA, Apple, Amazon and Google (as well as many others) have an FTC violation on their hands that could cost them as much as $16,000 per incident.
As for your Echo (or smartphone or tablet) – only you should judge whether it’s an actual risk to your child. For the moment, the law is unclear, and knowing our government, likely to remain so long after the buying public makes up its own mind.
In what appears to be a record-breaking breach, the information exposed when MySpace was hacked in 2013 has finally been publicly documented by website LeakedSource as containing nearly half a billion passwords for 360 million accounts, dwarfing previous breaches like the US Voter Database Breach (190M), eBay (145M) and Global Payments (130M). What makes this breach particularly egregious is the fact that MySpace was storing these passwords with a very weak hashing algorithm (SHA1) and no “salting” (a technique that adds a unique random value to each password before it is hashed), resulting in a massive password source for hackers and identity thieves.
What this means for you:
Numerically speaking, the odds are at least one of your passwords (present or past) has been compromised and is likely to be found in either LeakedSource’s or Have I Been Pwned’s databases, both of which offer a simple lookup tool to see if your password or passwords have been exposed in any of the numerous breaches that have occurred over the past few years. Depending on how diligent you have been in keeping unique passwords or at least changing them, if a search turns up positive on either site, and you are still using that same password or a similar one with minor changes, you should go out and change it immediately. Additionally, if it’s available, you should be using 2-factor authentication to secure any important online accounts, especially email. Lastly, stop using the same password everywhere. It’s only a matter of time before that will come back to haunt you!
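To make the SHA1-and-salting point concrete, here is an added example (not MySpace’s code and not part of the original post) that stores the same passwords two ways: unsalted SHA1, and PBKDF2 with a per-user random salt. The account names, passwords and iteration count are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users picked the same password.
SAMPLE_ACCOUNTS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "Tr0ub4dor&3",
}

# Assumption for this example: PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """Weak storage as described in the post: one fast SHA1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Hardened storage: fresh 16-byte salt per account plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(stored: dict) -> list[list[str]]:
    """Group accounts whose stored value is identical.

    With unsalted hashes, equal passwords are visible straight from the
    table, and one precomputed hash matches every account that used it.
    """
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def build_tables(accounts: dict) -> tuple[dict, dict]:
    """Return (unsalted SHA1 table, salted PBKDF2 table) for the accounts."""
    weak = {user: unsalted_sha1(pw) for user, pw in accounts.items()}
    strong = {user: salted_record(pw) for user, pw in accounts.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables(SAMPLE_ACCOUNTS)
    print("unsalted SHA1 duplicates:", duplicate_groups(weak))
    digests = {user: digest for user, (_salt, digest) in strong.items()}
    print("salted PBKDF2 duplicates:", duplicate_groups(digests))
```

In the unsalted table the two accounts that share a password are indistinguishable, while the salted table gives each account a different stored value even though the password is the same.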
In an extremely unusual occurrence, the operators/handlers of the infamous TeslaCrypt ransomware have announced they are discontinuing operations of their highly lucrative malware campaign for undisclosed reasons. Analysts speculate it could be anything from growing law enforcement attention, redirection of resources to even more virulent malware, to the unlikely scenario that the operators have made enough money and are feeling generous. Whatever the case may be, researchers from security company ESET contacted the “retiring” operators and asked them if they would publish TeslaCrypt’s master key, and to everyone’s astonishment, they obliged. Armed with this critical piece of data, ESET and others have built apps that have the capability of decrypting data that is being held captive by any number of TeslaCrypt variants dating back as far as early 2015.
What this means for you:
For one of my clients, a distant hope for this exact scenario finally paid off. Their data has been trapped in encryption for over a year, and as they didn’t have a viable backup at the time of the infection, they walked away from nearly a decade of data that was locked away even after paying the ransom. After our initial attempts to recover the data with what seemed to be a fake key, we put the data aside in the hopes that the master key would someday be recovered, possibly through law enforcement activities. Fast forward to this past weekend: after several hours of number crunching with tools provided by the brilliant folks at BleepingComputer.com and the master key secured by ESET, I was able to successfully decrypt nearly 200,000 files in what appears to be a full recovery of the “kidnapped” data.
If you happen to be among the unfortunate few who fall into this same ransomed data, backup-bereft category, your long-odds gamble may actually pay off like it did for my client. Counting on events like this unfolding for other variants of malware is still highly irrational. Last time I checked, there were still large portions of the world beset by malicious and criminal behavior, and it may never be revealed why the TeslaCrypt operators released the master key. Even if some hackers discovered compassion for their fellow humans and gave up their black-hat ways, there are ten others ready to take their place. Cybercrime continues to be a huge moneymaker for the criminal element. For this reason alone, you should continue to reinforce your technology defenses with a strong firewall, competent anti-malware and reliable offsite backups.
In case you are new here, let me catch you up on the primary purpose of this blog. My objective is to scare you into being more secure with technology. It doesn’t always work – one person’s phobia is another’s fetish, but this one ought to give you pause. A white hat security hacker has uncovered a bug in Symantec Antivirus that would allow for an almost trivial exploitation of its scanning engine to actually compromise the computer it’s supposed to be protecting. And this bug exists across all three major operating systems – Windows, OSX and Linux – something that is very rare in any type of software. Not worried yet? A victim doesn’t even need to open an infected file because Symantec will do it for them when it scans the file in your email, or scans a link in your web browser. Just touching a file designed to exploit this bug will cause a memory buffer overflow, which is tech-speak for “OK malware, I’m puckering up so you can plant a big haymaker right in my kisser.”
What this means for you:
If you don’t use Symantec or Norton products for malware protection, carry on and enjoy that feeling of schadenfreude most technology users rarely experience. If you do use either of those products, Symantec has already patched this bug, and if your software is set to update automatically, it should no longer be a problem. Therein lies the rub: do you know if your antivirus is up to date? How many of you have been ignoring the little warning flags your AV has been waving at you from the corner of your screen, “Hey, I need to update but I can’t for some reason!” Do you know how to make sure your antivirus is updating regularly? By the way, “regularly” means daily, if not multiple times a day. Zero-day exploits are sometimes seen within hours of a vulnerability being published. Security companies like Symantec stake their reputation on reacting quickly, but they can only lead your computer to the update river. You need to make sure it’s drinking deep, daily. Not a software update wrangler by trade? Well it just so happens I know someone who is, pardner.
You wouldn’t let your business be run by amateurs, so why would you leave your technology to anyone less than an experienced professional?
As the adage goes, “All good things must come to an end.” Microsoft has announced that as of July 29, 2016, it will no longer offer the free Windows 10 upgrade to Win7 and 8 users. Now whether this offer qualified as “good” is a matter of debate for some folks, especially the ones that have been nagged to the edge of patience to upgrade, or the ones that finally relented, only to discover that despite Microsoft’s assurances that their computer was ready for the switch, it was very much not. For those of you still dutifully ignoring Microsoft’s system tray app “Get Windows 10” (aka GWX), your ordeal will be over before the summer is done.
What this means for you:
If you’ve been holding out upgrading, but still plan to take the plunge, you’ll have to make a decision very shortly. Though it’s likely Microsoft will have some sort of upgrade offer to carry on the Windows 10 crusade, it may not be as generous as the one expiring in a few short months. My recommendation hasn’t changed in this regard: your computer needs to be a late model computer (2 years old, max!) with at least 4GB of RAM and at least 500GB of hard drive space, running a 64-bit OS before you should even consider upgrading. On top of this, your OS must be in tip-top shape, meaning no recent malware infections, major software crashes or undiagnosed performance issues – these things will wreck a Windows 10 upgrade without exception. Additionally, you need to make sure any critical software on that computer is Windows 10 compatible and supportable. The latter is key – lots of software will run on Windows 10, but the manufacturer may not provide any support, and even if you have pros like C2 in your corner, there’s only so much we can do without official support. Look before you leap, but start looking now!
For those of us old enough to remember the cartoon, I’m willing to bet that at least a few of us are still holding out hope for a Jetsons future, complete with personal jetpacks, flying cars and fully automated homes. We’re getting closer on the car and jetpack thing, but it seems we have some way to go on the home automation, despite it being around in some form for decades now. Samsung’s SmartThings platform has been around for a few years now and the continuing permeation of mobile devices across all aspects of our daily lives has led to some amazingly convenient but woefully insecure home automation systems. Researchers at the University of Michigan have demonstrated several security vulnerabilities in internet-connected door locks, fire alarms and lighting systems to name a few. At the moment, using the Internet of Things to upgrade your home may actually downgrade your security.
What this means for you:
Despite the technology being available for several years, most Americans have only just begun to discover a small glimmer of a Jetson-esque future. This is due to a combination of factors that include price, complexity and a (justifiable) lack of trust in remote control devices to secure their most prized (and pricey) investments. Even Silicon Valley darling Nest (now owned by Alphabet née Google) suffered multiple PR setbacks via highly-publicized bugs, failed hardware and canceled products. As such, these products and others like Samsung’s SmartThings are only just starting to realize enough critical mass in the market to capture the attention of security researchers. For now, the University of Michigan researchers are cautioning against using the SmartThings platform wherever security is a paramount concern. I don’t know about you, but as far as this homeowner and business-owner is concerned, my house and office can stay dumb for the moment. I already have problems with phones that are too smart for their own good.
In the early days of the internet, building a server dedicated to providing email for your company was a sign that you understood the significant role it played (or would play) in your company’s success. Even small companies spent countless thousands of dollars investing in these complex technology beasts, primarily because it was either that, or use consumer services like CompuServe, HotMail or AOL which just couldn’t meet the growing security and legal needs of most companies. Fast forward to today and I’m still seeing SMB companies insisting on running their own servers for reasons that have since become a liability to their own business.
Things you should consider if you are still running your own email server:
- Do you think your email server is more secure than the ones run by Google, Microsoft or any technology company whose entire business model is built around providing that service? Unless you are in the business of providing email services, you should focus your efforts and money on your core business.
- How reliable is your technology infrastructure? What happens when your internet goes down? What about the power in your building? Most clients I know have at least one planned power outage a year and probably several unplanned ones, on top of the occasional internet circuit failure. One client was recently down for over a week during the Verizon-Frontier fiasco. Could you survive without email for that long? Could your company?
- How much money have you spent supporting an email server that provides service for a small staff? Have you calculated the cost per user per month? Is it less than $5? If not, you are not “beating the market”. And even if you are, how long do you think that will last? Did you factor in spam and malware filtering licensing costs?
- After having the same mailbox and server for years, has your mailbox grown to an enormous size and now you are running out of space and have no real means to do anything about it? Is your mail backed up? Can you even reasonably search through that much email and not have constant problems?
- Have changes in your industry required you to provide security like encryption or compliance filtering? Suddenly you are faced with the prospect of needing to not only purchase new software, but also having to update your technology infrastructure just to be compatible with the new software.
If any of these five points hit close to home, you should definitely be considering the move to a hosted email provider. The market has stabilized to the point of being able to provide enterprise-grade email services on an SMB-sized budget, leveling a playing field that used to favor deep pockets and dedicated IT staff. It’s time to retire the in-house email server and invest in the future of your business instead of a dead-end technology strategy.
During its heyday, Apple’s QuickTime software was arguably hailed as the king of digital video. Though there were many competitors (remember Real video?) Apple’s codec reigned supreme in both editing as well as playback for many years, making Apple’s Mac computers the de facto standard in high-end digital video editing. Not unwisely, Apple realized the untapped market potential on the Windows side of the fence, and released a version of QuickTime for Windows 3.1 in 1996, and has steadily iterated on the platform through last year, though its use has declined steadily since the rise of streaming web video. Apparently usage has fallen off so dramatically that Apple recently announced it was no longer supporting the Windows version of QuickTime, hot on the heels of the announcement by US-CERT that the latest version of QuickTime for Windows had two significant zero-day vulnerabilities.
What this means for you:
Because I know you, I won’t bore you with how the zero-days work, just know they are serious enough for the Department of Homeland Security to issue an alert. It’s not likely you will have Apple’s QuickTime software installed on your late-model business computer, but if you own an older computer at home (5-6 years old), and you’ve installed iTunes on that computer, you probably have QuickTime installed as it was bundled into iTunes as recently as 2011. If you happen to be in the relatively narrow demographic of digital video editor using Windows and Adobe’s Creative Cloud suite, you might also have QuickTime installed as it’s a requirement for certain video editing formats.
Either way, if you have it installed, remove QuickTime immediately. Apple has no plans to patch the vulnerabilities, and even though there are no known exploits in the wild as I write this, you can bet the high profile exposure has already triggered a wave of malicious programming. The easiest way to determine if QuickTime is installed is to go to Control Panel -> Programs & Features -> Uninstall Programs and scan through the list for “QuickTime” (not Apple QuickTime, like you might think). On older OSes you might have to look in Control Panel -> Add/Remove Programs. While you are there, you can look for other old programs you don’t use anymore and remove them in the spirit of spring cleaning.
Looking back over the past few weeks I realize I’ve fallen down on my job of terrifying you with news of the latest technology boogeyman. There’s a new ransomware in town and this one gets down to business in a hurry. Dubbed Petya by security company F-Secure, this vicious piece of malware works in a similar fashion to its brethren by encrypting data and holding it for ransom, with a twist: instead of encrypting just your documents, it will “kidnap” the entire disk by encrypting the master file table, and it can do so very quickly because the MFT is just the “index” of all the files on your drive. If you were to think of your drive as a book, this is the equivalent of putting a lock on the cover and holding the key for ransom.
What this means for you:
At minimum, any virus infection is going to result in a bad day even if you have a full backup of your important data. Before your data can be restored, you need to be certain the malware hasn’t spread to other machines and is waiting to pounce the moment you get the data restored. With previous versions of ransomware, the attack would leave affected machines more or less operational as the malware only encrypted documents and usually left applications and the operating system intact. Not so with Petya, which locks out the entire disk. If this malware were to attack a server, it could paralyze an entire company within seconds. If you thought recovering and cleaning up a workstation took a long time, double or triple the time needed to bring a server back online, and that’s only if you had full-disk backups and not just files. A malware attack is inevitable – no amount of money, time or paranoia can provide 100% protection. Your only hope for a recovery is proper data backups managed by an experienced professional. Are you ready to test your backup plan?