Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


Fake Browser Updates Trick Users

admin
Friday, 30 November 2012 / Published in Woo on Tech

Hackers are now taking advantage of conscientious users who have been repeatedly warned by folks like myself to keep their software, specifically their browsers, up to date. If a user happens to surf to a website hosting this new style of attack, they will be presented with a realistic-looking warning that asserts their browser is out of date. If they click the convenient link to update the browser, they will instead be infected with a trojan that forcibly changes the browser homepage to a site that will deliver a full payload of malware. If the user is unfortunate enough to have his or her anti-malware software overrun, they will quickly have a severely compromised computer.

What this means for you:

You should only ever download updates for your software from the manufacturer’s website, as it’s extremely unlikely for manufacturers to use third-party hosts for software updates. In the above example, users were directed to download an update from a domain “securebrowserupdate”, which is something Microsoft, Google, Mozilla or Apple would never do for their browsers. If you happen across a pop-up warning that an update is available for your browser, and you aren’t sure it’s legitimate, close it, then check your update status through the browser’s built-in interface, usually under the “Help” menu. Still not sure? Why not call an expert like C2?
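The manufacturer-only rule above, written out as a check (an added example, not part of the original post). The vendor domain list is an assumed, illustrative allowlist for the four vendors named, and every sample URL is constructed, with `.example` standing in for the lure domain's unstated ending.

```python
from urllib.parse import urlsplit

# Assumed, illustrative allowlist for the four vendors the post names;
# it is not a complete list of their download hosts.
VENDOR_DOMAINS = {
    "microsoft.com": "Microsoft",
    "google.com": "Google",
    "mozilla.org": "Mozilla",
    "apple.com": "Apple",
}


def check_update_url(url):
    """Return (verdict, reason) for a link offered as a browser update."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # lower-cased, no port/userinfo
        userinfo = parts.username or ""
    except ValueError:
        return ("reject", "malformed URL")
    if parts.scheme != "https":
        return ("reject", "not https")
    if not host:
        return ("reject", "no host")
    labels = host.split(".")
    # Compare whole DNS labels from the right-hand end, so that
    # 'notmozilla.org' and 'mozilla.org.<lure domain>' both fail.
    for domain, vendor in VENDOR_DOMAINS.items():
        wanted = domain.split(".")
        if labels[-len(wanted):] == wanted:
            return ("vendor", vendor)
    # Not a vendor host: say so, and flag a vendor name used as bait
    # either inside the host name or in the part before '@'.
    for domain, vendor in VENDOR_DOMAINS.items():
        name = domain.split(".")[0]
        if name in host or name in userinfo.lower():
            return ("reject", f"{vendor} name used as bait on {host}")
    return ("reject", f"{host} is not a vendor domain")


# Constructed sample links, not taken from the reported attack.
SAMPLES = [
    "https://www.mozilla.org/firefox/",
    "https://securebrowserupdate.example/update.exe",
    "https://mozilla.org.securebrowserupdate.example/firefox.exe",
    "https://google.com@securebrowserupdate.example/chrome",
    "http://www.google.com/chrome/",
    "https://notmozilla.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = check_update_url(sample)
        print(f"{verdict:7} {sample}  ({reason})")
```

The check compares plain ASCII host names only; look-alike internationalized domains would need separate handling.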

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Change your router password now

admin
Wednesday, 28 November 2012 / Published in Woo on Tech

Security researcher Bogdan Calin has reportedly devised a new cyberattack method that can compromise certain types of routers merely by a local user opening an email on their iPhone, iPod or Mac. This new vector takes advantage of two common security weaknesses: the default mail client settings on Apple devices that load remote images automatically, as well as default or weak admin passwords on consumer-grade routers that are often found in residences and small businesses. In a nutshell, the attack works by taking advantage of your router’s ability to be managed via web browser by opening dozens of hidden pages with login and setting changes, each firing off in turn until one of them effects the change.

All of this happens in the blink of an eye, and because the changes don’t have to be destructive immediately, the user would not know they had just compromised their own network. These settings could include changing your DNS settings to servers that a hacker controls, allowing them to misdirect anyone on that network to sites that can further hijack computers. For example, typing “Google.com” would no longer take you to the actual Google website, but could instead send you to a counterfeit site that, for all intents and purposes, looks very similar to Google’s own site, and from there, could lure unsuspecting users into further compromising decisions.

What this means for you:

As of now, this particular attack only works on specific types of routers, and relies on the fact that many people have never set their router password to something other than the default it shipped with from the factory. Despite Mr. Calin’s warning, Apple is not planning to address the settings exploit, and has instead suggested that users can turn off the automatic loading of remote images in emails (the default setting in Android mail clients) if they wish additional security, but with the downside that all images, legitimate or not, would be prevented from loading. The simplest solution, of course, is to set your router password to something other than the default, and preferably one that is hard to guess or brute-force.

Image courtesy of Victor Habbick / FreeDigitalPhotos.net

Chrome still tops for avoiding phishers

admin
Wednesday, 28 November 2012 / Published in Woo on Tech

A recent study by security firm NSS Labs shows that Google’s Chrome browser still has the best detection rate (94%) for spotting phishing URLs, and on average, new malware sites are reported and blocked by all browsers within 5 hours of discovery, a significant improvement over the 16+ hours that same process would have taken in 2009. Firefox showed the best response time to reporting and blocking new sites at 2.3 hours – more than twice as quick as IE10.

What this means for you:

All of the major browsers have significantly improved their ability to protect users, to the point that there is very little statistical difference in their security capabilities. Many of my clients still ask me if one is better than the other, and the answer is always, “It depends on what you need the browser to do.” I still use Chrome for most of my work, but there are still enough times when I’m working with online apps that only work with Internet Explorer. The most important factor to consider is making sure whatever browser you do use is kept up to date, and that you practice safe and cautious surfing whenever working with unfamiliar websites.

Hacked South Carolina systems were exposed for weeks

admin
Tuesday, 27 November 2012 / Published in Woo on Tech

In a follow-up to the much-publicized security breach that exposed sensitive data on millions of South Carolina residents, the governor’s office has released the official report on the incident, as researched by security firm Mandiant. The origin of the attack was traced to an unnamed state employee clicking on a phishing email, leading to the immediate compromise of that employee’s network credentials. From there, the hackers were able to gain access to 44 different government systems and 74GB of uncompressed taxpayer data and encryption keys. More importantly, it was revealed that the millions of Social Security numbers stolen in this attack were being stored unencrypted, primarily because the current Internal Revenue Service standards do not require encryption of any kind.

What this means for you:

It’s a running joke that governments are typically way behind the times when it comes to operational efficiency, which was fine in the days of mimeographs, fax machines and microfiche, but it’s no longer a laughing matter in the age of the Internet. The fact that the IRS still isn’t requiring states to encrypt your critical data is an open invitation to cybercriminals everywhere, as well as every amateur hacker looking for a quick payday and street cred. On top of this, the fact that government agencies like South Carolina’s Revenue Department are relying on outdated and unsafe standards that even sophomore technology professionals would recognize as being insufficient is appalling and reprehensible, mea culpa notwithstanding.

Despite the egregious lack of security, the breach in question happened because an employee opened the door. You may be well-informed and security conscious, but are your employees properly trained to spot and avoid phishing emails? Are they engaging in insecure behavior, either out of ignorance or willful disregard of company policy? If you handle sensitive personal information during the course of normal business, are they aware of the federal regulations regarding the handling and disposing of that information?

Red-Light Special or Red Alert? A Special Black Friday Message

admin
Wednesday, 21 November 2012 / Published in Woo on Tech

The new tradition of Black Friday (and Cyber Monday) shopping online has not only caught on with bargain hunters hoping to avoid crowds and early-morning lineups, it has also caught the eye of the digital criminal element, who will be counting on naive (and not so naive) shoppers clicking on links to dodgy sites that, instead of delivering amazing deals, will end up costing unwary bargain hunters more than they bargained for.

It is believed that various cybercriminals will attempt to lure victims into clicking links promising deals too good to pass up, either delivered via email, or posted on the various bargain/coupon code websites that are scattered across the internet. Once you click a link to a site that is handing out malware instead of savings, your machine is likely to get infected with one of the hundreds of variants of malware, all with the express intent of wreaking havoc on your holiday weekend (and beyond), extorting money out of you via ransomware demands, or worse still, lying dormant and undetected on your computer until you start typing in sensitive information, like the password to your banking website and email account. Once that happens, you are only clicks away from identity theft and probable financial damage.

What this means for you:

Common sense and caution are your best defenses, but you should also observe the following:

  • Have updated and working antivirus software from a well-known manufacturer.
  • Only click links to websites that you recognize – make sure the link you are clicking isn’t being spoofed.
  • Can’t confirm a website, or not familiar with the source? Google the domain name – the real domain name, to see if virus/hoax reports have been associated with that domain.
  • If the deal sounds too good to be true – it probably is. Call the store to confirm the deal if in doubt. Talk to a human.
  • Still can’t confirm? Proceed with extreme caution at your own risk. Is the deal really worth the risk of your security being compromised?

Image courtesy of “digitalart” / FreeDigitalPhotos.net

Surface Tablets: the honeymoon is over

admin
Tuesday, 20 November 2012 / Published in Woo on Tech

If you’ve held off buying a Surface tablet in the hopes that the new device would settle in and get its legs after a less-than-stellar showing at launch, you have probably been disappointed to find that instead of capturing the hearts and minds of the public (or the media), the Surface continues to struggle for identity in the shadow of the iPad and, to a lesser degree, Google’s Nexus tablets. Zach Epstein at BGR.com had one of the more favorable launch reviews of the tablet, and 30 days later, he updates his stance: he’s still thumbs way up on the hardware, but finds that Microsoft’s innovative hardware is limited by Windows RT, the tablet-only version of Windows 8, and its still-thin selection of apps.

What this means for you:

Mobile warriors looking to get work done via tablet alone (that aren’t already doing it via the iPad or Nexus) may still find themselves hamstrung by the limitations of Windows RT and the lackluster selection of apps. Even if you spend most of your time in Microsoft Office, performance of Outlook RT is still poor, and if there’s one thing people won’t suffer, it’s a slow email client.

Look carefully at the applications you need to exist as a tablet-capable version before chucking your laptop for any tablet (not just the Surface), and even if it does exist, make sure it meets your needs before investing. Die-hard tablet enthusiasts will be able to surmount most of the limitations of Windows RT just by virtue of their innate patience and willingness to “hack” around problems, but if you are someone whose patience is tried even by the ultra-polished iPad, don’t even think about a Surface at least until the Windows 8 Pro versions arrive in early 2013.

Passwords can no longer protect us

admin
Saturday, 17 November 2012 / Published in Woo on Tech

If you didn’t get your fill of scares this past Halloween, sit down and read this article about password security from Mat Honan, the Wired Magazine writer whose digital life was destroyed this past summer in minutes by teenage hackers. If you only read one article this year, you should read this one, but in case you don’t (or can’t or won’t), I’ll try to sum up the most important parts of the article:

  • We are sacrificing privacy and security for convenience.
  • Passwords (even long, hard to guess ones) are no longer viable.
  • The technology industry hasn’t been able to come up with a better solution to this problem.

What this means for you:

Again, if there is one article you should read this year, especially as you gear up to get your online shopping done this upcoming Black Friday, it’s this one! You’ve heard me give you all the precautions and practices you should be following to better secure your online information, but Mat explains in easy-to-understand, non-technical terms why folks like me are growing increasingly concerned – and in some cases frightened. We, as a civilization, have hit a critical point in our history, and if we don’t make some careful choices and some necessary changes to how we use computers, we are heading down a road of security ruin that could impact anyone that uses technology as a critical part of their lives.

Until better solutions to the password problem arrive, there are some things you can do:

  • Don’t use the same login and password for multiple sites.
  • If it’s available, use 2-factor authentication to secure accounts, especially email.
  • Don’t use easy to guess passwords. Use really hard ones for your most important accounts.
  • Use a separate, hard-to-guess email account for password resets that is separate from your main email account. Gmail is great for this, as it offers two-factor authentication.
  • For password hint questions, e.g., “What is your mother’s maiden name?”, use incorrect answers that aren’t easily found on the web and that only you would know.

Read the article for even more tips on how to make yourself harder to hack.

NASA loses laptop with sensitive data

admin
Friday, 16 November 2012 / Published in Woo on Tech

In yet another instance of high-profile data loss, the National Aeronautics and Space Administration (NASA) has announced that a laptop containing unencrypted, sensitive data was stolen. Ahead of a final determination of the extent of the data exposure, NASA has warned its 300,000 employees and contractors to be extra cautious and that they may be at risk for identity theft.

As a result of this theft and previous data exposure incidents, the organization has established a new policy that all laptops will be encrypted from this point forward, and until the encryption can be enforced, laptops with sensitive data can no longer be removed from NASA facilities.

What this means for you:

The NASA laptop in question was password protected, but you may not be aware that gaining access to data on a password-protected laptop is trivial when you have the actual device in your physical control. Though it does add overhead to the overall performance of laptops, encrypting data partitions or even the full drive is the only way to truly safeguard data on mobile devices, and it is a compromise that savvy organizations are willing to make in order to allow their knowledge workers the mobility required in today’s technology environment. If you or your knowledge workers work with sensitive data, whether it be employee records or client data, you should review your organization’s privacy and security policies to ensure you are properly protecting yourself from a damaging security breach and data loss.

VA puts its head in the Cloud

admin
Wednesday, 14 November 2012 / Published in Woo on Tech

In what is being called the largest migration to cloud services so far, the Department of Veterans Affairs has just inked a deal with Microsoft and HP Enterprise Services to move its 600k users to Microsoft’s cloud-based office productivity suite Office 365. The move is seen by many as further evidence of a significant shift in corporate IT strategy away from costly infrastructure investments to cloud services for every aspect of technology. Over the past 10 years, enterprise IT departments have been gradually but inexorably moving application platforms out of their own datacenters to providers like Oracle and SAP, but hesitated when it came to the garden-variety desktop applications that knowledge workers use daily. That reluctance may be disintegrating as services from Google and Microsoft make it hard to dismiss the tremendous efficiencies and savings that can be realized by getting rid of the real estate and overhead needed to maintain desktop-based applications.

What this means for you:

Many of you work in the cloud daily without giving it a thought. Perhaps you never thought of Gmail or Hotmail or Yahoo Mail as a productivity app, but what about Salesforce, or LinkedIn, or even Facebook? Both Google and Microsoft’s cloud-based office apps are full-featured and powerful enough for everyday business tasks, and the very nature of their delivery makes deployment, security and maintenance much simpler than software installed on desktops. This same strength also proves to be a weakness: if you lose your internet connection, you also lose your ability to work. Well, that’s easy to solve, I can hear you say. Why not just move to another location where the internet is working? What if it’s the cloud itself that is unavailable? Once again, the cardinal rule of compartmentalization comes into play – never place the entirety of your critical business operations in the hands of a single, monolithic platform, even if that platform is largely reliable. And this goes doubly so for a platform around whose neck you can’t comfortably get your hands, as is the case with a provider like Microsoft or Google.

Petraeus-Gate and Fallacy of Email Privacy

admin
Wednesday, 14 November 2012 / Published in Woo on Tech

Apparently, even the (former) head of the CIA can fall victim to a security breach. General David Petraeus recently handed in his resignation as the leader of the US’s Central Intelligence Agency when his extra-marital affair surfaced through an investigation led by the CIA’s own sister agency, the Federal Bureau of Investigation. What’s interesting is that the FBI didn’t use exotic technology or Hollywood-esque espionage to gain access to Petraeus’ “anonymous” email account – in the end, it boiled down to a simple, lawful court order through the Electronic Communications Privacy Act. Once the FBI had covert access, they were easily able to track the account usage and trace it to the General himself.

What this means for you:

What undid Petraeus – aside from lack of integrity and fidelity – wasn’t his extremely clever usage of Gmail. Once again, the subterfuge was ruined by a person – in this case, by his own mistress, Paula Broadwell, who sent threatening emails to Petraeus family friend Jill Kelley, who then got the FBI on the case. In the course of any criminal investigation, the ECPA grants the government authority to access any electronic communication without a warrant if it’s under 180 days old, and if it’s older than 180 days, then all that is needed is a court order. Even if you think you’ve set up an anonymous email account, all email travels through the internet by virtue of metadata attached to the digital envelope that is impossible to hide. Think of it as a digital postmark. And because all data must come from somewhere and go somewhere, IP addresses (and logs) make it possible to pinpoint those locations with ruthless precision. The next time you send an email that you need to be completely confidential, think carefully about the implications of it appearing on the front page of every news website in the world. Obviously, the government doesn’t have the time (or the justification) to watch everyone in America, but they certainly have the means, and the will to use them, even if it undermines one of their own sacred cows.

Image courtesy of renjith krishnan / FreeDigitalPhotos.net
