In August of this year, one of the world’s largest oil producers, Saudi Aramco, was targeted in a cyberattack that crippled tens of thousands of its computers. Despite the apparent success of the attack and the impact this would have had on the company’s operations, oil production did not falter, and the global economy continued its drunken flirtation with failure instead of rushing into an oil-shortage-fueled orgy of self-destruction. Saudi Aramco has not been forthcoming on the details of the attack, or how they managed to survive it relatively unscathed, but in the eyes of security analysts and even our own Secretary of Defense, Leon Panetta, this attack was “probably the most destructive attack that the private sector has seen to date.”
There are conflicting reports about the motivation behind the attack. The hacktivist group “Cutting Sword of Justice” has claimed responsibility, citing the act as a strike at the House of Saud, the ruling body of Saudi Arabia, refuting claims by security analysts who believe the attack to be a state or government-sponsored reprisal for the Stuxnet attacks that crippled the Iranian Nuclear Program. Intended to cripple oil-dependent economies like the US, government-backed cyberattacks on companies like Saudi Aramco can also gain proprietary geological survey data that could be extremely profitable for other, competing state-sponsored oil companies.
What this means for you:
Information is power, and there are very few companies that don’t store their most valuable data on computers and servers that are somehow connected to a network, if not the internet itself. Even if they had the best security known to man, it’s believed that at least one individual inside Saudi Aramco provided the means for attackers to compromise a company that produces 12% of the world’s oil. You should never rely 100% on technology alone for security – humans will always be more fallible than computers. Additionally, it’s important to provide some level of separation in your core business operations so that if a segment of your business is paralyzed, the entire operation doesn’t grind to a halt because the computers are offline getting repaired.
Kaspersky Labs just released their quarterly threat report for Q3 2012, and it’s dry reading for most folks not fascinated by IT security as I am. There are some notable trends that their research has surfaced, and I thought you might find some of these data points interesting:
- You are least likely to be infected by a fellow countryman in the nation of Denmark. (The US is in the lower first quartile, in case you were wondering.)
- Russia has overtaken the US as having the most websites hosting malware software.
- The most commonly found smartphone virus is designed to steal money from you by texting premium-rate numbers without you noticing.
- The most common way to get a virus infection is via drive-by infections, ie. visiting a dodgy website and getting infected when your browser loads pages that have embedded viruses.
- Of the top 10 most commonly found software vulnerabilities, 2 are found in Oracle software (Java), 5 from Adobe (Flash, Shockwave & Acrobat), 2 from Apple (Quicktime and iTunes), and 1 from Winamp.
- Over half of the detected malware infections came from Java vulnerabilities.
- For the first time in many years, Microsoft did not make the Top 10 list of vulnerabilities!
What this means for you:
Keep your software up to date. The java vulnerabilities have been patched, but many people ignore (or aren’t even aware) that Java needs to be kept up to date just like any other software installed on their machine. Keep your browser up to date, and if you have the choice, use the latest version of IE, or even better, Google’s Chrome browser. However, nothing will keep you safe if you don’t have proper malware protection installed, updated and ACTIVE. If you use an Android phone, see my previous article on the dangers of side-loading questionable apps. As of the moment, buying smartphone anti-virus software isn’t at the same state of “must-have” as computers, but we may be fast approaching that point. If you are careful about the apps you install on your phone, you don’t need it…yet.
According to analyst IDC, Android-based smartphones account for three out of every 4 phones sold worldwide in Q3 2012. As anticipated, this expansion of the market has also prompted a surge in fraudulent apps being developed and installed on phones. Security firm F-Secure reports a 10X increase in the number of distinct malware apps detected in the marketplace, finding over 50k apps this quarter alone. Most of these apps appear to be making their debut on 3rd party apps stores outside of the US looser security standards allow the malware to slip into the marketplace undetected.
What this means for you:
Earlier this year, Google implemented a security review process on its official “Play” store, reducing the number of fraudulent apps significantly. However, unlike the iPhone ecosystem, which locks users into only getting apps through its tightly controlled and reviewed iTunes appstore, Androids can bypass the Google’s official appstore to “sideload” apps on their smartphones via a single checkbox setting that is available in the operating system. Just because you can do something doesn’t mean you should. With the possible exception of Amazon’s App Store, I would not recommend installing apps from any 3rd party app store. Amazon.com led the way in sideloading by announcing their own appstore in early 2011, primarily as a means to avoid paying distribution fees to Google to service their own Android-based Kindle devices. Given that keeping their user base safe is probably of utmost concern, it’s likely that Amazon will be carefully reviewing apps distributed through their ecosystem.
If you insist on sideloading apps from a 3rd party app store, make sure you know what you are doing, review the apps carefully, and when in doubt, do your research before installing that magical app that will do it all, and is also free. It may not cost you any money up front, but the longterm damage to your security and identity may be a cost you can’t afford.
On Friday, the state of South Carolina announced that it had been the victim of a major security breach, and that as many as 3.6 million state residents (nearly 77% of the total state population) may have had their Social Security numbers and other personal identifying data stolen by person or persons unknown. As security firm Mandiant investigates the breach, they further revealed today that as many as 657,000 local businesses may have also be impacted by the data leak. The severity of the breach was exacerbated by the fact that the compromised data was actually being stored unencrypted on state-run servers, despite the fact it contained extremely sensitive tax information going back multiple years.
What this means for you:
Unless you are a resident of South Carolina or your business has filed taxes in that state, this particular event probably won’t impact you directly. However, it does serve to highlight that governments, like many businesses, fail to take security as seriously as they should, often under-spending on security or even ignoring potential threats. If you work with customer data that might be considered sensitive, are you doing enough to make sure that data is kept safe, not only from hackers, but from loss due to physical device theft, and damage from things like wildfires, floods, earthquakes or even a spilled cup of coffee? Most business won’t be able to prevent a determined hacker from penetrating their defenses, but they can make sure that sensitive data is stored properly (or not at all!) to minimize the collateral damage.
Everyone I know that uses an iPhone has told me that Siri is, at best, a fun party trick, and at worst, completely useless. If you were sold on your latest iPhone by the promises Zooey Deschanel or Martin Scorsese failed to deliver, then you may find solace in a competitive offering from Google. Voice search is now embedded in Google’s recently updated and free iOS search app, allowing you to ask natural language questions and (hopefully) receive audible answers powered by Google’s vast databases.
What this means for you:
If you are one of those people who don’t mind addressing their smartphones like they were animate objects, (you know who you are!) then this app is worth a try. Android users with the Jelly Bean operating system on their devices (Nexus users and some specific late-model Android phones) have been enjoying Google’s voice-driven search capabilities for several months, with generally favorable reviews as compared to Apple’s Siri. It’s free – all you have to lose is some time (and possibly your dignity).
Normally, New Jersey and Manhattan datacenters don’t have to worry about floods, but Hurricane Sandy quickly overwhelmed many major providers like Internap and Peer 1 who provide service across the country. While most of their electronics were relatively safe from the torrential rains and high winds, water will – given time and opportunity – get into everything, and thousands of buildings in the area experienced severe flooding in basements and even ground-floor spaces. “Surely they don’t keep their electronics down in the basement!” I can hear you exclaim, and they don’t, but what is down there are generators and fuel pumps for those generators, because that’s where most buildings put their big, noisy mechanical equipment. Power outages don’t stop big datacenters – they’re designed to last for hours, even days without power – but those generators need fuel and air. When they are under 5 feet of water, both are going to be in short supply.
What this means for you:
When doing your disaster preparedness and continuity planning (you do have a DR/BC Plan, right?) you need to assess all vendors that provide services you would consider critical to your core business processes, particularly the ones that service your customers, such as website or application hosts, or even your own employees such as outsourced payroll services. If you are using providers that have weak, or even incomplete DR/BC plans of their own, you may want to change providers, or, at minimum, compartmentalize your own business processes so that your company isn’t completely crippled by a weak point in your service supply chain.
Image courtesy of “winnond” / FreeDigitalPhotos.net
On October 26 of last week, a number of popular, “cloud-based” services suffered multi-hour interruptions. Among the outages was Google’s App Engine, a platform that is used by thousands of other websites and internet platforms including one of my favorites, Passpack.com. Some of your favorites may have been impacted as well: Dropbox, Tumblr and even YouTube were affected. For many, this was a non-event, particularly those who operate and compute within enterprise-based platforms, or rely solely on the desktop and storage of their own computers. C2 Technology relies heavily on cloud-based services, primarily Google products, for our core information systems, and I use Passpack to track the multitude of passwords I need to do my work. So when those outages hit on the 26th, I found myself unable to access the keys to my various digital kingdoms, and felt very much like someone who finds themselves locked out of their car, and at the mercy of another person’s timetable. In this particular case, Passpack.com wasn’t even to blame, as their own reliance on Google’s App Engine service hamstrung their ability to deliver service to their customers, and the fine engineers at Google themselves were struggling with the outage. Everyone’s brand took a hit, and yet there was no one any one of us could blame for the outage – not even a radical hackivist group looking to ruin someone’s day for political currency.
What this means for you:
Very simply, “Never put all your eggs into one basket.” This homily, however pastoral-seeming, still very much applies to how you should use technology, especially when it comes to your core business processes. As an illustration of how this can be bad: I was using Passpack to store my Gmail password, which was complicated and impossible to remember, and instead relying on a complicated, but easier-to-remember passphrase to access Passpack to retrieve that password whenever I needed it. When Passpack went down, so did my ability to access Gmail and all of my client contact information. The lesson to take away from this: if you are going to store critical information online, have a back-up plan for continuing to operate without access to that information. Either back-it up locally (fraught with its own set of risks), or compartmentalize parts of your operations so that they aren’t heavily reliant on a single service provider, or the presence of the internet.
Image courtesy of “vichie81” / FreeDigitalPhotos.net
Just a week after the debut of Windows 8, Microsoft held a press event in San Francisco, CA to announce the arrival of the latest version of its smartphone platform, dubbed Windows Phone 8. Timed to coincide with (and possibly to even eclipse) Google’s canceled East-coast press event, Microsoft instead had to fight for media attention with Hurricane Sandy. As a distant fourth place competitor, Microsoft has struggled to gain a toe hold in the smartphone race, facing daunting leads from Apple and Google, and even trailing the flagging RIM Blackberry platform.
What this means for you:
Unless you are a true-blue Microsoft fanatic, you more than likely already own a smartphone that gets the job done. There is a distinct possibility for Microsoft to overtake RIM’s Blackberry platform as the corporate phone of choice, but many enterprises have already opened their iron curtains for iPhones and Android devices. Gaining RIM’s share of the pie will only put them in 3rd place, and as such, integration into corporate environments will still take a backseat to solidifying usage of the dominant platforms. Most adopters of this platform will either be disatisfied technophiles looking for something fresh and different from iOS and Android, or corporate technologists investigating the platforms ability to integrate with existing Microsoft infrastructure. Microsoft’s primary hurdle in getting people to buy Windows phone remains in the lackluster app development landscape, which continues to be dominated by iPhone. Many of the most popular apps aren’t available yet for Windows Phone 8, and their arrival (if they come at all) will likely lag iOS and Android versions by months. If your primary smartphone usage is focused on making calls, checking email, and sharing pictures with your phone, Windows Phone 8 will get the job done, but if you like apps and don’t consider yourself an “early adopter”, give the platform at least another 6 months before weighing a change in platforms.
As anticipated, Apple announced the much-rumoured iPad Mini in a press conference on Tuesday in San Jose, CA. Measuring 7.9″ diagonally, the new tablet is just slightly larger than Amazon’s Kindle Fire, Google’s Nexus 7 and several other Android-based models that have preceded the Mini by as much as a year. Former CEO Steve Jobs was known for his contempt of the 7″ form-factor, but as Apple’s dominance of the tablet space has eroded over the past year, the Cupertino technology company has decided to field a 7″ horse in the race in an attempt to regain some lost ground. Wall Street, however voted its ambivalence to the move by selling off Apple shares moments after the announcement, dropping shares by as much as $20 in the days trading, citing the Mini as evidence that Apple has lost sight of what people really want, which is less choices, not more. Shareholders may have also been disgruntled by the announcement of a new revision of the latest iPad model featuring the new, compact data connector and a faster processor, “obsoleting” it’s 3rd generation iPad after only 7 months.
What this means for you:
If you’ve held out this long on buying an iPad, it probably wasn’t because it was “too big.” Most folks who did think the 10″ iPad was too big have already bought a 7″ Kindle, Fire or Android-based tablet and are more than likely firmly embedded in that devices ecosystem. Many tech-heavy households are also likely to have an iPad as well, so adding another tablet to the mix is probably not in the cards for the majority of consumers. Corporate buyers who were already reluctant to invest in iPads aren’t any more likely to buy a 7″ version, and instead will be watching the arrival of Microsoft’s Surface tablet very closely, as should you if you’ve not already made your tablet investment. If, somehow, you’ve managed to not buy any sort of tablet device, and find your smartphone is just a bit too small for reading or casual video watching, the iPad Mini may be a gentle gateway into the world of tablet computing. The 7″ form-factor is very portable and bag friendly, and big enough for personal entertainment, especially in crowded places such as planes, buses and the backseats of cars. Keep in mind: if you are used to the weight of the black and white Kindles that Apple’s new Mini is heavier, not only physically, but will also weigh twice as much on your wallet.
Now that the public’s overall awareness of phishing is much greater, getting people to click phony links in an email isn’t as easy as it used to be. However, phishers, now motivated (and possibly funded) by organized criminal elements, are investing more time in actually fooling people, producing very authentic-looking emails intended for audiences with accounts worth compromising, such as the ones that control payroll or bank accounts for small companies. A recent phishing campaign dissected by Webroot details a focused targeting of Intuit’s popular Quickbooks platform. Using a combination of scare tactics, actual Intuit branding and realistic-sounding text, actual Quickbooks users may be lulled into a false sense of security and click through to malware-laden sites which quickly compromise their computers.
What this means for you:
Whenever you receive a request from a known service provider via email, always, ALWAYS! check the integrity of the links they ask you to click, especially if the communication wasn’t expected. How do you check the links in an email? Read my previous post “Ransomware Virus Targets Skype Users” for details on how to check if the links are valid. Even if the email seems to be legitimate, skip clicking the links altogether and go straight the the website in question by typing in the URL yourself, or pick up the phone to call the company. Your computer and financial security are worth a few more minutes and keystrokes!