In a disturbing trend that bodes ill for everyone, multiple US healthcare institutions have been victimized this past month by highly effective ransomware attacks. In each instance, the malware infection has significantly disrupted operations and, in some cases, forced administrators to actually pay out thousands of dollars in ransoms to regain control of their data and IT systems. In the case of the Hollywood Presbyterian attack, the hackers initially demanded $3.6 million in bitcoin to release the data and systems their malware had encrypted, but settled for $17k. More hospitals in California, Kentucky and Maryland have also been hit and crippled by ransomware attacks, in some cases paying the ransom to regain control of their IT systems, and in other cases recovering systems and data through established data backup platforms and security protocols. And just to keep things interesting, toy-maker Mattel was also defrauded out of $3 million after falling victim to a carefully planned and well-executed email scheme.
What this means for you:
Though some of the hospital attacks mentioned above are thought to have come from a documented server exploit known to exist in healthcare software platforms, analysts are reporting a surge in emails carrying viral payloads including new, highly-effective variants of ransomware, probably because of the highly-publicized ransom payment made by Hollywood Presbyterian. The harsh reality of this worrying trend is this: it costs criminals virtually nothing to start malware campaigns that are resulting in hundreds of millions in damages to organizations around the world, and it’s netting those same criminals an equivalent amount of money paid by desperate victims. Despite spending millions on security, businesses and individuals around the world still fall victim to this ploy because of the humble email. Previously I had written about ways to spot fake emails (and you can still spot them if you look hard enough), but given how many emails we receive, and how clever attackers are becoming, it’s only a matter of time before any of us get duped and it’s already too late after that second mouse-click. Or is it? Though the ransomware attacks managed to disrupt operations at the hospitals mentioned above, several of them were able to get back to work once the infections were cleaned out and data restored from backups. The temporary disruptions caused by the compromised systems were kept to a minimum, as was the damage to the wallet, by a tested (and now proven) disaster response and recovery/backup plan. How long could your business afford to be disrupted by a ransomware attack? Could your business survive the loss of critical data? What about the reputation damage resulting from disclosing the attack to customers? If you thought a backup platform was expensive, consider the alternative. In the case of Hollywood Presbyterian, $17k was just the down payment on a huge hit to the wallet.
In case I haven’t scared you enough about the technology innovations that make our lives easier at the cost of security, here’s another worry to add to the growing pile. Automobile security researchers (a growing subset in the security industry) in Germany have published their findings on using wireless amplification technology to trick certain makes and models of cars into thinking their owner is nearby, unlocking the doors and in some cases, starting the engine for the hacker, all while the actual proximity key fob is supposedly safe and secure in the owner’s pocket, purse or home. Though this method has been known for at least several years, this most recent publication noted that the technology is much cheaper to build, and the number of cars vulnerable to this hack has grown significantly.
What this means for you:
If you are the proud owner of one of these cars, you may want to consider keeping your key fob in the freezer:
- Audi A3, A4 and A6
- BMW’s 730d
- Citroen’s DS4 CrossBack
- Ford’s Galaxy and Eco-Sport
- Honda’s HR-V
- Hyundai’s Santa Fe CRDi
- KIA’s Optima
- Lexus’s RX 450h
- Mazda’s CX-5
- MINI’s Clubman
- Mitsubishi’s Outlander
- Nissan’s Qashqai and Leaf
- Opel’s Ampera
- Range Rover’s Evoque
- Renault’s Trafic
- Ssangyong’s Tivoli XDi
- Subaru’s Levorg
- Toyota’s RAV4
- Volkswagen’s Golf GTD and Touran 5T
At the moment, this is the list of confirmed vulnerable models. The researchers allege that many other makes and models that use similar technology could very likely be vulnerable to this exploit as well. If your car unlocks automatically based upon your proximity to the car, then it may be possible to exploit this convenient bit of technology. And there is even anecdotal evidence to support that this hack is already being used “in the wild” to burgle cars. Basically, would-be thieves work with a pair of devices – one near your car, and the other near your key fob. The devices work in tandem to amplify the signal put out by the key fob, tricking the car into thinking the fob is in unlock range, so that it happily opens up for the thief. In the above-mentioned case, the unlucky victim ended up storing his fob in the freezer to protect against this hack, but I’m sure most of you keep your keys right near the front door – easily within range of someone with this device. Perhaps it’s time to start storing the keys next to the milk? Call us if you have any concerns – we’re not car experts but we can always help you become more secure.
Though they “warned” everyone that they were making a change to the way the Windows 10 upgrade was being offered to Windows 7 and 8 users, it was still distressing to discover exactly what Microsoft meant when it said it was making the Windows 10 upgrade a “recommended update”. Instead of an increasingly annoying pop-up “upgrade now” message, many of my clients woke up last week to a brand-new Windows 10 upgrade that they did not approve, nor initiate. Prior to that, only a small handful of my clients had experienced the spontaneous Windows 10 upgrade since it launched last year, and one even experienced the full combo: upgrade and then rollback, neither initiated by him. It was like some sort of social experiment gone awry. If you happened to be the surprise owner of a Windows 10 computer, you are not alone: thousands of reports are rolling in of unwanted, unapproved upgrades.
What this means for you:
If you fall into the camp of as-of-yet unvictimized Windows 7 and 8 users, you need to do the following immediately if you want to avoid your very own Windows 10 surprise party:
Easy-mode: Call us at 818-584-6021 and we’ll take care of it for you.
DIY-mode (view a step-by-step video here):
- Go to the Windows Update control panel and disable (uncheck) “Give me recommended updates the same way I receive important updates”.
- Download and install GWX Control Panel from Ultimate Outsider, or if you are worried about visiting a strange site, you can download it from the C2 Datto Drive.
- Click the following buttons in GWX Control Panel: “Click to disable Get Windows 10 App”, “Click to Prevent Windows 10 Upgrades”, “Click to Disable Non-critical Windows 10 Settings”.
- If you never plan to upgrade to Windows 10 and the buttons are available, you can also use these buttons: “Click to Delete Windows 10 Programs”, “Click to Delete Windows 10 Download Folders”.
- If you’d like the control panel to watch for more upgrade attempts, you can also use “Click to Enable Monitor Mode” which will run in the background and warn you when Microsoft tries to upgrade your computer again.
For the record, Windows 10 is a perfectly serviceable OS and is, in many ways, an improvement over Windows 7 and 8. However, an unplanned upgrade can cause a loss in productivity while you learn your way about the new OS which is the best case scenario. A worst case scenario could result in loss of data, incompatible applications and severe performance issues. Don’t let Microsoft dictate how you use your computer. If you want to upgrade to Windows 10, plan for it and make sure you have experts on hand to ensure long term success.
The cloud icon has been used to symbolize a larger, connected network in technology diagrams for at least 30 years, so it’s not hard to imagine how the concept has migrated to its modern context: a collection of inter-connected computing and storage resources that can be shared amongst multiple services that can scale up and down as needed. If you are of a generation that recalls mainframes, mini-computers and batch runs (today’s PC is actually a “micro-computer” in the vernacular of the mainframe age), it’s a similar concept, except that instead of a single, gigantic device, the mainframe is now an array of CPUs, storage devices and network interfaces spread across multiple locations and interconnected by the internet. If your understanding is still amorphous, you have creeping semantics to blame for that as well – the term “cloud” has become synonymous with internet-based resources, which can lead to plenty of confusion and debate about privacy, resilience and security.
Clear skies or storm warning ahead?
Just as being able to tell the difference between thunderheads and fluffy cumulonimbus can help us make decisions about grabbing the umbrella or sunglasses, understanding what is “cloud-based” or “hosted” or “virtualized” (or all three) can help you make informed decisions about what services and resources you utilize for your organization’s technology needs. As “cloud-based” has become something of a marketing hobby-horse that is frequently used out of context, it may be very hard to understand how the “cloud” comes into play in any given offering, if at all. If the “cloud” is mentioned to denote omnipresent resources or availability, it may be worth investigating whether this claim has any substance. Is the company or service in question making use of Amazon’s Web Services or Microsoft’s Azure platform? Those are examples of true cloud-computing platforms – very large endeavors and companies use services like these to power their own services and apps. Is your website or email “in the cloud” or is it “hosted”? For casual conversation, it doesn’t really matter (what matters is you don’t have a server on premise to manage anymore!), but it may be important to make that distinction when it comes to evaluating your own organization’s technology security and resilience, especially if you are required to maintain compliance with industry regulations or federal laws.
In the latest dramatic chapter of the ongoing encryption battle between the FBI and Apple, the feds have admitted that they worsened their chances of ever finding out the contents of the San Bernardino shooter’s iPhone when they reset its associated iCloud password in a misguided attempt to access the locked device. According to Apple, prior to that reset, the FBI may have been able to gain access to the device without Apple having to provide a controversial backdoor to its otherwise very secure smartphones. On top of the FBI’s blunder and lack of understanding of Apple’s iPhone security, it’s also clear that several members of the House Judiciary Committee leading the hearings on this controversy are also poorly versed in how smartphone security works. To be fair to everyone, Apple’s iCloud system is arcane even to me, so it’s easy to see how someone unfamiliar with the system could make this mistake.
What this means for you:
Making fun of government officials being ignorant about high tech subjects is like shooting fish in a barrel. The “series of tubes” analogy used by Senator Ted Stevens is just one of many examples of US lawmakers struggling to understand admittedly complex technologies like the internet and encryption. Back then (10 years ago!) it might have been acceptable to dismiss their technology naivety as understandable – after all they are congress people, not IT consultants. But now, in an increasingly technology-permeated society, their ignorance or willful disregard of technology can lead to very bad decisions that have widespread and long-lasting consequences. This is just as applicable to your personal and workplace tech. While it’s impossible to be an expert on everything, if you rely on technology for critical business operations, you should have more than a basic understanding of how to turn it on and off. At minimum you should know what risks come with that technology, and if you cannot claim to be an expert in the technology in question, you should always consult with an experienced technology professional before making game-changing decisions.
Apple made a big splash last week when CEO Tim Cook published an open letter in response to the FBI’s request and subsequent court order to hack the iPhone of the primary assailant in December 2015’s San Bernardino mass shooting. As one might expect, Mr. Cook basically told the government that they would not comply, and fortunately, they might be the one company that could afford to fight this battle in the courts. Though the tech industry has typically maintained a similar stance on device encryption, even the most staunch champions of digital privacy such as Google and Twitter have had surprisingly muted responses to the growing battle. Also revealing is a recent Pew poll that suggests while the tech industry may be largely united on device encryption and government backdoors, the American public isn’t quite sure what to think about this complex issue.
What this means for you:
Late model iPhones ship with encryption enabled by default, and as long as you enable some form of authentication on your device, the data on that device will only be accessible if you unlock it. Law enforcement can’t break the encryption, and Apple, by its own admission, cannot decrypt your phone’s contents without the proper authentication, even if the phone owner asks them to do so. If someone tries too many times to guess your pin, the device will be automatically wiped – no intervention from Apple or your carrier is required. The FBI is demanding Apple create a way for them to unlock the iPhone of the San Bernardino shooter, which if Apple were to actually accomplish such a feat, could theoretically allow anyone with possession of this backdoor to decrypt any iPhone protected by similar technology. Like the atomic bomb, the development of this backdoor cannot be unmade, nor will it remain only in the hands of the “righteous”. While the data on the SB shooter’s phone may prove useful in providing some closure to the incident and may even help further other domestic terror investigations, it’s easy to see that the FBI means for this case to set a precedent that will give them unfettered access to an area that has traditionally been protected, both by law and by technology.
It’s getting harder and harder to make excuses for Microsoft when it comes to Windows 10, and they are quickly eroding whatever good will they may have sown with the free upgrades offered last year. If you weren’t already traumatized by an intentional or unintentional “upgrade” to 10, or if you happened to be one of the lucky few to walk the upgrade gauntlet (relatively) unscathed, Microsoft seems determined to make you regret installing its new operating system – let’s call it “death by 1000 annoyances.” The latest insult: many users are reporting a recent update to Windows 10 is resetting the default app assignments on their computers to – you guessed it – Microsoft apps.
Whatchoo talkin’ ’bout Woo?
One of the “features” of Windows 10 is the inexorable, unstoppable OS updates that Microsoft forces upon everyone. There are ways to trick Windows 10 into not downloading updates, and if your computer happens to be a part of a managed domain your administrator may be able to exert some control, but Microsoft has gone on record stating that giving users less control over this aspect is really for everyone’s own good. In the above case, a yet-to-be-identified recently released update from Microsoft is actually resetting choices you’ve made to your own computer to a setting that arguably benefits Microsoft. A good example of this is one that several of my clients have already experienced: instead of using Acrobat to open PDFs, the OS is being reset to use Microsoft’s new browser, Edge – hardly a comparable substitute, especially for those that paid good money for the full versions of Acrobat. The default PDF app setting is one of possibly hundreds of default settings that Microsoft can “accidentally reset” so the annoyance potential on this “feature” is incredibly high. Fortunately it’s not permanent, and once you figure out what the heck is going on, it’s not hard to reverse. But it’s just another thorn on this once attractive, but increasingly prickly, OS rose.
I’ve put enough notches in my cyberbelt to speak with confidence on tech security and I’m reasonably sure most of you take me seriously, but it’s nice when the President of the United States backs up your message about the state of cybersecurity, especially when that message is that our work has only just begun. In a Wall Street Journal Op Ed piece published today, President Obama announced an aggressive plan to improve America’s cybersecurity profile, starting with increasing the nation’s budget on technology security to $19 billion. Three billion of that planned increase is targeted at upgrading Federal computer systems, many of which he recognizes as being woefully past due for an upgrade. And as is always the case, those computer upgrades are going to need tech-savvy hands, hopefully supplied by a tech-focused “Peace Corps” initiative and a new cybersecurity Center of Excellence which will be formed as a collaboration point between the government and private sector. Some of this new money will also fund a national security awareness campaign (and you thought my password nagging was bad!). To cap it off, he is also calling for the creation of a bi-partisan Commission on Enhancing National Cybersecurity and creating a new national Chief Information Security Officer.
What this means for you:
In the short run, not much is going to change for you or your organization, even if you happen to work for or with an organization that might be first in line for Federally-funded computer upgrades. Federal programs never move swiftly, and I doubt this one will be any different. In order for any problem to be solved, it must be first acknowledged. Allocating money (however trivial it may seem in the face of our defense spend) is an important step in the right direction. Many businesses both big and small fail to budget for security issues, sometimes through willful denial, and most often because of a lack of understanding about how important cybersecurity has become. We all know the government regularly gets low grades on their technology proficiency – hopefully money won’t be a part of that problem going forward. The more important lesson here is that while money does help, talent, cooperation and a plan to change are crucial to developing a sound security policy, whether you are the federal government or sole proprietor.
Most of us have seen the persistent little icon in the system tray, and clicked the many variations of “Not now!” to Microsoft’s constant reminders to upgrade to Windows 10. Some of you even caved in and upgraded your computer to Windows 10, and an even smaller percentage of you have come out on the other side mostly intact and productive. I still continue to recommend against upgrading existing Windows 7 and 8 computers without considerable caution, planning and the watchful supervision of a trained technology professional. “Cleanly” installed (either on a blank hard drive or from the factory new), Windows 10 is a good operating system that performs well but still has many rough edges, and I have seen way too many upgrade installations go south faster than geese in winter. For reliability and performance, Windows 7 is still very hard to beat, and is still considered the standard in enterprise/corporate technology. Despite all of this, Microsoft continues to advance its agenda of “Upgrade all the things”, and has now made the Windows 10 upgrade installer a “recommended update”.
What this means for you:
By default, Windows 7 and 8 are set to automatically check for, download and install critical security updates. There is also another option, “Recommended updates”, which is also checked, and that is where Microsoft gets its virtual hooks into your precious Windows 7 (or 8, I’m not here to judge) operating system and plants the seeds of an upgrade. If your machine is still set to download recommended updates (as it will be if you’ve never changed these settings), you will soon be (if you aren’t already) the proud recipient of a 6GB hidden folder that, if you continue to deny Microsoft the satisfaction of upgrading you to Windows 10, will reside happily on its little 6GB plot of hard drive. Forever. Removing it doesn’t help – Windows Update will cheerfully re-download it for you, to make sure your Windows 10 upgrade experience isn’t slowed down by having to download it when you finally give in to their relentless nagging.
If you have a large hard drive and “all-you-can-eat” internet bandwidth, this isn’t a problem, but for those of you with smaller hard drives (like earlier model laptops with SSD drives) or metered bandwidth, 6GB is a lot of space AND bandwidth. There are ways to combat Microsoft’s insidious peer pressure, but to truly banish the upgrade nagging, you’ll need to fiddle with registry settings or install a third-party utility. If neither sounds like an activity for which you are qualified (either in patience or technical proficiency), why not have a friendly chat with your local tech professional to discuss a more moderate, considered approach to upgrading to Windows 10? If you are a business professional that uses Windows-based computers, it’s a bridge you will have to cross at some point, but you should do it on your own schedule and on your own terms.
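The registry route mentioned above, as an added example that is not from the original post: a PowerShell script (compatible with the PowerShell 2.0 that ships with Windows 7) that reports and sets the two policy values Microsoft documents for blocking the Windows 10 upgrade offer. The function names and the check for the `$Windows.~BT` download folder are assumptions of this example.

```powershell
# Added example, not part of the original post. Run from an elevated prompt on Windows 7 / 8.1.
# DisableOSUpgrade blocks the upgrade through Windows Update; DisableGwx hides the
# "Get Windows 10" tray app. Function names below are illustrative.

$UpgradePolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx' }
)

function Get-UpgradeBlockState {
    # Report each policy value; a missing key or value means the block is not in place.
    foreach ($p in $UpgradePolicies) {
        $value = $null
        if (Test-Path $p.Path) {
            $item  = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($p.Name) }
        }
        New-Object PSObject -Property @{
            Policy  = $p.Name
            Value   = $value
            Blocked = ($value -eq 1)
        }
    }
}

function Set-UpgradeBlock {
    # Create the policy keys if needed and set both values to 1.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($p in $UpgradePolicies) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", 'Set DWORD to 1')) {
            if (-not (Test-Path $p.Path)) {
                New-Item -Path $p.Path -Force | Out-Null
            }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-UpgradeDownloadPresent {
    # Assumption of this example: the hidden upgrade download lives in
    # <system drive>\$Windows.~BT. Single quotes keep PowerShell from expanding "$Windows".
    Test-Path -LiteralPath (Join-Path "$env:SystemDrive\" '$Windows.~BT')
}

# Typical use: check the current state, preview the change, apply it, re-check.
Get-UpgradeBlockState
Set-UpgradeBlock -WhatIf
# Set-UpgradeBlock
# Test-UpgradeDownloadPresent
```

Re-run `Get-UpgradeBlockState` after later Windows Update cycles to confirm both values are still 1.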
Microsoft made a major splash a few years back when they announced that the NFL would be using the Surface tablets on the field and in the locker room for various aspects of team management. Up until now it really only caught the media’s eye briefly when commentators mistakenly identified the Microsoft tablets as Apple iPads, a stinging verdict on the strength of both Microsoft and Apple’s branding. Unfortunately for Microsoft, the Surface tablets were correctly identified this time at the recent AFC Championship game between the New England Patriots and the Denver Broncos. Unfortunate because the Patriots were experiencing technical difficulties with the devices at a crucial moment in the most important game of the season. As you’d expect, the internet had a field day with this, even though the technical difficulties were quickly overcome, and the Patriots carried on.
What this means for you:
Rather than taking an easy opportunity to poke fun at Microsoft as you might expect, I’m more interested in making sure everyone grasps the more important lesson here. Even though the Surfaces had become an important part of sideline operations during a game, the Patriots were able to keep moving forward with their critical processes because the Surface tablets weren’t a single point of failure in the complex workflow of team and game management. Are there parts of your business or organization that depend on a single point of technology that, if it failed, would prevent you from executing on critical processes or tasks? Always have a back up plan, both in the literal sense (as in: Back up that data!) as well as the figurative. Important presentation tomorrow that you’ve only stored on a single thumb drive and nowhere else? What would happen if that little thumb drive accidentally fell out of your pocket while you were on the way to the big meeting? When it’s game day, make sure you have more than one way to get the ball into the end zone!