Despite the imminent arrival of Windows 10, thousands of businesses and organizations around the world continue to cling to Windows XP. In the business world, this position is increasingly dangerous to a company’s bottom line for a variety of reasons, but for the world’s most (arguably) powerful navy, it could be downright dangerous. The US Navy is actually paying Microsoft nearly $10M to continue to support and patch the expired OS, which was officially “put out to pasture” over a year ago. With over 100K Windows XP computers powering critical systems, the Navy still has a tremendous undertaking to phase the (un)dead OS out of daily operations.
What this means for you:
In a broader sense, it’s disheartening (and a little frightening) to think that our shores are being defended by warships powered by a 14-year-old operating system, but the government, like our aircraft carriers, has never been capable of quick maneuvering, so this should come as little surprise to anyone. The fact that many businesses still heavily rely on XP despite repeated warnings from just about everyone in the industry is indicative of a larger problem, which is partly the industry’s fault, as well as a certain willful blindness we all share.
From an IT perspective, we’ve historically done a poor job preparing everyone for the security issues we now face, perhaps relying too heavily on tools and fixes, instead of emphasizing education and reforming business thinking. From an individual (and probably first-world) perspective, we’ve allowed ourselves to become increasingly reliant on technology to accomplish even the most basic tasks, and have built complex technological systems that support our daily lives that most of us can barely comprehend, let alone troubleshoot. A simple password hack can turn into a life-altering identity theft only because most of us fail to truly understand how everything is intertwined, and our personal veils of security are only as strong as the weakest password in your entire collection. The same can be said of your technology infrastructure: you are only as strong as the lowliest of forgotten XP machines on your network, and that isn’t very strong at all, regardless of how much you pay Microsoft.
Password storage utility LastPass reported earlier this week that they discovered suspicious activity on their servers and as a result, some of their users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on secondary email authentication confirmations for all LastPass logins from new IP addresses, and they are recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).
What this means for you:
LastPass uses a very strong encryption method to secure your data, and it would take some significant computing resources to crack their encryption from a brute-force perspective. However, if your LastPass master password was easily guessable, in theory they could use the stolen hash and salt to confirm that password, and attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.
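The paragraph above turns on how a salted, iterated hash behaves: the salt means a stolen record can only be tested one user at a time, and the iteration count decides how expensive each test is, which is why a guessable master password is the weak link and a long one is not. The following is an added example written for this post, not LastPass’s code; the work factors and the “correct horse battery staple” password are constructed for illustration, and the derivation is PBKDF2-HMAC-SHA256 from Python’s standard library.

```python
import hashlib
import hmac
import os
import time

# Constructed work factors for the comparison below (not LastPass's real parameters)
ITERATIONS_LOW = 1_000
ITERATIONS_HIGH = 100_000


def derive_auth_hash(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The salt makes the result unique per user, so a guess has to be recomputed
    for every stolen record; the iteration count makes each computation slow.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def new_user_record(master_password: str, iterations: int = ITERATIONS_HIGH) -> dict:
    """What a service stores: a random salt, the work factor and the resulting hash."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": derive_auth_hash(master_password, salt, iterations),
    }


def verify_master_password(candidate: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    got = derive_auth_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-n wall-clock time for one derivation at the given work factor."""
    salt = b"\x00" * 16  # fixed salt: only the cost is of interest here
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_auth_hash("timing-probe", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def slowdown_factor(low: int = ITERATIONS_LOW, high: int = ITERATIONS_HIGH) -> float:
    """How many times more work every single guess costs at the higher setting."""
    return seconds_per_derivation(high) / seconds_per_derivation(low)


if __name__ == "__main__":
    record = new_user_record("correct horse battery staple")
    print("correct password verifies:", verify_master_password("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_master_password("password123", record))
    print(f"{ITERATIONS_HIGH:,} vs {ITERATIONS_LOW:,} iterations: "
          f"{slowdown_factor():.0f}x slower per guess")
```

Two things worth noticing when you run it: the same password stored twice yields two different hashes because each record has its own salt, and raising the iteration count multiplies the cost of every single guess, but a short, common master password still falls inside anyone’s budget no matter how high that multiplier goes. Hence the advice in the post: change the master password and never reuse it.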
Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the SwiftKey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.
What this means for you:
This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.
As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
Last week, over 4 million people had their PII (Personally Identifiable Information) exposed. Suggestive humor aside, this is still scandalous as this breach came by way of the Office of Personnel Management (OPM – the government’s HR department), an agency supposedly being protected under the watchful eye of the Department of Homeland Security’s (DHS) $4.5B National Cybersecurity and Protection System (NCPS), aka “Einstein”. I’m sure that the real Einstein would be horrified to know that his good name was being sullied by a multi-billion dollar boondoggle. Adding insult to injury, the PII exposed wasn’t your “run of the mill” variety either – OPM databases housed information on security clearance investigations which also contains information on family, neighbors and close associates of any government employee who went through that process – meaning a lot more than “just” 4 million people were affected. Not quite disturbed enough yet? The OPM data infrastructure was housed in a “shared data center” which provided services to many more government agencies, all of whom could have been breached as well. US government officials have made noises that the Chinese are to blame, and of course, China called those allegations “irresponsible” and “baseless”.
What this means for you:
What this event demonstrates is that stupid amounts of money can’t buy security if you are always playing catch-up. DHS’s Einstein is only able to detect attacks that have been seen before – it’s basically a monstrously expensive filter that looks for “signatures” that are based on – that’s right – previous attacks. Once the hack gets past the gate and they are able to “own” the system by using legitimate credentials (either stolen or created through their initial hack), the attackers can transact business through normal protocols and transactions, making detection extremely difficult. It’s the equivalent of looking for a needle on a conveyor belt full of hay – and you don’t even know what the needle looks like, other than “not hay”. It seems that we will need a real Einstein to develop a system that can detect attacks that have never been seen before.
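To make the signature-versus-“not hay” distinction concrete, here is an added example (mine, not anything from DHS, Einstein or the OPM investigation) that runs two detectors over a handful of constructed log lines. The signature rule catches the pattern it was written for, a burst of failed logins, and is blind to the second session, where a valid account logs in from a never-seen address and pulls far more records than it ever has. The second detector catches that only because it learned each user’s normal behaviour first. Log format, user names, addresses and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (made up for this example). Day one is ordinary
# activity plus a noisy login-guessing burst; day two is a quiet session using
# a legitimate account from an address that account has never used.
SAMPLE_LOG = """\
2015-06-10T09:12:01 user=jdoe src=10.1.4.22 action=login result=ok
2015-06-10T09:15:44 user=jdoe src=10.1.4.22 action=query records=120
2015-06-10T10:02:13 user=asmith src=10.1.7.9 action=login result=ok
2015-06-10T10:05:00 user=asmith src=10.1.7.9 action=query records=90
2015-06-10T13:40:10 user=mallory src=203.0.113.5 action=login result=fail
2015-06-10T13:40:12 user=mallory src=203.0.113.5 action=login result=fail
2015-06-10T13:40:14 user=mallory src=203.0.113.5 action=login result=fail
2015-06-10T13:40:15 user=mallory src=203.0.113.5 action=login result=fail
2015-06-10T13:40:17 user=mallory src=203.0.113.5 action=login result=fail
2015-06-11T02:14:03 user=jdoe src=198.51.100.77 action=login result=ok
2015-06-11T02:16:40 user=jdoe src=198.51.100.77 action=query records=48000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: result=(?P<result>\S+))?(?: records=(?P<records>\d+))?$"
)


def parse_log(text):
    """Turn the text lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["records"] = int(e["records"]) if e["records"] else 0
        events.append(e)
    return events


def signature_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Known-pattern rule: `threshold` failed logins from one source inside `window`."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            recent = failures[e["src"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) == threshold:                     # fire once per burst
                alerts.append((e["src"], e["user"], "repeated login failures"))
    return alerts


def build_baseline(training):
    """Per user: which sources they have used and the largest query they have run."""
    baseline = {}
    for e in training:
        b = baseline.setdefault(e["user"], {"sources": set(), "max_records": 0})
        b["sources"].add(e["src"])
        b["max_records"] = max(b["max_records"], e["records"])
    return baseline


def baseline_alerts(events, baseline, volume_factor=10):
    """Behavioural rule: flag what deviates from the user's own history, signature or not."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            continue   # no history for this account; nothing to compare against
        if e["action"] == "login" and e["result"] == "ok" and e["src"] not in b["sources"]:
            alerts.append((e["src"], e["user"], "successful login from never-seen source"))
        if e["action"] == "query" and b["max_records"] and e["records"] > volume_factor * b["max_records"]:
            alerts.append((e["src"], e["user"], "query volume far above user's baseline"))
    return alerts


def analyse(text, training_day="2015-06-10"):
    """Learn the baseline from one day's activity, then run both detectors over everything."""
    events = parse_log(text)
    training = [e for e in events if e["ts"].date().isoformat() == training_day]
    baseline = build_baseline(training)
    return {"signature": signature_alerts(events), "behaviour": baseline_alerts(events, baseline)}


if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_LOG).items():
        print(kind)
        for src, user, why in alerts:
            print(f"  {user:8} {src:15} {why}")
```

The behavioural detector is deliberately crude (a new source address, a query ten times larger than anything seen before) and on a real network it would need tuning to avoid drowning in false positives, but it illustrates the point of the post: once an attacker holds valid credentials, the only thing left to look for is behaviour that does not fit the account’s history.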
I can hear you say, “If the government can’t secure themselves with $4.5B, how am I supposed to do it with my modest means?” Well, if a nation-state is targeting your organization, probably no amount of money you could reasonably spend is going to protect you. Fortunately, nation-states and advanced persistent threat (APT) groups usually have bigger fish to fry. The “garden-variety” malware you and your employees will encounter can be stopped by a combination of up-to-date antimalware software, a good firewall, and training. In the case of our government, technology advances are hampered by an alphabet-soup of bureaucracy and glacial culture adoption, something attackers count on. Don’t let red tape slow down your organization on this issue – security should be at the top of your list and a budget priority, no matter your industry or size.
Despite how dependent we all have become on it, the Internet still remains a mystery to most folks. There’s a good reason for it – it is complicated and for most, it’s not their job, nor their interest, to have a comprehensive grasp of how data gets from point A to point B. But just like other things we usually take for granted – water, electricity, our cars – when it stops working, we really notice and chafe at any delays to restore normal service. In the case of a water or car problem (most of us are smart enough to not mess with electricity or natural gas!), we’ll try to roll up our sleeves, pop the hood and grab a wrench, but calling a professional is probably the safest and most effective way to get things working again. This is also the case with internet service, but believe it or not, there are some things you can do to troubleshoot and possibly restore service, as long as you understand the basics of how the internet is delivered and connected to your location.
Let me break it down for you. Don’t worry, I’ll keep it simple.
First off, you have to have an Internet Service Provider (ISP). It’s important to know who this is, what your account number is, and what the Customer Support number is for that service. You should have this info printed out and easy to find, because, guess what? When the internet is down, it might be hard to look up that info.
Your ISP will deliver internet through a number of different physical types of circuits. The most common are fiber, coax (commonly known as “cable”), and twisted-pair copper. This last one can take various forms, many of which you should be familiar with – T1s, DSL and Ethernet over Copper (EoC) – are all delivered via simple copper wire. This physical circuit will be “terminated” (i.e. plugged into your location) in a Minimum Point of Entry (MPOE) or a Demarcation Point (DMARC) which, depending on the type of building, can be a basement, phone closet, a box on the side of your house, or a cable drilled right through the wall into your living room. If you own the property in question, it’s important to know where your internet comes into your property.
That circuit, whatever its type, will actually plug/screw into some sort of device, most commonly referred to as a modem or a data services unit (DSU), but there are several other types and names for this piece of equipment. Essentially, they all have one function: connect the ISP to your property.
From the modem or DSU, your circuit is connected to a router. The router is where the magic happens, and is the most important device on your network, from both an internet as well as a local network perspective. Sometimes, depending on the service, the modem/DSU and router are combined into a single device. This form is often found in small offices and residential installs of coax service (from someone like Time Warner, Comcast, Spectrum, etc.), and is often just called a cable modem or simply a router.
Here’s where things get tricky: depending on your service agreement with your ISP, the router may be managed by them, or it may be your own equipment, and both situations can be found in any size business environment. It’s a safe bet that if your company is big enough to have full-time IT staff, your company probably owns and manages its own router. Either way, make sure you know who’s responsible for the router before touching it.
The internet gets conveyed to your devices through two different means: via wire (usually through an Ethernet cable) or via wi-fi. Wired Ethernet is delivered via devices called switches (often incorrectly called hubs, which are no longer used), and wi-fi through access points. In both cases, that internet is delivered to a network interface on your device, which can take the form of an Ethernet jack or an antenna. To make things even more confusing, it’s very common to find routers that are also switches and access points, but which may also connect to additional switches and access points, depending on how large your local network is and how your office is designed.
Made it this far and ready to try your hand at network troubleshooting?
When troubleshooting the most basic problem of internet service, i.e. it’s not working, there are a few simple questions to ask that can point you to the possible source of the problem:
- Is everyone at that location unable to access the internet? If so, it might be a problem with one of the main devices like the modem/DSU or the router. Check those devices first. If they appear to be operating normally (no flashing yellow or red lights), then call your ISP to make sure service is not down in your area or location. They may or may not instruct you to cycle power on these devices, so make sure you call from a phone that can reach where those devices are connected.
- Wi-fi service is not working properly? If your wi-fi is delivered by a separate access point, cycling power may resolve this issue. In larger office environments, this may not be possible as these devices are typically mounted out of reach, and may be physically protected from tampering. In those cases, contact the responsible support person. If your router handles the wi-fi, you may need to reboot the router to restore normal service. In most cases, cycling power on these devices will not harm them nor make them lose their settings, but make sure you know who’s responsible for managing the device before rebooting it.
- Single or small-cluster of wired devices down? Look for a problem with either the ethernet cable (snugly plugged in on both ends? no exposed wires or busted tabs on the cable ends?) or a local switch. Many small offices use switches to distribute network in cubicle and multi-occupant spaces. Look for green/amber lights on both switches and network interfaces. No lights usually means the network signal isn’t getting through for some reason.
- Lastly, did you reboot the device in question? Frequently, if the problem is isolated to a single machine (computer, printer, mobile device), rebooting may solve the problem, especially if it’s wi-fi related.
Tried all of the above and still stumped? Call in a professional!
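The checklist above works from your own device outward: interface and cable, then the local switch or access point, then the router, then the modem/DSU and ISP. The script below is an added example of the same walk, written for this post and not taken from it; it checks each layer in that order and stops at the first one that fails, which is the one to look at. It assumes the router sits at 192.168.1.1 and serves its admin page on TCP port 80 (change both to match your network), uses a public resolver at 1.1.1.1 as the “is the outside world reachable by IP” probe, and goes one step past the post by also checking name resolution, since a working link with broken DNS looks exactly like “the internet is down” to most people.

```python
import socket
from typing import Dict, Optional, Tuple


def local_address(probe_ip: str = "1.1.1.1") -> Optional[str]:
    """Ask the OS which local address it would use to reach probe_ip.

    A UDP connect() sends no packet; it only consults the routing table, so
    None means this device has no usable address or route at all.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((probe_ip, 53))
            return s.getsockname()[0]
    except OSError:
        return None


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolves(name: str) -> bool:
    """True if the configured DNS resolver can turn the name into an address."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def run_checks(router_ip: str = "192.168.1.1", router_port: int = 80) -> Dict[str, bool]:
    """Assumed values: the router's LAN address and that its admin page listens on TCP 80."""
    return {
        "local_address": local_address() is not None,
        "router": tcp_reachable(router_ip, router_port),
        "external_ip": tcp_reachable("1.1.1.1", 53),   # reached by IP, so DNS is not needed
        "dns": resolves("example.com"),
    }


def diagnose(results: Dict[str, bool]) -> Tuple[str, str]:
    """Walk the checks from the device outward and stop at the first failure."""
    if not results["local_address"]:
        return ("device", "no IP address or route: check both ends of the Ethernet cable "
                "and the switch lights (or the Wi-Fi association), then reboot this device")
    if not results["router"]:
        return ("local-network", "router not answering: check the cabling, switch or "
                "access point between you and the router; power-cycle it only if you "
                "are the one responsible for it")
    if not results["external_ip"]:
        return ("upstream", "router reachable but nothing beyond it: check the "
                "modem/DSU and router lights, then call the ISP")
    if not results["dns"]:
        return ("dns", "internet reachable by IP but names do not resolve: check the "
                "router's DNS settings or ask the ISP")
    return ("ok", "all checks passed: the fault is probably a single application or remote service")


if __name__ == "__main__":
    layer, advice = diagnose(run_checks())
    print(f"[{layer}] {advice}")
```

Run it from the machine that cannot get online; the layer it prints is where the post says to start looking. One caveat the code comments already note: if your router does not answer on port 80, the “local-network” step will report a false failure, so confirm the port (or use the router’s own address and port) before trusting that verdict.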
As if the mad rush to “web-ify” everything wasn’t bad enough, McAfee’s security blog now brings us a new, shining moment in Internet history: it is now possible to visit an easy-to-use website to host your own ransomware campaign for the low, low price of free. A group of cybercriminals have put together a service that will provide you with the malware that locks up your victim’s files, as well as the means to collect the ransom via bitcoin through their consolidated platform. The service even includes a dashboard that summarizes your criminal activity: number of computers infected, number of people who paid the ransom, and how much you’ve made so far. It all sounds like something the Onion.com would dream up, but sadly, it’s real. Would-be cyber-extortionists have to pay 20% of their take to the service owners, which could amount to some serious cash. Over the course of the past few years, experts estimated that tens of millions have been made on previous ransomware campaigns. Like any good money-making model, these enterprising individuals hope to amass a fortune on the backs of aspiring cybercriminals.
What this means for you:
As I’ve said in previous blogs, cybercrime is big business now. Though McAfee’s bright light of publicity may help shut down this particular iteration of mass-market ransomware services, you can bet dozens more will follow suit, if they aren’t already up, running, and better hidden. The internet has the ability to magnify anyone’s capabilities by an incredible degree, even more so when someone with savvy and no scruples turns their sights onto the vast, largely naive internet populace. The pitch for this particular service is that “anyone” can set up their own ransomware campaign, and you can bet they’ll do a booming business until the good guys shut them down. On a more reassuring note, this particular platform only provides the means to start and run a ransomware campaign. It would still be up to the would-be extortionists to actually target and distribute the malware to their victims, a task which is surprisingly hard to do in a way that won’t get you caught. However, is it so hard to imagine someone else setting up shop right next door to the ransomware folks, where, for a “small percentage of the take” they would provide those targets? Imagine if these enterprising criminals decided to form pyramid schemes on top of these “business models”. I imagine once attaining that level of vicious cannibalism, the whole thing might collapse in on itself under the weight of sheer backstabbing and profiteering, but in the meantime, we might drown in a crushing wave of malware. Sadly, there’s no magic bullet, but there are three things you can do to better protect yourself against the coming storm: a good firewall on your perimeter, solid anti-malware on your computer, and an up-to-date offsite backup of your data. Those things plus constant vigilance (and a little paranoia!) will go a long way towards staying safer in these more dangerous times.
A little over two years ago, I wrote about a hacker who was able to demonstrate hacking and takeover of an airplane’s flight control system, and suggested that it may be a while before someone was able to execute this same type of hack “in the wild.” Unfortunately for everyone, it’s happened sooner than we might hope: notorious hacker Chris Roberts of One World Labs has claimed that he managed to penetrate an airplane’s flight control system while it was in flight and was able to temporarily alter the plane’s trajectory by overriding controls on a wing engine, forcing the plane to fly sideways for a short period. After joking via Twitter about his hacking activities on an April flight, Roberts was detained by the FBI and his equipment seized. According to affidavits published of the FBI interviews with Roberts, it appears as if the FBI believes Roberts is in fact capable of hacking planes while in flight.
What this means for you:
I’m actually quite surprised this hasn’t happened sooner, and with much more horrifying results. On the scale of expertise on technology security, I consider myself to be only moderately well-trained and informed, but it doesn’t take an expert to comprehend why this is going to be an increasingly dangerous problem. Because all security systems are essentially designed by humans, they will inherently be flawed. Hackers count on this weakness and are able to exploit it over and over again. In the case of the above alleged hacking incidents (yes, there was more than one), Roberts exploited a hardware weakness – he was able to physically connect his equipment to the plane by cracking the inflight entertainment box under his seat – and a software weakness – he used default passwords to circumvent the security of the plane’s control systems. In both cases he would have been foiled if the people who designed and implemented the systems had taken more care in their work. According to Roberts, his actions are meant to goad the industry into taking security more seriously, and maybe now that the FBI seems to be backing his claims, something might get done.
Overall, security is an uphill battle, and requires more energy, money and expertise than most companies can field at any given time. Like insurance, many folks have a hard time spending money to secure against something that might happen. In this case, like the other inevitabilities we insure against, accepting the fact that you will be hacked (even if you already have been) at some point in the near future, will help you frame your investments in security in a more realistic and practical perspective, and doing something proactive will often put you ahead of your competition. Embattled industries like airlines should definitely keep this in mind.
For those of us that spend a good part of the day stuck in SoCal traffic, Google’s self-driving car offers a tiny glimpse of future salvation. We’re a long way off from streets filled with autonomous autos, but Google’s cars have driven 1.7 million miles so far, have only been in 11 accidents, and apparently humans were at fault in all cases. This really shouldn’t come as a surprise to anyone with any measure of self-awareness and experience with today’s technology. After all, technology provides us with a means to amplify our own innate abilities and allows us to achieve objectives that might be beyond our unassisted reach. It also grants us the ability to fail faster and sometimes in a spectacular way.
What this means for you:
My newer clients are frequently surprised to hear me say, “Sometimes, less technology is better.” It sounds like a butcher preaching a vegan life-style to his customers. The main reason I say this is not because I’m a Luddite (far from it!) but that I often come across instances where someone has become temporarily blinded by what I call the “Shiny Factor” and has adopted or implemented a technology that complicates rather than simplifies their original intent.
A prime example of this is clients that purchase software or even new computers to deal with an increasing volume of email, when the simpler (but not necessarily easier) solution would be to reduce the volume of email. Purchasing expensive firewalls won’t prevent infections caused by poorly-trained employees. Faster, more powerful computers won’t fix broken process automation or buggy software, nor will a faster internet connection necessarily result in more productive workers. It’s a dangerous, slippery slope, and can become a self-perpetuating spiral of expense, frustration and complexity. As the old adage goes, the cure may end up being worse than the disease.
Are we doomed? Only if we continue to ignore that technology is created to serve us, and not the other way around. Technology is not meant to replace humans, but to amplify us. It’s up to us to make sure that the good is amplified and the bad minimized wherever possible, and sometimes to solve problems or get work done the old fashioned way – with a little elbow grease, human ingenuity, and common sense.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Over the past 2 years, I’ve seen the rate of malware attacks climbing at an accelerated rate. This is due largely in part to the evolution of malware as a lucrative crime combined with sophisticated, easy-to-use platforms that are designed for and marketed to non-technical users. Previously, successful viruses and their code were jealously guarded and the purview of an elite “cadre” of hackers who would advertise their creations as badges of honor. Now this same cadre of malware programmers is racing to bring product to a highly competitive market. Malware is a business, and business is good.
What this means for you:
It’s not just an assumption that you will be targeted by malware. It’s most likely a fact. Malware makes its handlers money by casting the widest net possible, which means everyone is a target, and the attack platform that can prey on the most victims wins. With that in mind, the safest mindset to adopt is that your technology will be or already is under attack, and you must gird yourself for the onslaught. Here are 3 ways to prepare, plus one less-obvious way that may or may not be practical for most organizations:
- Install a good firewall on your network periphery. Though most ISP-provided routers come with some basic firewall functionality, your business or organization should be protected by a professionally managed firewall that can provide what’s known variously as “Unified Threat Management” or “Gateway-based Defense”. In a nutshell, these devices sit on the entry point of your organization’s internet connection and monitor all data going in and out, scanning for malware, hacking attempts, objectionable content and spam. This is your first line of defense, and if maintained properly, can protect you from numerous threats 24/7/365.
- Use effective malware protection on your vulnerable technology. Even assuming you have some sort of protection on your network periphery, there’s still plenty of ways for malware to get inside your network, and once they are “inside the gate”, your computer or server’s only protection from a really bad day is the anti-malware you’ve installed locally. This software should have some form of active protection (always-on scanning, port blocking, etc.) and not something that has to be run in order to detect or cleanup a malware incursion. If malware isn’t detected and handled the moment it approaches your computer, it’s too late.
- Back up your data. Sad as this fact is, no anti-malware is 100% effective. Your machine will get infected and at that point, the only way you don’t lose this battle is if your data is backed up and isolated from infection. This means offsite backups, with at least 7 days of historical versions just in case the backup software unknowingly backed up infected files (which it can and will do if you don’t catch it quickly enough).
- Disconnect from the internet. If the above 3 items are beyond the reach of your organization for either budgetary or technical reasons, this rather drastic alternative is very effective. Even though it may be impractical for most companies, approaching this problem from this perspective may lead to some creative changes in operations and employee behavior. As a simple example: block access to social media sites on work computers, but provide separate, isolated wifi for mobile devices that allows them to scratch that itch on their own devices.
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
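The backup point in the list above (“at least 7 days of historical versions just in case the backup software unknowingly backed up infected files”) is worth seeing in action, because the trap is subtle: the night after ransomware encrypts everything, the backup job runs normally and the encrypted files simply become the newest version. The following is an added example written for this post (not any backup product’s code) that simulates ten nightly snapshots of a small document folder, with a constructed mass-encryption event on day 7. It locates the restore point as the last snapshot taken before the first day on which most files changed at once, and then shows what a 7-day versus a 2-day retention policy leaves you with. File names, dates and the 50% change threshold are all made up for the demonstration.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, Optional

Snapshot = Dict[str, str]        # path -> sha256 of the file's contents
History = Dict[date, Snapshot]   # backup date -> snapshot

START = date(2015, 4, 1)         # constructed start date of the example history


def day_n(n: int) -> date:
    return START + timedelta(days=n)


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_history(days: int = 10, infection_day: int = 7, files: int = 20) -> History:
    """Constructed history: one snapshot per day.

    On normal days a handful of files are edited; on infection_day every file
    is replaced in one go (the ransomware pattern) and then stays that way, so
    the snapshots taken afterwards look perfectly quiet.
    """
    current = {f"docs/file{i}.txt": b"v0" for i in range(files)}
    history: History = {}
    for d in range(days):
        for i, path in enumerate(current):
            if d == infection_day:
                current[path] = f"encrypted-{i}".encode()   # stands in for ciphertext
            elif d < infection_day and i % 7 == d % 7:
                current[path] = f"{path}-v{d}".encode()     # ordinary edit
        history[day_n(d)] = {p: fingerprint(c) for p, c in current.items()}
    return history


def changed_fraction(prev: Snapshot, cur: Snapshot) -> float:
    """Share of files whose contents differ between two consecutive snapshots."""
    paths = set(prev) | set(cur)
    changed = sum(1 for p in paths if prev.get(p) != cur.get(p))
    return changed / len(paths) if paths else 0.0


def first_mass_change(history: History, threshold: float = 0.5) -> Optional[date]:
    """Date of the first snapshot in which most files changed since the previous one."""
    days = sorted(history)
    for earlier, later in zip(days, days[1:]):
        if changed_fraction(history[earlier], history[later]) >= threshold:
            return later
    return None


def retain(history: History, keep_days: int, today: date) -> History:
    """Simulate a retention policy: keep only the last keep_days daily versions."""
    cutoff = today - timedelta(days=keep_days - 1)
    return {d: s for d, s in history.items() if cutoff <= d <= today}


def restore_point(history: History, threshold: float = 0.5) -> Optional[date]:
    """Newest snapshot taken before the first mass change, or None when no
    pre-incident version survives in the retained history (the quiet, already
    encrypted snapshots after the event are exactly the ones you must not trust)."""
    event = first_mass_change(history, threshold)
    if event is None:
        return None
    before = [d for d in history if d < event]
    return max(before) if before else None


if __name__ == "__main__":
    full = build_history()
    today = day_n(9)   # the incident is noticed two days after the encryption
    print("mass change first seen:", first_mass_change(full))
    for keep in (7, 2):
        print(f"{keep}-day retention -> restore from:", restore_point(retain(full, keep, today)))
```

With seven days of versions the script finds the day-6 snapshot and you lose a day of work; with two days every surviving version is already encrypted and the function returns None, which is the “you don’t catch it quickly enough” scenario from the list. The mass-change heuristic is only a starting point (a legitimate bulk rename would trip it too), so treat it as a prompt to look, not as proof.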