Despite their best efforts, SolarWinds isn’t going to be able to slip back into obscurity anytime soon. Up until late last year, most regular folks wouldn’t have any idea who SolarWinds was, let alone what they did. But when one of the world’s largest outsource IT providers gets hacked, leading to the compromise of approximately 100 very large companies and NINE federal agencies including the National Nuclear Security Administration, you aren’t going saunter casually out of sight after such a massive gaffe. You might try a little misdirection by throwing an underling under the bus, but all that is doing is making things worse, regardless of whether it’s true or not.

True leaders know where the buck stops

As the SolarWinds “saga” started to slowly unfold for us in December and January in all of its terrible glory, one of the minor “subplots” that was revealed involved a comically weak password that was used to secure a SolarWinds server. If you ever want to bring a rain of derision and reproach from the technology community, use a password like “solarwinds123” as part of your infrastructure while providing IT to the agency that manages our nuclear arsenal. And if you want to double-down on your foolishness, blame an intern for it.

It’s entirely possible that an intern might actually be at fault; all of us were young and “wet behind the ears” at some point in our careers, and let’s face it, there are a ton of people out there who might think that this is at least an OK password. But let me tell you something: every single SolarWinds technician, engineer, senior engineer and up that typed in that password KNEW it was a bad password and didn’t bother changing it. Everyone reading this article knows this is a bad password, and if you’ve been a reader for any amount of time, you’ve known this for years. It’s reasonable to assume that a fresh-faced intern with no IT experience may have chosen such a password, but it should have never survived the moment any SolarWinds employee had to use it even once. Regardless of who made the initial mistake, allowing it to continue being used is absolutely leadership’s fault – all the way to the CEO. Bad passwords have consequences, but excusing and ignoring them is even worse.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Not even three months into Apple’s release of new computers powered by the Apple M1 processor, researchers have discovered at least two malware platforms that seems to have been specifically written to target Apple’s new CPU. One of the new apps, “GoSearch22” is actually a recompiled version of a known adware app called “Pirrit”. The new M1 variant has already been decertified by Apple, meaning that it will be blocked from running in the OS if your Mac is current on updates. The other malware app, dubbed “Silver Sparrow” appears to be brand new and is showing up on at least 30K Macs both M1 and Intel-powered machines, but at the moment, researchers aren’t quite sure what it’s intended to do.

What this means for you

For the majority of Windows users this is not relevant and you can carry on worrying about the myriad other security concerns that the platform is infamous for, but if you happen to use Apple computers for your daily work, take note. At the moment, Silver Sparrow isn’t doing anything except existing and looking very suspicious. It may never be deployed – think of it as a sleeper agent whose cover has been blown. The fact that it exists and a version of it written explicitly for Apple’s new M1 CPU means that cybercriminals are leaving no stone unturned in their pursuit of exploiting every internet connected device. Where before Apple users could work knowing that because of their relatively small market share they were unprofitable targets for malware developers and as a result slightly more secure than their Windows brethren, this is clearly no longer the case. OS X is definitely being targeted by mature, sophisticated adversaries. While security through obscurity was never a good enough reason to not run malware protection on OS X, it’s definitely been invalidated by the sudden and widespread appearance of Silver Sparrow. Make sure you are running up to date and effective malware on your Mac, old or new. If you don’t know what to install, contact us for advice or a managed solution.

Last week the sleepy Florida town of Oldsmar made headlines as its municipal water utility was targeted in a cyberattack. The attack resulted in the unauthorized access of a computer that controlled the chemical treatment of the city’s potable water supply, and the attackers actually managed to adjust a setting that could have poisoned the water for 15k people. Fortunately, the computer was actually being monitored by an employee who was able to safely reverse the settings change and alert authorities. Aside from the ominous implications evoked by cyberattacks on critical infrastructure like water supplies, this specific attack garnered additional attention because of Oldsmar’s proximity to the stadium hosting this year’s Super Bowl and the fact that it happened 2 days before the actual game.

What this means for you

What many of you might not realize, even though we’ve written about it before, is that our nation’s utility infrastructure is protected by technology that is outdated, underpowered and poorly managed. And it has been under constant attack since at least 2013 and most likely even before then. That being said, it appears the Oldsmar attack was not perpetrated through a series of exotic, Hollywood-esque tactics, but rather by exploiting a forgotten install of remote management software TeamViewer that was using a shared password set for the entire company. On top of this, the computer was connected directly to the internet with no firewall in place. While this lack of security isn’t uncommon in small organizations around the world, the fact that this is happening at companies that control vital services like drinking water should be fairly alarming to you. According to utility officials, there are plenty of other safeguards in place that would have prevented the actual poisoning from actually occurring, but one has to wonder whether or not an audit might be in order? If they installed a bit of software in a fashion that allowed it to be exploited with almost no effort and then forgot about it, what else might they have installed poorly and then forgotten?

When working with people who are actively attempting to correct or remediate behaviors that were previously unproductive or destructive it’s important to provide encouragement and feedback on the positive changes. Common sense would dictate that any progress is better than none at all, and it serves no one to berate someone for shortcomings they are actively working to improve. But corporations aren’t people, and social media mega-corporations like Facebook have such a significant impact on the world that they should given no quarter when it comes to criticism. I understand that they are a for-profit company and have no other master to serve, and if they just openly stated that everything they do serves that master, I wouldn’t bother taking them to task. But what they say and what they do are two different things.

Facebook – Hold Them Accountable

In February 2019, a full year before the start of the pandemic in the U.S., California Representative Adam Schiff asked Facebook point-blank why they were allowing misinformation about vaccines to spread on their platform knowing full well that this type of activity would be a danger to the public, and is a direct violation of their own terms of use.

On April 16, 2020, over a year after the “friendly warning” from Congressman Schiff, and months after the pandemic had already spread around the globe, Facebook finally acknowledges that their platform is being used to spread misinformation and promises to engage “fact-checking” and warning labels to inform users of possible misleading information.

In May 2020, they pat themselves on the back for putting warning labeling 50 million (!) pieces of content. “Warning labels”, like the ones on packages of cigarettes that clearly keep people from smoking them.

Fast forward to Feb 8 2021, over 2.3 million Covid-related deaths later, and Facebook is finally getting around to straight-up removing misinformation from its platform. How many deaths could have been avoided if they hadn’t allowed rampant misinformation, fear and hate to spread on Facebook? Don’t get me wrong, never at any point since the day I first heard of Facebook did I suspect them of possessing any shred of altruism or compassion. The initial concept of Facebook sprung from a crude looks-based popularity contest (Hot or Not), and it still remains in part, like most of social media, a popularity contest. If any company in the world had the resources and the brain power to be ethical and compassionate and profitable, Facebook should have this advantage in spades, and yet they have been content to let the market rule until it’s more convenient (read: a shift in political power) for them to behave otherwise.

Don’t make the mistake of thinking Facebook (or any for-profit company) is motivated by ethics or altruism until they demonstrate it at the cost of profit. While I am not foolish enough to believe that all the death and heartache caused by Covid-19 was due to the purposeful spread of misinformation on Facebook, if even one death is attributable to this, isn’t that one death too many? Is it too much to ask the biggest, wealthiest company in the world to be more responsible, more ethical? I don’t think so, and I hope more people will continue ask this same question and demand answers.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

While the past year has been no picnic for anyone except the handful of billionaires profiting from the pandemic, it’s at least given some of us opportunities for improvement and enlightenment that we may not have otherwise pursued given the usual daily routine. Some of you have whiled away your free time catching up on shows, learning languages, or taking up new hobbies, some have even completely remodeled bathrooms, kitchens and garages. Almost every single work-from-home professional has had to become an IT technician whether they wanted to or not, but despite that, many of you still don’t know some things you absolutely should know.

Don’t be afraid or ashamed to ask!

As I’ve said before, I don’t expect everyone to become IT professionals, even after 11 months of working from home with shoestring budgets and Macguyvered technology. Once we get in front of Covid-19 I am anticipating many organizations will seriously reconsider returning to the traditional office environment if they haven’t already marched straight ahead into a virtual workplace future without looking back. In order for that future to work for a business, their WFH employees need be as efficient and productive as before. If you are one of those salivating at the prospect of working from home for the foreseeable future, you need to make sure your tech game is on point with these essential tid-bits:

Who is your internet provider? Not only should you know who it is, you should have their tech support number as a favorite on your smartphone. You should know your account number and what you are paying for, and what you can expect for customer service. Seriously consider paying more for a “Business-class” account if you have a residential account – the quality and speed of the internet won’t (necessarily) be different, but the speed at which they respond to service calls is much better.

Where is your internet router? You should know where it is in the house, what it looks like, and how to turn it on and off. You should know what the lights on it mean, or at least have a quick reference handy to interpret the lights. If you live in a single-family residence, you should know where the service lines come into your home. If you set up your own router or mesh wifi system, you should have the brand and model handy, and if you needed to use a phone app to set them up, what that app is called. If someone else set up the devices for you, have them write down this information for you, especially if they aren’t a member of your household.

How does your work computer get internet? Ethernet wire or WIFI? More importantly, can it do both? Most folks rely heavily on WIFI, not realizing that “hard line” networking is way more reliable and in some cases, dead simple to set up. Not every household can take advantage of an Ethernet connection, but if you have any opportunity to do so, do it.

Know your home workstation. You should know the brand and model, and where all the critical control points are on the computer: power, network and peripheral connections. You should also understand what any visual indicators might be telling you – power and hard drive activity lights, network indicators, etc. If you have additional peripherals like monitors, printers, keyboards and mice, you should know how they are connected and how to replace consumables like toner, ink or batteries.

Know your software. If the machine you are using at home is your own and not managed by your employer, you should absolutely know the following: What operating system and version you are running. Whether or not you have antivirus installed and working (you should). What program or platform are you using to back up your data. You should also have critical passwords recorded in a safe (preferably digital) place that you can get to even if your main computer is inoperable.

Image by Lorenzo Cafaro from Pixabay

If you’ve used a computer – Windows or Mac – in the past 20 or so years, you’ve probably used a handy product called Malwarebytes. Once consider a scrappy bit of software us techs could whip out during the early days of malware infections, Malwarebytes has since “leveled-up” into a very successful security platform that still offers a useful, free version of its malware scanner. Unfortunately, their visibility in the market makes them a big target as well, and they just revealed that they have been compromised by the same hacking group that gutted SolarWinds.

What this means for you

According to Malwarebytes, unlike SolarWinds their products were not compromised but their email was hacked in the same manner. Even so, email is the lifeblood of any organization, so this is still a blow to their brand and to their internal morale. In their defense, the group responsible for the hack is credited with possibly one of the most devastating cyberattacks in history and it’s pretty evident we are only just starting to discover the breadth of their campaign which is conservatively estimated to include thousands of companies. These types of wounds (and scars) are earned on the front-lines of a war most of us don’t see, and it is at once disconcerting and strangely comforting that even the largest, best prepared organizations still fall victim to cyberattacks. This should not discourage you from making every effort to stay safe. If anything this should serve as a stark reminder that there are powerful forces aligned against ethical, honest people who are just trying to get some work done, and as such always allocate a healthy amount of resources and respect for security and backup for your technology infrastructure.

Much of what I learned from my father about being handy around the house was from watching him work, and then, once I was old enough to be more useful than distracting, from actually doing the work while under his careful supervision. His style of instruction was typically hands-off and non-verbal, letting me experience the tools and work for myself, but he spared no words when it came to warning me about the dangers of the various tools (powered or not) with which we worked. His hands were covered with various scars that did not require more than one terse explanation, and my grandfather was missing parts of two fingers from a woodworking accident that served as a silent and regular reminder of a life lesson I carry with me to this day: Tools are dangerous regardless of your familiarity with them – always treat them with respect and understand their proper use and application.

Ignorance and injury go hand in hand

The attack last week on the nation’s capitol by extremist thugs will no doubt grace numerous textbooks and will provide plenty of lessons for everyone, but there was a particular behavior exhibited by many of the invaders that has provided plenty of amusement for the rest of nation and illustrates my point perfectly. While I’m sure many of the people participating in the violence last week thought they were justified and not committing crimes, documenting your “activities” via social media demonstrates a clear lack of understanding of what that act actually achieves. Not only did they visually document numerous criminal activities that directly or indirectly led to the deaths of 5 individuals, they pinpointed themselves at the scene of the crime via GPS on their “smart” phones. This same crowd used the conservative social media platform “Parler” to organize this attack, to foment additional hate, and then documented it with thousands of posts, pictures and movies, all of which was scraped by a hacktivist and made available to the public and, presumably, numerous law enforcement agencies. I’m sure there were plenty of law abiding citizens engaged in reasonable discourse on Parler – one of the most common arguments offered by conservative politicians on the dismantling of your privacy is, “If you’ve done nothing wrong, you have nothing to fear.” Over 50 terabytes of data is a lot to sort through, but you can be sure that plenty of self-incrimination will be found within.

In addition to the lessons taught by my father and grandfather, I learned plenty of times the painful lesson that even tools you know well can “bite” if you are careless or try to use them in unintended ways. While poetic justice is rare and should be celebrated when it is encountered, Parler’s unintentional incrimination of some of it’s hate-filled user base should also pose a sober lesson for everyone. It’s clear that social media (and the internet) was meant to bring the world closer to together but it has, at the same time, driven a dangerous wedge into society. Ignorance, misinformation and hate spread just as quick as knowledge and compassion on the internet, and we just got bit by the sharp edge of this tool.

Later on in life, once I was old enough to appreciate it, my father told me that it was a constant struggle to not snatch tools from my hands if it looked like I might hurt myself. He knew I had to learn the hard way, but not necessarily at the cost of a finger or worse. Unfortunately, my dad isn’t around snatch this tool out of our careless hands, and it’s clear Twitter and Facebook’s “dads” aren’t keeping a watchful eye either. By allowing hate and lies to ferment online, social media usage played a direct role in creating one of the darkest days of American history and led to the loss of 5 lives. Seeing as this tool can’t be put down and another used, we must learn how to use it properly, safely and for constructive purpose.

Image by Peggy und Marco Lachmann-Anke from Pixabay

I’m sure many of you celebrated the passing of last year with no small amount of relief, and if you were one of the 190M people in the US who purportedly resolved to improve themselves this year, I’m going to bet at least some of you put “Get better at technology” on that list. While I heartily commend and support this goal, you should also know that the majority of us fail in New Year’s resolutions because we didn’t keep them specific, achievable and completable. A clock ticking over from “0” to “1” doesn’t make one year better than the previous, but one would think, “Surely, technology will be better in 2021.” Normally that would be a safe bet, but even my normally boundless enthusiasm for technology has been tempered by some trends I’ve watched develop in 2020. Regardless, getting better at (a specific) technology is worth pursuing, but you should also know that if it feels like an uphill battle, it’s because it will likely be just that. Here’s why:

You aren’t imagining things: technology overall is not getting any easier. One of the ongoing promises of technology is that it is supposed to be making our day-to-day lives easier. There’s no question that we are capable of more and we have access to things that weren’t even dreamed of 20 years ago, but for critical technology devices and services that are considered on the same essential tier as things like plumbing, automobiles, and central heating, they are still stubbornly complex, hard to troubleshoot, and well outside the understanding of any reasonably intelligent human. To be fair, most of us probably couldn’t install a sink or fix a car, but these technologies are largely standardized and have changed relatively little as compared to things like smartphones and computers. Even something that was dead simple for decades – the television – has become incomprehensible for many. For each thing that we simplify, two others seem to get more complex, and they seem to do so in service to two things: more security, and/or more functionality. Your takeaway from this observation: don’t feel like you are getting dumber. You aren’t – technology is changing faster than most of us can learn, and the constant level of change means that the knowledge we manage to gain quickly grows stale or obsolete. It’s exhausting, even for the experts.

If there is one thing that technology has failed to simplify – it’s security. As a matter of fact, in many ways technology has actually made staying safe that much harder. In decades past, if you did not want your data online, you avoided going online. Identity theft was elaborate and rare. Most of us had our credit cards stolen maybe once every 4-5 years, not 4-5 times a year. Our financial (and sometimes physical) security is regularly jeopardized by the negligence and carelessness of a megacorporation over which we have zero control, except in one, most meaningful way: Get out and vote for leaders who understand what is at stake and who have people and communities, not corporations (and their billionaires) as stakeholders. You should know what their position is on personal privacy and data protection. Don’t be afraid to ask hard questions if given the opportunity – your safety is at stake. However, if you are looking for a break from activism and politics (let’s be honest, who isn’t?), here’s a smaller, achievable new year’s resolution: start using a password manager and better passwords for all your critical services.

The best, most useful technologies are ones that are focused, limited in scope and, ironically, change more slowly than the “normal” pace of technology. This isn’t a new revelation, and nothing in 2020 or years before lead me to believe this will change any time soon. If anything, use this as a rubric to assist you in identifying what technologies you wish to “get better at”. Frustrated at the confusing changes on your new smartphone? Focus on the core things you need it to do (not what it’s capable of) and learn how to make those services consistent and worry free. If you can’t make it either of those, then perhaps the device is ill-suited to the task. The very root of technology is the Greek technos and logia which literally translates to “the manner or means by which a thing is gained.” Technology is a means to an end and not the end itself. If a device, app or service is making it hard to achieve something – it’s the exact opposite of technology.

Reuters reported on Dec 13, 2020 that several high-profile government departments have been hacked, and had been compromised as far back as March of this year. Early research points to Russian military-backed advanced persistent threat group known as “Cozy Bear” who utilized what’s known as a supply-chain exploit to penetrate the US Commerce, Treasury and Homeland Security departments, as well as up to 18,000 other US government and business targets. At the moment, officials confirm that the Russian hackers had full access to internal emails of the US Treasury and Commerce departments, but security researchers fear that this is only a small part of what is looking like a huge breach.

“Welcome to the club?”

While you might be tempted to savor some schadenfreude at their expense, the implications of this attack will be profound for the government and many Fortune 500 companies that were also likely compromised. This is also a bad look for managed service providers like C2, as source of the breach was MSP giant Solar Winds who, ironically, provides the technology management and security for the hacked government entities, and, whose own security monitoring platform was the source of the compromise.

As you’ve heard me say numerous times, there is no amount of money spent or technology applied that will provide you with a bullet-proof, perfectly secure environment. The fact that the largest MSP in the US can itself be compromised and used as a weapon against its own customers demonstrates this lesson unequivocally. The best protection from malware attacks and security breaches is a multi-layered approach:

1. In addition to having proper antivirus and spam filtering, firewalls and updated software, your employees should be trained regularly on technology security.
2. Your critical data should be backed up offsite. Not just server data, but possibly email and files on company principals’ personal computers. Remember cloud filesharing does not equal backup.
3. You should review your company’s security policy, especially if it hasn’t been updated with work-at-home specifics, and make sure that employees get a refresher on any changes made to the policy.
4. Your company should have at least an outline or basic disaster recovery and business continuity plan.
5. If you don’t already have it, consider acquiring cyber liability insurance that will cover security breaches, especially if you are a part of a regulated industry that deals with confidential data for clients and customers.

It’s hard to see how the pandemic could bring about anything positive that wasn’t gained at the cost of over a million dead (worldwide), but the change it has wrought is irrefutable. Certain industries like food services and hospitality have had to reshape their entire business model, and many that couldn’t change fast enough succumbed as the entire world retreated to our bubbles. Not surprisingly, most professional services firms (accountants, lawyers, financial advisors, banks, etc – and yes, MSP’s like C2) after the initial panicked spasms were overcome, turned out to be well suited to work remotely, and many are now making a leap of faith to go fully virtual permanently by eliminating one of the larger expense lines in their budget – the office lease.

In most cases, there is no technological reason why some companies can’t go completely virtual. Note the words I emphasized there. For several industries, especially the ones that were born of the digital age, business technology is easily well ahead of the need curve for the majority of organizations in that industry, so far ahead in some cases that many have no idea of what is possible and don’t even consider it. Let’s assume that the technology exists for your company to go virtual, so instead it may be useful to examine the reasons why you might need to consider carefully before tearing up that office lease.

Look before you leap!

As has been made painfully obvious by our (mostly) self-enforced lockdowns, some of us are realizing how much we miss the hustle and bustle of a busy office. Indeed, many companies thrived on spontaneous interactions that can only occur when people are physically adjacent. If you’ve noticed a decrease in productivity or creativity despite everyone having all the tools they need, you may have been one of those companies that developed a culture that was built around face-to-face interactions. Switching to online forms of interaction like videoconferencing and instant messaging will be difficult for people, and certain folks will never consider it as a suitable replacement for those watercooler meetings. The pandemic will end and for staff that look forward to returning to normalcy it may be particularly disheartening to find out that their workplace also fell victim to Covid.

Physical offices allow for a certain level of technology simplicity and manageability that are not achievable (yet) in virtual companies. Granted, if the internet was down for the office, no one was getting any work done, but conversely, it also allows IT managers to ensure a consistent level of service and security that they could literally put their hands on by walking down the hall. Running a company on the back of the internet and personally-owned electronics presents a new layer of complexity that is not easily serviced by a traditional in-house IT department, and it multiplies the potential security vulnerabilities to a level that will be unacceptable for some industries without very careful planning and discipline.

You should also consider the management style of the company’s leadership. Are they used to managing by sight, i.e. they need to see that their employees are busy and engaged, or can they trust that their people know what needs to be done without being physically supervised? It shouldn’t surprise you to know that while it is technologically possible to supervise remote employees just as closely (if not closer) as if you were standing over their shoulder, most folks will find this intrusive and offensive, especially if they are working from home. While I would argue that this type of leadership is perhaps a relic of bygone eras and definitely less effective in today’s workforce, I still regularly encounter it and know that leaders who rely on this style are especially frustrated by virtual staff.

Make no mistake, virtual companies are here. They were here well before the pandemic and I’m seeing many more making the transition as each week passes. While it may be tempting to consider permanently striking real estate leases off your budget, make sure you consider the underlying costs that might not be easily summed up on a spreadsheet.