I’ve spent the last 2 blogs getting you pumped up to upgrade to Windows 10, but you should know that despite being an overall improvement from Windows 7 and 8 in many ways, there are several aspects of the “new” operating system that are markedly different from Windows 7, and a few that are, in my opinion, a step backwards from the stability of Windows 7. Regardless of these blemishes, none of us are being given an option to live in the past except at increasing risk, so get ready to love Windows 10, warts and all.

The Bad and the Ugly (Sorry, no “Good” today!)

If you’ve not spent any time doing work on a Windows 10 computer, these may be eye openers for you and as near as I can tell, they are unavoidable for the moment:

• Windows updates are forced. You can defer them for awhile, but at a certain point, you will get updated if you are connected to the internet. There are ways to work around this to a limited degree, but it’s not recommended unless you know specifically that a Windows 10 update will break an application on your computer. And even in these special circumstances it is in your best interest to get that app updated so that it will be in-step with Microsoft’s update cadence. The longer you go, the more onerous the update will be when it happens. See the next wart to understand why you don’t want this
• Windows updates will sometimes temporarily slow down your computer A LOT. Depending on the size of the update, this may be for a few minutes, or, for slower, older computers, the slow down will be several hours and it…will…be…punishing. You can’t stop it (without dire consequences) and there really isn’t any way to make it go faster other than to stop using your computer altogether while it’s updating.
• Windows updates will break your printers (sometimes). I know it’s Microsoft trying to be helpful by providing “updated” printer drivers for your installed printers, but 9 times out of 10, their driver isn’t as fully featured as the manufacturer’s driver, and on older printers, often doesn’t work at all. Be prepared to reinstall your printer drivers after a major Windows update.
• Windows updates will break your PDF reader setting. Again, Microsoft is trying to be helpful by providing you with a PDF reader by changing your computer’s default PDF app to it’s new browser Edge, and to be fair, it does an OK job as a PDF reader. But for those of you who spent an arm and leg to pay for Acrobat, I’m sure that Microsoft’s cheekiness rubs you at least $200 in the wrong direction.
• The fancy new Start Menu will occasionally be populated by games and apps that you did not install. I won’t provide an excuse for this behavior. I find it galling but put up with it because I’m too lazy to remove them, and frankly, I don’t even use the Start Menu, so I don’t see the blatant marketing. Again, there are fixes that require a certain amount of Macguyver’ing that most folks just won’t do, so get ready to ignore yet more advertising on your computer.
• Cortana is useless. It’s not Siri, Alexa nor is it OK Google. I’ve not met anyone who finds it useful or even accurate on a consistent basis. Don’t even bother. You can turn it off but you can’t remove it (yet).
• Windows 10 wants to control your other application defaults. This particular aspect isn’t as consistently annoying as the PDF one mentioned above, but Windows 10 will occasionally challenge you by changing your default printer, internet browser, photo viewer and email reader to the Microsoft designated app.

I’d like to say that none of these are showstoppers, but for many of clients the top 2-3 are frequent work-stoppers, often enough that they’ve come to dread Windows updates almost as much as we do here at C2. I’ve talked a little about this in a previous blog, but despite quite a bit of rabble-rousing from our industry, Microsoft continues to use us as captive beta-testers. Unfortunately, most average Windows users don’t make good testers, so it’s become something of a vicious circle. Over the years of using Windows 10, the one thing I’ve noticed is that the longer you put off applying the updates, the worse it gets in terms of impacting you at exactly the wrong time. My best advice for everyone using Windows 10 – apply those updates on your own terms – don’t wait for Microsoft take that decision (and time) out of your hands.

Image by Gerd Altmann from Pixabay

If you don’t have a Google account or use the Google calendar feature, you can stop reading and maybe read something from our back catalog. Still with us? Good, I’ll explain what’s happening, and then how you can plug this particular vulnerability. To put it simply, scammers are sending calendar invites to Google users that have malicious links embedded in the text of the invite. Not so bad, right? You know how to spot those. Except these aren’t emails – they are calendar invites that are being automatically added to your calendar courtesy of some default settings that Google has still not changed despite being warned about it nearly 2 years ago. The problem comes when these fake invites actually pop up as a notification on your phone or computer, and as we are all trained to do, we click to get more information, possibly on a disguised link in the text of the invite, and BAM, you are infected.

Here’s how you stop this

You have to do this via a web browser, and I would recommend using a computer instead of your phone, mostly so you can confirm you are changing the correct setting by matching what you see with the screenshots below.

Log into your Google Account. This link will take you to your calendar if you are already logged in, or to the login screen if you are not – https://calendar.google.com/

Look for the gear icon in the upper right corner of the calendar web page and click “Settings”:

Under the “General” menu, click “Event settings” and then look for the “Automatically add invitations” setting which probably says “Yes”:

Change that setting to “No, only show invitations to which I have responded”

Next you may want to consider disabling Google’s “Events from Gmail” function which automatically adds events to your calendar based upon emails you receive, such as flight confirmations, restaurant reservations, concert ticket receipts, etc. If you don’t regularly rely on this feature, you should turn it off until Google is able to further secure calendars from fake invitations.

If you want to disable this feature, look in the left column for “Events from Gmail”, click it, then uncheck the “Automatically add events from Gmail to my calendar”.

Finally, if you already have fake invites in your calendar, you can report them as spam, and Google will automatically remove any other invites on your calendar from that same sender. You also have to do this from a computer web browser. Do not do this from your calendar app on your mobile device.

To report a Google calendar event as spam, find the event in your calendar, open it and then click the three-dot icon “Options” and then select “Report as spam”:

Photo courtesy of Stuart Miles from FreeDigitalPhotos.net

In case you haven’t already been scared silly by the concept, “deep fakes” are a new classification of videos wherein the faces of the subjects of the videos, usually short clips from movies or talk shows with easily recognizable actors, are replaced with a different face. While skilled video and movie special effects editors have been doing this for decades, the effect was usually obvious and it took an expensive special effects studio to produce the result. Now, we have YouTubers producing clips like the below which is amazing and terrifying at the same time:

What this means for you

The amazing part is easy to see (or not see). At some point in the video, I forget that I’m looking a Bill Hader and can only see Arnold’s face, which coupled with his excellent impression of the Governator, makes it look AND sound like Schwarzenegger is sitting with Conan instead of Hader. The terrifying part? This was done by one guy using open source software that doesn’t require an entire special effects studio team to produce.

If that isn’t enough to put a chill in your bones here are a few recent deep fake news stories that should wake you right up:

• The Democratic National Committee produced a deep fake video of their own chair Tom Perez for this year’s Def Con (one of the biggest hacker conventions in the world) to highlight the dangers deep fakes present to the 2020 elections.
• A Chinese app maker just released a free app on the Chinese iOS App store that can use a single picture to replace actors’ faces in a collection of famous movie clips.
• A scammer used a deep fake audio application to impersonate the voice of a UK energy firm CEO which was convincing enough to trick an employee into transferring over $200k to an unauthorized bank account, from where it was quickly transferred and laundered through multiple international accounts.

There’s that elephant again, though at least this time, there are a lot of people talking about it. Technology is again racing ahead of ethics, morality and law, and shows no signs of stopping. Will it take money or elections being stolen before anything is done about it? Have we hit a point where society will always be trailing technology, picking up the broken pieces and taping together integrity as best we can?

Image Courtesy of Stuart Miles at FreeDigitalPhotos.net

I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even if during that process your phone asks if its OK to grant new permissions to an app that needs access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code which can then be decrypted and run on the device without any action required by the phone owner.

What this means for you

Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.

As with many types of malware infections, the underlying cause is often either a lack of understanding of how phones can be infected or what that behavior might look like on a mobile device, or, in many cases, a lack of patience or even care for the diligence required to notice the problem in the first place. If you need some basic guidelines on navigating the mobile app safety maze, here are some things you should always observe:

1. Remove any apps you aren’t using, especially ones you don’t remember installing.
2. Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
3. Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours of being installed to avoid detection.
4. Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
5. Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
6. Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.

Ransomware attacks are on the rise. Depending on which security company you get your news from, the percentage increase from 2018 varies from 110% to a whopping 365% as reported by Malwarebytes Labs. Also important to note: attackers are going after government institutions in the US in a noticeable way. Since the start of 2019, there have been 22 documented attacks on city, county or state governments, including the high-profile incident in Baltimore which I wrote about back in May of this year which has thus far resulted in $18 million in remediation costs and lost revenue. Not to be outdone, the state of Texas can add new record to its list of big things: 23 local government organizations were attacked simultaneously in what is being called the largest coordinated ransomware attack against multiple government entities…so far.

What this means for you

Unless you happened to be served by one of the 23 unlucky institutions affected by this attack, this will be one more splash of water in our ongoing drink from the malware fire hose. Texas officials are keeping mum so far on who-what-where’s of the attack, but if I had to guess, someone got phished via email, gave up credentials, which led to the hackers being able to drop malware on critical systems that all went off on August 16th. Given the breadth of the attack, it’s likely the attackers have been working this particular set of targets for months, meaning it was organized and purposeful.

You might not have noticed this, but ransomware attacks had slipped to the background in 2017, but they are back with a vengeance and focused on businesses and government entities because the hackers realized deeper pockets are just as susceptible to ransomware, and are more likely to pay ransoms because they can’t afford to not pay, as seems to be painfully exemplified by Baltimore’s ongoing recovery. As always, your best protection against this type of malicious, technological pollution is a multi-layered defense perimeter that consists of at minimum: email filtering, workstation and server malware protection, a strong firewall, and cloud-based backups. If you can add employee training to that list, you will be much better protected than your neighbor or even the competition. And in case you were wondering where you might be able to cover all these bases with one call, just give us a ring.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

It’s a day ending in “Y” so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capitol One was quick to try to downplay the severity of the the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.

Not feeling violated enough yet?

To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.

“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.”

Anonymous Apple Contractor to The Guardian, 26JUL2019

An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net