Having your company’s operations halted due to a ransomware attack is pretty high up on the list of nightmare situations for any business owner. Depending on the severity of the attack and the state of your backups and business continuity plan, this could mean days of downtime while data is restored, and systems sanitized. In the case of a storied Illinois college, it took them months to restore services after a ransomware attack in December 2021, and by the time systems were brought back online, the downtime was enough to hammer the final nail in the coffin for Lincoln College, a 157-year old institution that was already financially reeling from the Covid pandemic.
What this means for you
It’s unclear from the small amount of information available on the incident as to why it took so long to restore systems at the college, but if my time in the higher-education industry illuminated anything for me, it was that academic institutions aren’t always at the forefront of technology security or disaster recovery, mostly because of underfunded technology budgets. If I had to name one thing that always catches ransomware victims off-guard, it’s the misconception that their particular company or organization is not worthy of being targeted for these types of attacks. While cybercriminals are definitely targeting high-value organizations in a very specific and determined manner, there is a wider, more generalized “net casting” of ransomware attacks that are more opportunistic and seem to care not for the financial means of the victim. Lincoln College may not have been targeted specifically – someone with sufficient privileges to key systems may have inadvertently fallen into a widely-cast phishing net (a broadly targeted phishing campaign), and once the hook was set, the hackers moved in for the kill, not caring (or even knowing) that the college was already in dire financial straits. What most people don’t realize is that there is literally no financial disincentive for hackers to attack, hook and ransomware as many targets as possible. It costs them literally nothing to spread ransomware, and if the victim doesn’t pay, they just move on to the one that will. Unfortunately for victims without proper data backups and a business continuity plan, that random attack could shutter the business for good.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Last year we wrote about T-Mobile getting massively hacked, which essentially led to their entire customer database being leaked. This was a problem because among the information leaked were cell numbers and their associated, unique IMEI numbers which in theory could result in phones getting duped and/or services for accounts being switched to a different phone if the hackers had access to some of T-Mobile’s core systems. And now we’ve come to discover they did in fact have that privileged access, though we do not know to what extent it was used to exploit the information they most assuredly had. T-Mobile has since confirmed that hackers did have access to very sensitive data, including source code and privileged accounts, which the hackers themselves have boasted about stealing. As revealed in private chat logs acquired by security researchers, the hackers also admitted to not being able to access law enforcement and DoD T-Mobile accounts to attempt sim swaps, but it’s not clear if they were successful with non-government accounts.
What this means for you
Many people use texts sent to their smartphones as a second-factor authentication method. If a hacker were able to SIM-swap or dupe a phone used as such, and they had other elements of that person’s digital life, such as logins and passwords to online banking that are protected by SMS-based second-factor, then those accounts are no longer secure, and most likely exploited. The most important element of a second factor is the fact that it is something that is in your sole possession, and this hacking group’s access to secure T-Mobile account management systems completely undermined that security method for T-Mobile devices.
As is to be expected, T-Mobile has been tight-lipped about whether or not it has been able to keep hackers out of their core account management systems. Supposedly there are safeguards in place that prevent the tools from being run from unauthorized computers and networks, but according to the same chat logs mentioned above, it was clear this particular threat group already had this particular problem solved. Even when compromised credentials were shut down, this group continued to secure new, usable credentials either by buying them through the dark web or tricking actual employees into giving up their credentials. By their own alleged admission, the leader of this threat group shut down their backdoor access so as to not draw too much attention to their efforts before he was able to achieve his personal objective of stealing T-Mobile’s source code. This did cause some infighting within the threat group, as there was a faction that wanted to keep trying to gain access to government accounts, and others that wanted to target high net-worth accounts for SIM-swapping and account takeovers.
Fortunately for us, and possibly for T-Mobile, seven teenage members of the threat group behind the T-Mobile hack have been arrested. Ironically, they were identified probably by getting doxxed from within their own hacking community which appears to be rife with infighting and drama, just like any other large, online community. Does this mean you can trust T-Mobile’s security? I moved my family’s service off T-Mobile despite being a fan of their customers service for years. Is the carrier I moved to any more secure than T-Mobile? Only time will tell, but they, like all the others, are run by humans, and as we all know, humans make mistakes. Is it time to add another line to the list of life’s certainties? Death, Taxes and Hacking? Somedays it certainly feels like it.
For those of us who’ve been using computers in the workplace for more than a decade or longer, we have frequent “Pepperidge Farm moments” about technology (and other stuff too, let’s be honest!) but for good reason. How many of you have been grinding through emails for the better part of a Monday morning, gathering up a pile of work, and when you go to open that attachment (which you know is safe, right?) and instead of getting to work, you get password checked. More often than not, if you are from my generation or possibly older, you’ll grind your teeth while looking up those credentials and reminisce about those halcyon days when apps just opened and let you get to work. They didn’t need constant updates, repairs and password checks. You opened them, did your work, and maybe left them open for days at a time, because they didn’t need to be relaunched three times a day just to keep it functioning.
Get off my lawn?
I know that joke doesn’t play as well for the younger crowd, but while they are quietly chuckling about our obsession with ancient technologies like email, they too are subject to the same plague of passwords and the various hoops we all have to jump through in our current technology age, and they don’t have those yesteryears to view through nostalgic glasses. Those bygone days may have seemed glorious; some of us remember when your appliances didn’t need Bluetooth to wash clothes, doorbells didn’t need WIFI to work properly, and you didn’t need a phone app to get a date. But those were also the days when pregnant women drank and smoked, kids rolled around in the backseat or cargo space without seatbelts, and computers (and ourselves) weren’t connected to the internet all the time.
The internet is and will be a permanent part of our culture, business and human progress, whether we like it or not. It has allowed us to globalize and democratize in a way that eclipses every other technology before it, but as I have mentioned before, not without a razor-sharp edge that cuts both ways. The rise of cyberthreats has forced our technology tools (and toys!) on a security march at a pace that no sane consumer finds comfortable, and the only way technology companies can keep us (moderately) safe and stay profitable (and therefore viable) is to move their pricing models to subscription-based services to support the constant development costs. Which also means for the foreseeable future you are going to have to regularly prove you have the right to use the technology to which you subscribe. The only way passwords go away is if we find a better way to authenticate you as you, and so far, even though the need and the threat have existed for well over a decade, no one has found a better, cost-effective solution than the password.
Image by Gerd Altmann from Pixabay
Though it won’t be something most of us would like to hear, staying safe in technology is no longer a matter of being savvy, street-smart and vigilant. The concept of “rugged individualism” is considered one of the foremost tenets of American culture and stems from the countless (and most likely glorified) stories of pioneers and young entrepreneurs fighting what seems like impossible odds to come out on top, merely through tenacity, ingenuity and pluck. What the history books fail to share are the numerous accounts of everyone else barely surviving, or in many cases outright failing. Make no mistake, even experienced technology experts are getting hacked, so the chances of you coming out unscathed in today’s dangerous internet environment are slim to none.
What this means for you
Most likely you are in fact experienced, street-smart and savvy. You might be able to troubleshoot basic technology issues, navigate bizarre support bureaucracies to get a password reset, and even change a tire or check your own oil on that Honda Accord that’s still running like a champ after 100k miles. You know better than to use “Secret1234” as a password, and you’ve even figured out how to block some trackers in your browser from sniffing out your shopping habits. Unfortunately, what you’ve learned would now be considered baseline survival on the internet. The current state of internet security is thus: at no point can anyone, me or the leagues of hardened technology experts, sit back and say, “There! I’ve learned all I need to stay safe online.” Your internet safety habits are the equivalent of learning how to drive, and like most everyone, we still need a pervasive infrastructure, mechanics and engineers to maintain the elaborate systems that have become essential for us to pursue a modern life. The majority of us aren’t expected to be auto mechanics, or even roughly familiar with how a car even works, and likewise I don’t expect everyone to be a technology expert, BUT you mustn’t take it for granted nor undervalue the true costs of staying safe. The more reliant you become on technology, the more you will have to invest in either training yourself, or take the more practical approach of making sure you have an expert like C2 Technology on speed-dial.
Image by Schäferle from Pixabay
Though it doesn’t come as a surprise to most of the IT community, the Federal Communications Commission (FCC) recently added Russian software developer Kaspersky to its list of companies that should not be used by any entity that receives funding through the FCC. Given the current geopolitical climate, this move probably shouldn’t surprise most everyone else at this point as well. The Moscow-based security and antimalware company has been under significant scrutiny since 2017 after an explosive report from Bloomberg Businessweek exposed the company’s close ties to Russia’s intelligence agencies, leading to the software being banned on all U.S. civilian government networks shortly after its publication.
What this means for you
Depending on who you talk to (including C2), Kaspersky has been on the “no-fly” list for most (non-Russian) security advisors since at least 2017, and for many of my clients who grew up during the Cold War, the software has never been a consideration because of its Russian roots, even though it was considered highly competent in the early 20-teens. It was well regarded enough to gain sufficient American market penetration that it had to be listed and banned to force its removal from the various U.S. government agencies that had based their choices on more technical versus patriotic considerations.
If you are using it, should you remove it? The answer is obvious if you are an entity that is covered by either the US government ban or the FCC’s prohibitions, but what about your family PC? Politics aside, there are enough solid replacements out there that sticking with Kaspersky isn’t worth the potential risk or bad optics it presents to U.S. companies. As for your personal computer? It’s a personal choice, of course, but Kaspersky’s technology no longer stands out from the crowd, so don’t give it an edge there. Go with an option that maybe has less baggage at the moment. For personal computers we like Webroot, Malwarebytes or Bitdefender, and if you don’t have the extra cash for a paid antimalware platform, the built-in options on both Windows and Mac OS X are decent enough if you are vigilant and stay away from those questionable links in strange emails.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Given how complicated it was to set up organizational email services in the previous decade, today’s self-service offerings from Microsoft and Google have significantly eased the process of setting up email for your-company.com with an affordable, highly-reliable and relatively secure provider. It literally takes a handful of minutes (if you know what you are doing) to go from zero to email, but there are still plenty of gotchas that can render your new service less than perfect. If your recipients keep finding your emails in their junk folder, it’s possibly worse than not having email service at all. It would be impossible for me to outline all the ways in which this may happen, but there is a common gotcha you might want to investigate.
SPF? Is my email getting sunburnt?
Recently several of our clients have had problems with email delivery caused by incorrect SPF records. In this case, SPF is an acronym for “Sender Policy Framework” and not “Sun Protection Factor”, but much like forgetting the sunscreen on your day outside, not having proper email SPF will result in you getting “burned” as your emails are marked as spam by your recipient’s email servers. Without getting into the bloody details, the Sender Policy Framework is one way email servers verify the sender is who they say they are: “Is this email actually from C2, or is someone spoofing the sending email address?” While spoofers can fake your email address, they can’t typically change your SPF record (if they can, you have much bigger problems), so it’s a reliable source of verification if it’s set properly!
Here’s how you will know your email is getting marked as spam for having an improper SPF record. From your company’s account, send an email to an outside email address that you have ready access to, such as a personal Gmail or Yahoo account. You will need to check the headers on that email for SPF failures – the formatting and verbiage you need to look for in the headers will vary depending on the recipient’s email provider, but Google returns failures that look like this:
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) client-ip=##.##.109.66;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=TJLH3iac;
spf=softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) [email protected]
If you find “Fail” anywhere in the header, that email will likely get marked as spam and will end up in Junk or Spam folders rather than the inbox. Now how does something like this happen? If you’ve gone through your provider’s guided setup process, or had email set up by someone like C2, your SPF records will be set properly, but if you recently made changes that might alter your DNS (like a website redesign!) or engaged a new cloud service that sends emails on your company’s behalf, you may need to check your SPF record to ensure it is set properly. You can check your current SPF record using a free tool at MXToolbox.com (not a sponsor, we just like the tools), but unless you are well-versed in DNS and domains, you may not be able to easily interpret the results. Either way, if your emails are getting delivered to spam regardless of your recipient’s whitelisting efforts, an incorrect SPF record may be the culprit and should be addressed as soon as possible!
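To make the header check above concrete, here is an added Python example (it is not code from the original post or from C2): it pulls the SPF verdict and client IP out of constructed Gmail-style headers, then evaluates an SPF record offline against that IP to show how adding the new cloud service’s sending range turns a softfail into a pass. The addresses, domain and SPF records are constructed, and the evaluator only handles ip4/ip6/all mechanisms since it does no DNS lookups.

```python
"""Read an email's SPF verdict from its headers and evaluate an SPF record
offline against a sending IP (ip4 / ip6 / all mechanisms only)."""
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real message): headers shaped like the ones Gmail
# adds when the sending IP is not listed in the sender's SPF record.
SAMPLE_MESSAGE = (
    "Received-SPF: softfail (google.com: domain of transitioning "
    "alice@example.com does not designate 203.0.113.66 as permitted sender) "
    "client-ip=203.0.113.66;\n"
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@example.com header.s=sel1 header.b=PLACEHOLDER;\n"
    "       spf=softfail (google.com: domain of transitioning alice@example.com "
    "does not designate 203.0.113.66 as permitted sender) "
    "smtp.mailfrom=alice@example.com\n"
    "From: alice@example.com\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms/modifiers that need DNS; this offline checker stops at them.
NEEDS_DNS = ("include:", "a", "mx", "ptr", "exists:", "redirect=")


def spf_verdict(raw_message: str) -> dict:
    """Return the SPF result and client IP the receiving server recorded."""
    msg = message_from_string(raw_message)          # handles folded headers
    auth = msg.get("Authentication-Results", "")
    received = msg.get("Received-SPF", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", received)
    result = spf.group(1).lower() if spf else received.split(" ", 1)[0].lower()
    return {"spf": result or "none",
            "client_ip": ip.group(1) if ip else None,
            "likely_junk": result in ("fail", "softfail")}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record for client_ip the way a receiver would.

    Returns pass/fail/softfail/neutral, "permerror" for a non-SPF record, or
    "unknown" if a DNS-dependent mechanism is reached before any match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                              # default qualifier
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        low = term.lower()
        if low == "all":
            return QUALIFIER_RESULT[qualifier]
        if low.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif low.startswith(NEEDS_DNS):
            return "unknown"
    return "neutral"            # RFC 7208: nothing matched and no "all" term


if __name__ == "__main__":
    verdict = spf_verdict(SAMPLE_MESSAGE)
    print("Receiving server said:", verdict)
    before = "v=spf1 ip4:198.51.100.0/24 ~all"                  # constructed
    after = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all"  # new range added
    for label, rec in (("before", before), ("after", after)):
        print(label, check_spf(rec, verdict["client_ip"]))
```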
Image by CrafCraf from Pixabay
After what felt like a golden age of Windows stability (ahh those glorious Windows 7 years!) we are back to Windows computers needing to be rebooted on a regular basis just to keep running smoothly. We can chalk that up to the frequent updates and patches that Microsoft is pumping out to try to keep us safe and running effectively. The unfortunate knock-on effect of this is everything else on your computer is also on this forced march of patches and updates, which means there’s at least one more indicator you have to watch. And if you are like most of us, it’s easy to miss that warning light!
What this means for you
Mozilla recently had to issue an out-of-band (meaning an unscheduled) patch this week for its Firefox browser to plug some security holes it said were already being exploited in the wild. To apply the update, you merely need to close and relaunch Firefox. The same goes for the other browsers – apply updates by closing and relaunching the app. If you are like 99% of web surfers, it’s highly likely your browser has been open and running since you booted up your computer, which might also be long overdue for a reboot. Some of you are just focused on your work, and some of you have been burned often enough by long updates to carefully ration out the reboots to when you can afford to step away from the PC for what might be an extended bit of down time. Also, all the major browsers are fairly unobtrusive in alerting you about the waiting updates – it’s usually a small flag or dot in the upper right corner of your browser window, and let’s face it, you ain’t looking over there all that often, right?
Do yourself a favor and check to make sure your browser isn’t due for an update. If you are experiencing odd issues with web pages, or the computer is just running poorly, restarting your browser even when there isn’t an update waiting may free up some resources that will smooth out your computing experience. While it has gotten better over time, Google Chrome (and Gmail’s web interface) are notorious RAM hogs that will slowly soak up all available RAM the longer it runs. Microsoft’s Edge uses the same engine as Chrome, and while it seems to be a better steward of resources, it can still consume large quantities of RAM if you have many tabs open. And we all know you have many, many tabs open.
If there is one thing that is certain, it is that whenever a useful technology is invented that is supposed to benefit us, there is a corresponding negative usage that can and will be exploited. After the initial dopamine rush wore off around Apple’s AirTags, people started waking up to the negative implications of a small, easy-to-conceal, wireless tracking device that utilizes one of the largest global networks in the world. Apple’s “Find My…” network is too useful to not be exploited, and the less ethical are already doing so.
What this means for you
Apple’s AirTags were initially created to track items that could be easily lost or stolen and ostensibly were made inconspicuous so that they weren’t unsightly and so thieves couldn’t easily find and discard the trackers. Once reports started flowing in of the “less orthodox” usage of AirTags, Apple immediately tried to get out in front of the problem by letting everyone know that AirTags themselves have unique, embedded serial numbers and their usage is tied to an Apple account – information they will surrender to law enforcement in a criminal investigation. But they glossed over something that more inventive hackers latched onto – what’s to stop someone from creating a “cloned” AirTag that simply bypasses Apple’s security measures? At the moment, nothing. Someone has already done so, and you can assume that Pandora’s box is not going to be closed any time soon without significant intervention from Apple.
Until that happens, you should get caught up on Apple’s lengthy advice on detecting and finding unwanted trackers. The article goes into great detail for Apple device users, so if you are an iPhone user, finding an unwanted Apple-made AirTag should be pretty straightforward (if not a wee bit unsettling). For the rest of us using Android devices, Apple has released an app called Tracker Detect (watch out for copy-cat apps!) that has to be activated manually. Not nearly as useful as its iOS counterpart, but at least they tried. If you’d like something a bit more robust and not funded by Apple, you can try AirGuard which was developed by a research team out of German university TU Darmstadt. I’ve tried both apps and while they appear to do no harm (other than possibly drain my battery faster), I can’t really verify that they work, as I apparently don’t have any unwanted trackers near me. Yay? Either way, if you suspect you are being digitally stalked, make sure you share your suspicions with your loved ones and authorities and get familiar with this site and its resources immediately!
Image by Thomas Wolter from Pixabay
It seems like common sense, doesn’t it? While accidents and mechanical failures do happen, getting hurt while using a chainsaw usually comes from not understanding what the tool is capable of, or how it works. Fire is hot and teaches a clear lesson in an instant, but Technology, despite having an almost unlimited potential to do harm, isn’t always so obviously dangerous like a chainsaw or stove burner. For certain, if you’ve been personally attacked or hacked via technology, you might be a bit more cautious with certain things than someone who hasn’t been “burned”, but unlike fire, technology is constantly changing, and consequently, requires constant lesson-learning. But it also requires a certain level of respect for its sharp edges which most ignore or forget.
What this means to you
As some of you might already know, being book-smart is different from being street-smart, and knowing how to use a piece of technology is a long way from being savvy about that same piece of technology. As an example, most of us know what email is and how to use it, but many still make poor decisions on using or sharing passwords because they don’t truly understand the consequences of doing so. I still regularly meet with clients who don’t understand why their email account getting hacked could have long-reaching financial impact on themselves, their employer and their customers. Not because they are dumb or foolish, but because they haven’t been trained, and our culture deemphasizes it in favor of shiny bells and whistles. Security is rarely featured in marketing and advertising to consumers – advertisers know that security is not sexy, and increased security is often equated with inconvenience or viewed as a necessary evil like warning labels. Similar to the way the mask mandate fight is colored as an issue of freedom instead of safety and compassion, considering security when making decisions about technology is fighting an uphill, cultural inculcation that has been around ever since seat belts were first invented. Humans aren’t always good judges of what keeps them safe – it’s something that has to be learned, and as an employer or leader, you will want to keep this top of mind when considering how to keep your organization and your people safe, technology or otherwise.
Image by Peggy und Marco Lachmann-Anke from Pixabay