A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.
How many zombie accounts do you have?
One of the most overlooked double-edged swords of online services is the requirement of creating yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of themselves as only “casual” online participants will have dozens of accounts, and those of who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.
Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers that created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected or even monitored by the company who is supposed to be securing it.
What does this mean for me?
First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.
Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.
Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized email accounts can find them as well and figure out ways to get into those accounts, especially if the emails contain passwords.
Image by Gordon Johnson from Pixabay
Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a webserver on the computer on which it is used that will enable users to quickly make and answer Zoom calls. Unfortunately, the main reason they implemented this method was because the built-in security restrictions of the Mac operating system were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, even after the Zoom software was removed from the Mac, this local webserver remained in place, allowing for quick reinstallation in case the user needed to make or receive a Zoom call, the latter of which could be exploited to gain unauthorized access to the Mac’s built-in camera.
Subverting security for convenience is always good practice, right?
Initially, Zoom defended their Mac client methodology and insisted that the changes they made to the Mac client’s settings should be sufficient protect against any exploits of their software. The security researcher remained unconvinced that it was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof of concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed their position on the subject and has just released a patch that removes this feature, as well as adding a new menu choice to do a full uninstall of the software to remove the hidden webserver.
If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.
Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:
“Cloud platform supports millions of IoT devices and guarantees the data safety.”
The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.
How can a company screw up so badly?
I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. Among the two billion records that includes customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. are email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many family’s homes and hotel rooms, and could potentially endanger their actual lives.
What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been access by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.
Very early on, during my time as a young support technician nearly twenty years ago, I quickly learned that most people, particularly those who had grown comfortable working with office computers, frequently did not read many of the dialog and alert boxes that popped up on screen, which often-times led to unexpected or even deleterious results. Even if they did read what was presented (or thought they read it), most of the time they could not recall what the dialog box actually said. Despite what you might think, this is actually very human, and not limited to technology use. When performing menial tasks (as many things we do on computers now are), we are prone to learning how to do them as quickly and efficiently as possible, which includes tapping “OK” as quickly as possible to the numerous prompts our devices pose to us throughout the day. You may have already noticed that many online services, apps and websites have taken advantage of this tendency and present patterns of interaction that mimic expected use, but lead to unexpected outcomes, like accidentally downloading and installing antivirus protection that we don’t need, or adding a paid subscription service for an app that was supposed to be free.
I can feel you clicking “Get to the point, Woo…”
While most people have come to expect that websites and online platforms are going to gather demographic information on them and show advertisements that can sometimes seem uncomfortably accurate, they are not as jaded as yours truly to believe that these same “free” services aren’t actively trying to deceive them through misleading and/or confusing interfaces, dialog boxes and obtuse language, but a recently published European study found that this is exactly what they are doing it, and it’s no accident, nor, if you think about it, is it a new practice. McAfee and Adobe have been doing this for years with their Adobe Reader – McAfee Security Center downloads, and I’m pretty sure every single one of my clients has fallen victim to this particularly trap at least once, despite years of warning about the dangers of clicking “OK” before reading the message. Heck, even IT professionals like yours truly have fallen victim to clicking when in a hurry because, we (despite appearances sometimes!) are human too.
At least two US Senators have finally deigned to do something about the alarming increase in deceptive interface practices and have floated new legislation creatively named “Deceptive Experiences to Online User Reduction Act.” The DETOUR Act would give the Federal Trade Commission the legal means to regulate the use of purposefully deceptive or confusing practices to steer users to decisions that may not be in their best interests or subvert expectations, something they have been monitoring in traditional advertising for decades. For now, this legislation is still in committee, but we can take a small measure of hope that this bipartisan bill finds its way to the voting floor soon. Make sure you contact your Congress-critter to let them know that this is important to you.
Image by Gerd Altmann from Pixabay
Since the advent of online discussion forums and the resulting need for forum moderators that can reign in unruly participants, there have been endless (if constitutionally ill-informed) debates in the US about free speech rights and their applicability to the internet. This particular debate has loomed ever larger as social media’s sudden dominance in politics, economics and ethics surprised even the gloomiest doomsayers in the past three years. Last year, the New York 2nd Circuit Court ruled that a public access TV channel had violated the 1st amendment rights of two producers who appeared to have been fired for criticizing their employer. The TV channel, Manhattan Neighborhood Network appealed to the Supreme Court who just earlier this week reversed the decision.
How does this apply to social media?
The details of the case at first don’t seem to apply at all to social media: MNN is a state mandated and funded public access network, an entity that most analysts agreed would appear to be subject to 1st Amendment jurisdiction. Social media platforms, on the other hand, are clearly not state-owned or operated nor is access to them mandated by any state or federal law. Surprisingly, the decision to reverse the 2nd Circuit ruling was led by the “conservatives” on the court, the exact opposite of what was expected by many conservatives pursuing free speech cases against YouTube and other media platforms for their alleged “anti-conservative bias.”
Instead, the majority opinion took a rather narrow view of public forum doctrine, stating that even though the creation and operation of MNN was mandated by the state, it is operated as a private company in a function that is NOT the exclusive domain of the state, much the same as every social media platform in existence. Just because a private entity (even one as big as Google/YouTube) allows everyone to post and participate does not turn it into a protected free speech zone. Justice Kavanaugh states in his conclusion:
“A private entity […] who opens its property for speech by others is not transformed by that fact alone into a state actor.”
While the court did not directly call out social media platforms in their decision, even the dissenting opinion, written by Justice Sotomayor, seems to leave little room for creative interpretation, and seems to be speaking directly to the heart of the matter:
“The First Amendment leaves a private store owner (or homeowner), for example, free to remove a customer (or dinner guest) for expressing unwanted views…. In these settings, there is no First Amendment right against viewpoint discrimination.”
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
One of the basic problems with collecting a lot of data is that you need a place to store it, and if it’s sensitive data, you need to store it securely. Unfortunately for everyone, the amount of private data all companies are amassing on their customers is accelerating as everyone (except the customers) realizes just how lucrative this practice is. Or, as is the case for more and more companies who get breached, how costly it may end up being if they can’t keep that data safe, as both party-planning website Evite and United States Customs and Border Protection owned up to this week.
What this means for you
While US CBP has not officially released information on the scope of their leak, sources have confirmed that facial recognition data and license plates for up to 100k individuals crossing the Canadian border were stolen from a CBP subcontractor who was storing and using the data outside of the CBP network on their own systems, which were then breached by an as yet unknown attacker.
In the case of the Evite breach, the website was actually notified several months ago that they had been compromised, but only just now acknowledged that customer data from 2013 was stolen in a breach that appears to have happened in February of this year. No financial information was leaked, but names, emails, IP addresses and passwords were definitely stolen and made available for purchase on the dark web in April.
As is typically the case in these types of breaches, there is not a lot you can do as an individual. Evite, of course, has supposedly notified affected individuals of the breach, and is encouraging all users to reset their passwords as a matter of course. And if you happened to be one of the 100k or so individuals passing through a particular Canadian border crossing which is as yet unnamed, you might never know if your data was part of this particular breach.
In what is likely to be a developing (and increasingly bad) news story, two major medical testing companies have announced that their customers’ information has been exposed by a data breach at a vendor that both firms use for payment collections. The firm, American Medical Collections Agency, informed its two clients separately of a persistent security breach that over the course of 8 months, 11.9 million Quest Diagnostic customer records and 7.7 million LabCorp customer records were exposed and most likely stolen by as yet unidentified threat agents. And seeing as this company also has several other, as yet unidentified clients, it’s likely we will see even more disclosures from those companies once the full extent of the AMCA breach is explored.
But wait…there’s more!
Real estate title insurance giant First American Financial Corp. is currently under investigation by regulators for what appears to be a colossal security failure wherein their website exposed over 800 million documents dating back nearly 16 years that contained customer bank account numbers, Social Security numbers, mortgage, tax and wire transaction records as well as drivers license images. Unfortunately the security researchers who originally discovered and confirmed the glaring privacy breach have no way to determine who else accessed the documents during the nearly 2 years it was exposed, but as you can imagine, this level of confidential information is exactly what identity thieves dream about every night.
What’s to be done about this?
At most, you might be able to participate in a class action lawsuit against First American. As of yet, no litigation has been opened against AMCA, and frankly, most people would have no idea who either of these companies are, as they don’t deal directly with the people who are affected by their breaches. Surely regulators and lawmakers are going to punish these companies significantly, especially in light of egregious lack of diligence as in the case of First American. Surely companies will stop doing business with vendors that aren’t taking security and privacy seriously, right? The fact that companies like Equifax are still in business says otherwise, so the only way we are going to see these companies held properly accountable is to vote in lawmakers who care more about their constituents than their corporate donors.
As you are reading this, major parts of Baltimore, Maryland’s IT infrastructure are still offline, including its email system which was only just redirected to Microsoft’s Office 365 platform so that some form of email delivery could resume. That makes it over 4 weeks without email for city employees and services. For any normal business this would definitely qualify as disastrous, but is it an actual “disaster” by government standards thereby qualifying for the federal aid such a designation bestows? It’s definitely worth considering that if the IT recovery effort doesn’t start picking up steam soon, failures in critical city infrastructure could create life-threatening situations and further breaches of security and privacy in adjacent sectors that rely on the missing city services.
The Real Disaster: A failure in management and budget
While sources have reported that the ransomware attack was likely caused by a city employee falling for a phishing attack, the real failure was the city government’s utter mismanagement of their IT infrastructure, which at the time of the attack, was powered by systems built decades ago that have been chronically under-supported by a budget of less than half of the national average, and run by a series of CIOs that appeared to be, at best, in way over their heads or at worst, possibly criminal.
Unfortunately, rather than taking a hard look at their management failures, city leaders instead are trying to lay some of the blame at the feet of the federal government, more specifically the NSA who is purportedly the original source of the EternalBlue exploit (leaked in 2017) that was part of the ransomware code used to shut down Baltimore’s IT. Call me cynical, but if it hadn’t been some bit of code powered by NSA-developed exploits, it was only a matter of time before Baltimore’s poorly funded and managed IT systems fell victim to some other form of attack.
In case you aren’t picking up what this story is laying down, here are the lessons any city or business should take away from Baltimore’s “disaster”:
- Make sure you are maintaining a proper IT budget. Baltimore was spending half of what they should have been spending for a city of their size.
- Make sure your employees are properly trained on workplace technology security. They don’t need to be security experts, but they should know how to spot a phishing email.
- Make sure your critical systems are backed up and a proper DR plan is in place. A lot of Baltimore’s headaches would have been cleared up much sooner with proper backups.
- DIY IT is no longer an option for any serious business. Modern, secure IT services require professionally-maintained and monitored systems for which most businesses lack funding or expertise or both. There are companies that specialize in delivering turnkey IT services at a fraction of the cost of comparable on-premise systems.
How long could your organization continue to operate without its core servers? Could you last two weeks? The the city of Baltimore, MD has been without its email and payment processing services since May 7th after refusing to pay the nearly $100K bitcoin ransom demanded by the hackers that “kidnapped” their systems. In case you are one of the few people left on earth who are unfamiliar with the scourge known as “ransomware”, it’s basically a form of extortion where hackers gain access to an organizations computers and lock everyone out by encrypting the files which can then only be unlocked and made usable again by paying for a digital key.
Should you pay the ransom?
This is, pun intended, the (sometimes) million dollar question that is difficult to answer and is often situation dependent. From a security and law-enforcement point of view, authorities typically recommend not paying the ransom, but from a purely financial and technical vantage, the answer isn’t necessarily “no.” Case in point: when the city of Atlanta refused to pay a $50K ransom to unlock its hacked computers, it ended up costing them $17M to fix. With Baltimore’s payment processing unavailable, the city was unavailable take payments for parking tickets, utility bills, and process real estate sales, which likely results in huge operating shortfalls, on top of having to pay security and technology consultants a great deal of money to restore systems and data that were permanently destroyed by the ransomware attack.
Unfortunately there isn’t a security system or platform that is impervious to malware attacks, primarily because the large majority of successful hacks are the result of human error versus technical failure. And one of the biggest errors that can be avoided is making the mistake of not properly backing up your critical data and systems, which, as you might have guessed is probably the best defense against these types of attacks. Ransomware attacks can seem crippling, but with the proper backups and contingency planning, most organizations can recover quickly without having to consider the prospect of paying a ransom.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
New week, new punching bag: this time, Intel returns to the spotlight with yet another flaw in its CPUs, up to and including the most recent 9th generation processors as well as going back as far as ones produced in 2008. This week has been absolutely bananas for technology issues so I’m going to keep the literary gymnastics to a minimum. Truth be told, I’m still trying to wrap my head around the technical details of this latest exploit, but here’s a simplified explanation of what I understand so far.
What this means for you: apply updates and stay patched!
Two independent groups of researchers as well as Intel themselves have been quietly working on identifying a new, serious exploit in how Intel CPUs operate. Unlike typical security flaws that can be patched with software, vulnerabilities like this one, dubbed RIDL, Fallout, or MDS (depending on who you talk to) are a result of how the CPU was designed to operate. This new flaw, along side the two previously announced Spectre (2017) and Fallout (2018) vulnerabilities, fall into a class of exploits that are based on a core design of Intel architecture originally built to help computers run faster. Put as simply, predictive processing guesses what the CPU is going to be asked to do next and have the necessary code or data already loaded into nearby caches. Previous exploits looked at the predictions, and the latest basically looks at the guesses that turned out to be wrong or unused. Each discarded guess only contains a few bytes of data, but given a focused attack repeated thousands or millions of times, the leaked data can eventually be amassed into a significant security breach.
Interestingly enough, Intel has known about this particular flaw for an undisclosed amount of time, and has already been working with major industry players like Microsoft, Google, Apple and the usual Windows PC manufacturers to patch or mitigate the vulnerability, which may or may not already be applied to your equipment. At this point, unless you really like reading technical bulletins like this one, I’d recommend paying close attention to update notifications from your computer’s manufacturer as well as applying security patches to your various devices, regardless of their business or personal focus. As with the previous two vulnerabilities, Intel and manufacturers are being cagey about pointing out exactly which updates might be addressing this particular issue, or even if they’ve already been fixed (as many manufacturers will assert), and Intel itself is downplaying the severity of the flaw, despite differing opinions from the independent research groups. Intel discounts the severity based upon the relative sophistication required to exploit the flaw, but researchers rightly point out that though the flaw may be hard to exploit, the data it exposes is highly sensitive and previously thought completely secure.