As you are reading this, major parts of Baltimore, Maryland’s IT infrastructure are still offline, including its email system which was only just redirected to Microsoft’s Office 365 platform so that some form of email delivery could resume. That makes it over 4 weeks without email for city employees and services. For any normal business this would definitely qualify as disastrous, but is it an actual “disaster” by government standards thereby qualifying for the federal aid such a designation bestows? It’s definitely worth considering that if the IT recovery effort doesn’t start picking up steam soon, failures in critical city infrastructure could create life-threatening situations and further breaches of security and privacy in adjacent sectors that rely on the missing city services.
The Real Disaster: A failure in management and budget
While sources have reported that the ransomware attack was likely caused by a city employee falling for a phishing attack, the real failure was the city government’s utter mismanagement of their IT infrastructure, which at the time of the attack, was powered by systems built decades ago that have been chronically under-supported by a budget of less than half of the national average, and run by a series of CIOs that appeared to be, at best, in way over their heads or at worst, possibly criminal.
Unfortunately, rather than taking a hard look at their management failures, city leaders instead are trying to lay some of the blame at the feet of the federal government, more specifically the NSA who is purportedly the original source of the EternalBlue exploit (leaked in 2017) that was part of the ransomware code used to shut down Baltimore’s IT. Call me cynical, but if it hadn’t been some bit of code powered by NSA-developed exploits, it was only a matter of time before Baltimore’s poorly funded and managed IT systems fell victim to some other form of attack.
In case you aren’t picking up what this story is laying down, here are the lessons any city or business should take away from Baltimore’s “disaster”:
- Make sure you are maintaining a proper IT budget. Baltimore was spending half of what they should have been spending for a city of their size.
- Make sure your employees are properly trained on workplace technology security. They don’t need to be security experts, but they should know how to spot a phishing email.
- Make sure your critical systems are backed up and a proper DR plan is in place. A lot of Baltimore’s headaches would have been cleared up much sooner with proper backups.
- DIY IT is no longer an option for any serious business. Modern, secure IT services require professionally-maintained and monitored systems for which most businesses lack funding or expertise or both. There are companies that specialize in delivering turnkey IT services at a fraction of the cost of comparable on-premise systems.
How long could your organization continue to operate without its core servers? Could you last two weeks? The the city of Baltimore, MD has been without its email and payment processing services since May 7th after refusing to pay the nearly $100K bitcoin ransom demanded by the hackers that “kidnapped” their systems. In case you are one of the few people left on earth who are unfamiliar with the scourge known as “ransomware”, it’s basically a form of extortion where hackers gain access to an organizations computers and lock everyone out by encrypting the files which can then only be unlocked and made usable again by paying for a digital key.
Should you pay the ransom?
This is, pun intended, the (sometimes) million dollar question that is difficult to answer and is often situation dependent. From a security and law-enforcement point of view, authorities typically recommend not paying the ransom, but from a purely financial and technical vantage, the answer isn’t necessarily “no.” Case in point: when the city of Atlanta refused to pay a $50K ransom to unlock its hacked computers, it ended up costing them $17M to fix. With Baltimore’s payment processing unavailable, the city was unavailable take payments for parking tickets, utility bills, and process real estate sales, which likely results in huge operating shortfalls, on top of having to pay security and technology consultants a great deal of money to restore systems and data that were permanently destroyed by the ransomware attack.
Unfortunately there isn’t a security system or platform that is impervious to malware attacks, primarily because the large majority of successful hacks are the result of human error versus technical failure. And one of the biggest errors that can be avoided is making the mistake of not properly backing up your critical data and systems, which, as you might have guessed is probably the best defense against these types of attacks. Ransomware attacks can seem crippling, but with the proper backups and contingency planning, most organizations can recover quickly without having to consider the prospect of paying a ransom.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
New week, new punching bag: this time, Intel returns to the spotlight with yet another flaw in its CPUs, up to and including the most recent 9th generation processors as well as going back as far as ones produced in 2008. This week has been absolutely bananas for technology issues so I’m going to keep the literary gymnastics to a minimum. Truth be told, I’m still trying to wrap my head around the technical details of this latest exploit, but here’s a simplified explanation of what I understand so far.
What this means for you: apply updates and stay patched!
Two independent groups of researchers as well as Intel themselves have been quietly working on identifying a new, serious exploit in how Intel CPUs operate. Unlike typical security flaws that can be patched with software, vulnerabilities like this one, dubbed RIDL, Fallout, or MDS (depending on who you talk to) are a result of how the CPU was designed to operate. This new flaw, along side the two previously announced Spectre (2017) and Fallout (2018) vulnerabilities, fall into a class of exploits that are based on a core design of Intel architecture originally built to help computers run faster. Put as simply, predictive processing guesses what the CPU is going to be asked to do next and have the necessary code or data already loaded into nearby caches. Previous exploits looked at the predictions, and the latest basically looks at the guesses that turned out to be wrong or unused. Each discarded guess only contains a few bytes of data, but given a focused attack repeated thousands or millions of times, the leaked data can eventually be amassed into a significant security breach.
Interestingly enough, Intel has known about this particular flaw for an undisclosed amount of time, and has already been working with major industry players like Microsoft, Google, Apple and the usual Windows PC manufacturers to patch or mitigate the vulnerability, which may or may not already be applied to your equipment. At this point, unless you really like reading technical bulletins like this one, I’d recommend paying close attention to update notifications from your computer’s manufacturer as well as applying security patches to your various devices, regardless of their business or personal focus. As with the previous two vulnerabilities, Intel and manufacturers are being cagey about pointing out exactly which updates might be addressing this particular issue, or even if they’ve already been fixed (as many manufacturers will assert), and Intel itself is downplaying the severity of the flaw, despite differing opinions from the independent research groups. Intel discounts the severity based upon the relative sophistication required to exploit the flaw, but researchers rightly point out that though the flaw may be hard to exploit, the data it exposes is highly sensitive and previously thought completely secure.
Even if you haven’t read the seminal novel 1984 in many decades, you will surely recall the omnipresent “Big Brother” and the even more haunting reminder/warning that “Big Brother is watching you.” Rather than actually representing a single person (or even celestial being) readers quickly come to realize Big Brother is the result of countless numbers of citizens informing on their family, friends and neighbors in service of the Party “groupthink“. Fast forward to the present, where, believe it or not, Big Brother is watching and listening, but maybe not quite in the way Orwell had originally imagined.
“Alexa! Play doubleplusgood prolefeed!“
Most of you have come to accept that devices like Amazon’s smart speakers, Echo and it’s petite sibling, Dot, are always listening, ostensibly to be able to snap to action the second you shout, “Alexa!” But what you might not realize (or remember) is that Amazon is recording and keeping a copy of everything the device hears after you speak the trigger word. Depending on how cynical I’ve made you about technology over the years, this may or may not come as a surprise to you, and if you’ve been reading this blog for any length of time, I even wrote about this nearly three years ago. Despite very clearly dancing on knife-edge of child-protection laws in 2016, regulation has not halted or even slowed the proliferation of millions of eavesdropping, smart-devices.
If you are curious about what your own Alexa-powered smart speaker has recorded in your private home or office, have a look at http://www.amazon.com/alexaprivacy. Fortunately for our house, most of these recordings consist of teenagers ironically asking Alexa to play Despacito, our family belting out the lyrics to various Queen anthems, and desperate searches for recipes based on the contents of pantries ravaged by previously mentioned teenagers. More importantly, despite living with someone who is a staunch advocate of privacy and who has made no effort to hide that fact, our family has obviously agreed to give up some of that privacy for the (sometimes meager) convenience and amusement the device offers. We also have a Ring doorbell on our porch and have also opted into sharing some of that video footage (at our discretion) with our neighbors, again potentially sacrificing some privacy in trade for a technologically amplified neighborhood watch.
Each person and family must decide how much privacy they are willing to sacrifice in exchange for security, and keep a very watchful eye for the point at which the sacrifice escalates from privacy to the abrogation of personal freedoms. Though we aren’t explicitly told how Orwell’s Oceania transformed into the nightmarish surveillance state, it’s easy to see how they got there. The seductive lure of convenience and personal gratification is a sure-fire way to gradually erode personal privacy and security without raising an eyebrow, just as sure and slow as a stream carving a grand canyon.
GPS tracking devices on fleet vehicles have enabled transportation and shipping companies to to streamline operations and improve efficiency for decades. As vehicles have become increasingly computerized, these devices also acted as a gateway for even more data gathering, commonly known as telemetry, which naturally led to them being connected to the internet for realtime data gathering and, of course, remote control capabilities, including the ability to stop engines, apply brakes and even control the steering. And, as is the tendency for all things internet-connected, these GPS systems are vulnerable to hacking, especially if the companies writing the software do dumb things like setting the default password to “123456”.
Who would do such a thing?
You can bet that if you set your default password to something as simple as that, and even publish that fact in the app documentation, someone is going to notice and take advantage, which is exactly what a hacker did when he used this knowledge and bit of code to brute force his way into thousands of user accounts for two widely-used Android apps. Not only was he able to gather confidential user data from the mobile device on which the apps were installed, but he was also able to gain collective access to thousands of vehicles that were managed by the app itself. Both apps also included functionality that, if installed and enabled by the vehicle operator, allowed the engine to be stopped remotely, even if it was in motion (up to 12 MPH supposedly). According to the hacker himself, he had the potential to cause a great deal of chaos, financial damage and potential physical harm if he were to actually follow through on killing engines on thousands (he claims hundreds of thousands) of vehicles, he stopped short of doing so, as his intent was not to hurt individuals but to raise awareness with companies using the flawed platforms. Both apps are developed by firms located in a country that has a reputation for producing products, software and firmware with serious security flaws and alleged backdoors. It’s unclear whether this particular hacker’s efforts will result in any overall improvements in the industry, but since contacting the app firms, at least one of the companies has reached out to its customers to urge them to change their passwords.
It’s a lovely day when I get to incorporate a pun into the weekly newsletter, but not so lovely for Samsung who has faced a series of setbacks on a variety of issues with their smartphones. The latest problem has actually prompted the Korean manufacturer to recall all the review units of the Galaxy Fold, and to delay the release (originally scheduled for April 26) of the new device by at least a month. The problem? The nearly $2000 smart phone has failed within days of its unboxing for at least 4 high-profile reviewers. In this case, the failure is of the highest magnitude: the vaunted, super-wide display that is literally designed to be folded in half is dying because of this feature. Normally I’m not inclined to report on technology issues for a product that is clearly aimed at a very specific, narrow market, but I think the Fold and the others that are definitely following are indicative of an important technology trend.
Can Samsung iron out this particular wrinkle?
It would seem the primary problem behind the initial release of Samsung’s folding flagship phone is one that will be particularly difficult to solve. In order for the screen to actually fold, Samsung engineers had to circumvent features that smartphone manufacturers have been working towards ever since the “glass slab” design was popularized by the iPhone: the inclusion of a durable, shatter-resistant screen and a sealed case to protect it from moisture. The Fold’s design actually goes in the opposite direction to achieve its titular function; the screen is plastic and not sealed, allowing dirt to get behind the most vulnerable part of the phone (the “crease”). Continual improvements in the slab phone design across just about all models and price points have emboldened us to carry and use these relatively expensive devices in a casual way that the Fold, in its current iteration, absolutely cannot survive. One of the primary reasons Samsung and other manufacturers are pursuing foldable screens is because consumers like tablet-sized screens and you can bet if we could fold them up to put into a pocket, we would quickly abandon the larger, less portable counterparts immediately. I have no doubt this is a problem that will be solved, and possibly in short order, but unless you have $2000 burning a hole in your pocket, I don’t recommend buying the first generation folding smartphones until they can survive more than a few days of careful usage.
Facebook is in the headlines again, and once again, not for anything redemptive. I’d say I was almost feeling sorry for Facebook, but it would probably be more correct to say that I feel sorry for the thousands of people it employs and the millions of people for whom the social media platform is their only connection to friends and family. Despite all of the negative press, just like certain other high-profile individuals, somehow the social media giant manages to hold its dominance in the market, but for how long? This time, damaging documents have leaked that allegedly demonstrate that Facebook’s senior management, including CEO Zuckerberg and COO Sheryl Sandberg, actively promoted and supported the use of data collected by Facebook as leverage over its own partner companies and rivals, all the while building a narrative that would positively frame this activity as a means to protect user privacy.
But wait, that’s not the only thing this week.
Facebook is also in the spotlight over a rather nasty bit of negligence on its part concerning its failure to follow its own policy regarding hate speech and serious threats. Despite being arrested and charged with making death threats against US Congresswoman Ilhan Omar, a man’s Facebook hate-filled, racist profile was online for weeks until the Guardian news organization pointed out its controversial existence. At that point, his profile was removed for violating their community standards. This person had been posting racist, violent and hateful content for years, and yet nothing was done about it until it became a PR issue, which points out an obvious flaw in Facebook’s community standards: someone has to enforce them in order for them to be worth anything at all.
I’d like to say that these stories are inexcusable but expected – after all, Facebook is publicly traded and the officers of the company really only have one directive – maximize shareholder profit, but that is the true problem behind all of this. Until we have the means and the will to tie profits to ethical behavior, companies like Facebook will continue to behave only in their best interest, which, in case you didn’t realize, is making money for someone other than you and me. Obviously shining the light on them like the Guardian did in the latter instance helps us catch one or two cockroaches, but the rest just wait in the shadows until the spotlight turns to another dumpster fire somewhere else. Pestilence like racism and hate can’t be fought with negligence – it requires constant vigilance and commitment, neither of which Facebook shows any signs of demonstrating when it comes to privacy or compassion. Keep this in mind when considering whether to trust them to exclusively handle your data or news.
When Windows 10 was first announced Microsoft touted the new architecture and forced, scheduled updating as a means to keep the world’s largest computing platform secure, relevant and consistent across the myriad hardware configurations on which it is used. Many of us who had been around the block more than few times with Microsoft viewed this change with a mixture of skepticism and cautious hope that it would stem the tide of security breaches and vulnerabilities plaguing the OS. Unfortunately, that tender spark of optimism was stamped out by buggy (sometimes disastrous), unstoppable updates forced upon everyone at what seemed like the most inconvenient moment possible. To be fair, Windows 10 is definitely an overall improvement over Windows 7 and 8, especially in terms of performance, stability and security, but its relatively frantic pace in pushing patches and features before thoroughly testing them has led to plenty of high-profile disappointments.
So what’s this “one good reason” to update?
Even though I’m writing this article with tongue firmly planted in cheek, the news that prompted this particular topic is actually something everyone will find useful: Windows 10 will no longer complain about you pulling your USB drive out without going through the whole “remove USB drive safely” process. As of version 1809 (which has had it’s own share of problems since its release late last year), Windows 10 will load USB drives in “Quick Removal” mode, versus the previous default, “Better Performance” mode, which, as it sounds, means you can get to the business of pulling USB drives a lot quicker than before. Opting for the unplug-and-run lifestyle does come at a performance cost, and for larger, spinning media drives, this may be quite noticeable. It’s progress, one baby-step at a time, but hey, we have to start somewhere, right?
Lest you think political turmoil caused by social media is purely a US-based phenomenon, the world’s biggest election starts next week in India as over 800 million people prepare to vote. And as it goes in any modern country with a relatively internet-savvy voting population, propaganda, fake news and misinformation campaigns from every political party are making it difficult for voters to make objective, well-informed choices. Guess who’s at the heart of the problem? Yup, that would be everyone’s favorite: Facebook. I’d almost feel sorry for them if I didn’t know that they were at the heart of the problem from the very start, having been a major online impetus for the current ruling party’s rise to power in 2014. And now they are having to lie in what’s proving to be a very uncomfortable bed.
Why do you think it’s called “Pandora’s Box”?
Sadly, the problems that Facebook and other social media platforms faced with the Christchurch nightmare will be the same ones they face in India’s upcoming election, which will be the same problems we will face in our elections next year: regardless of the number of human moderators and fact-checkers they point at this problem, the lid will never be shut as long as Facebook and its kin continues to commit to upholding free speech. How could they do otherwise? India’s scenario is particularly difficult for a number a reasons, chief among them is India’s 340 million users (compared to the US’s 214M) and more than a dozen languages. When you consider that Facebook’s moderation algorithms and staffing were primarily developed in English, this presents a problem that they are ill-equipped to deal with, despite being pointedly directed by India’s Election Commission to police election-related postings from all parties and candidates. In an attempt to combat fake news and hate speech, Facebook has hired several fact-checking organizations to bolster their moderation efforts, but critics point out that some of the very same organizations hired to police Indian Facebook have themselves been accused of posting their own fake news. Thus far, Facebook’s efforts in India, just like here and other countries abroad, have the appearance of moving in the right direction to “put a lid on things”, but they probably already know that this particular box can’t be closed, even if they really wanted to do so. Unfortunately, fake news continues to be profitable, and until we as a civilization make it otherwise, some other company will just step into the gap if Facebook ever decides to throw in the towel.
Image by Wokandapix from Pixabay
Microsoft isn’t playing around this time: support for Windows 7 will be ending in less than a year, and a recent round of updates include a pop-up on all Windows 7 machines reminding the user that the clock is now ticking down to January 14, 2020. If you haven’t seen pop-up already, you will probably start seeing it in April. Despite Microsoft’s near inescapable Windows 10 upgrade campaign, there are still millions of computers running Windows 7, and many of you are still quite content with the 10-year old operating system. Just like your favorite pair of jeans or comfy robe, Windows 7 will start having too many holes to use without exposing yourself.
It’s time to upgrade to Windows 10.
Regardless of yours or my thoughts on the matter, Microsoft really isn’t giving most of us a choice on this. “Why does losing Microsoft’s support for 7 matter to me? I never called them for issues in the first place!” While this is probably true for most of us, the support that is being ended is not just the help desk kind – believe it or not, Microsoft did offer actual technical support for Windows 7 issues – but also halting work on the security patches and compatibility updates. What this means as we move past the end of support for 7, any security flaws or bugs that crop up will no longer be fixed by Microsoft. “Fine! We can finally stop updating!” Maybe if your business doesn’t rely on working with anyone except your own internal people and data, but for the majority of the business world, isolating your technology operation like this ends up being more detrimental than it’s worth. We are seeing major shifts in all the primary business applications away from maintaining their Windows 7 compatibility; it is extremely difficult to purchase new computers with Windows 7 installed, and you cannot downgrade new computers from 10 to 7 without major complications and technical issues. While Windows 10 still seems to have some quality control issues, overall the platform has been relatively secure and stable, with issues mostly arising when it is used on older PCs (+5 years) and with older software and peripherals. Unless your computer was purchased in the past 3-4 years, your best bet is to purchase a new computer with Windows 10 already installed, but make sure you budget in upgrades for your applications (MS Office and Adobe Acrobat are the big ticket items) and your peripherals as well, especially older printers and scanners as well. It may seem like a lot of change all at once (and a lot of money as well), but it will be a wise investment in the long run.
Image by Gerd Altmann from Pixabay




![printlogo[1]](https://c2techs.net/wp-content/uploads/2017/11/printlogo1-460x260_c.png)






