I think it’s safe to say that many of us would have liked Samsung’s sexy new iris recognition feature on the Galaxy S8 to be more than an over-used movie gimmick. Sadly, like its previously defeated brethren, fingerprint and face recognition, it too has proven fallible, and not in a gory, Hollywood-esque fashion but in a mundane, easy to implement way. The German hacker collective Chaos Computer Club (CCC) has published its methodology for the bypass, which needs nothing more exotic than a camera with a night-vision (infrared) mode, a printer and a contact lens. Yes, you read that right. This $750 smart phone can be defeated by photographing the owner’s face from a few meters away, printing the eyes at life size, and laying a contact lens over the printed iris so that it has the curvature of a real eye. The CCC also pointed out the practical sting: on the S8 the iris scanner unlocks not just the phone but Samsung Pay.
What this means for you
Unfortunately, we still don’t have the magic bullet for securing our mobile devices, and by “magic” I mean a method that is both easy to use and highly secure. As I’m sure you’ve personally experienced, “convenience” and “strength” sit on opposite ends of the security teeter-totter: tip too far in one direction and the other suffers. Currently the most secure method is multi-factor authentication, which requires at least two different kinds of proof (something you know, something you have, something you are) to unlock an account or device. At the opposite end you have methods like Android’s Smart Lock, which keeps your phone unlocked based on its proximity to known devices such as your home WiFi or your car’s Bluetooth. The safety implications of the latter are fairly obvious, but it can be useful when you weigh the various scenarios and their inherent risks. Using Smart Lock to keep your phone unlocked while you are driving is a reasonable trade: a thief would need both the phone and your running car. Strictly speaking that is two things the thief has to possess rather than true multi-factor authentication, but having both stolen at once, unless you tend to leave your phone and keys in the car, is highly unlikely. When deciding how inconvenienced you are willing to be, consider what data and services a thief would have access to on your unlocked phone. One more caveat that applies to every biometric, iris included: a password can be changed after it leaks, but you only get one set of eyes. A PIN or passphrase, even at the cost of a few more key presses, is still more secure than biometrics on their own.
Famed painter and TV personality Bob Ross was beloved for his soothing instructional style and effortless technique, but he was also well known for referring to his occasional painting mistakes as “happy little accidents” which would quickly be transformed into art. In the technology industry, “accidents” are rarely happy and even the little ones have a tendency to “go big” far too often, but this past weekend a British security researcher, as Ars Technica reported, briefly held back the WannaCry horde purely by accident, possibly long enough for Microsoft to rally and release out-of-band patches for the old operating systems that were being hit hardest by the malware.
Tell us a story, Woo!
I’d like to say that his exploits would make for a great Hollywood movie, but that would be a happy little lie. Instead, the researcher known as “MalwareTech” registered a domain name he found in the code of WannaCry as a matter of standard operating procedure. Contemporary malware often uses random-looking junk domain names, frequently produced by a domain generation algorithm, to locate the command and control infrastructure that directs its bot armies, and security researchers like our hero register any unregistered domains they find in malware code in order to “sinkhole” infections: the infected machines then report to a server the good guys control, which both maps the botnet and starves its operator of it. Think of it as a virtual sting operation. Usually this puts a small dent in the overall cyberattack, but in this case WannaCry stopped in its tracks, because the domain was a kill-switch. Before doing anything else, the malware made an HTTP request to that domain; it was written to exit if the request succeeded and to carry on with spreading and encrypting only if the request failed. The moment the domain existed, every new infection that could reach it quietly gave up. (Machines on networks that could only get out through a proxy could not make that request and were not spared, which is one reason the respite was uneven.)
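To make the mechanics concrete, here is an added example (mine, not MalwareTech’s code or anything from the WannaCry sample) that does the three things the paragraph describes: pull domain-like strings out of a binary blob, decide which ones are unregistered and therefore worth sinkholing, and mimic the kill-switch start-up check, with and without the check, so you can see why registering the domain stopped the first wave but not the later variants. The blob and the domain names are constructed for the example; the DNS lookup and the HTTP request are stubbed with callables and a set so that it runs offline.

```python
import re
from typing import Callable, List, Set

# Constructed sample "binary": printable strings embedded in junk bytes, the way a
# hard-coded C2 or kill-switch domain sits inside a malware executable. The domain
# names are made up for this example; they are not WannaCry's.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00junk\x00http://example-killswitch-a1b2c3.invalid/\x00"
    b"\xff\xfeuser32.dll\x00c2-node-7.example.test\x00"
    b"\x7fELF\x00notadomain\x00192.168.0.1\x00"
)

# Hostname: one or more labels, then an alphabetic TLD, then a delimiter or end of string.
DOMAIN_RE = re.compile(
    rb"(?:https?://)?((?:[a-z0-9-]{1,63}\.)+[a-z]{2,24})(?=[/:\s]|$)", re.IGNORECASE
)
# Common false positives: file extensions look exactly like short TLDs.
NOT_TLDS = {"dll", "exe", "sys", "dat", "txt", "log", "ini"}


def extract_domains(blob: bytes) -> List[str]:
    """Pull domain-like strings out of a binary, roughly `strings | grep`:
    split on non-printable bytes, then keep tokens that parse as hostnames.
    Bare IP addresses never match because the TLD must be alphabetic."""
    found: List[str] = []
    for chunk in re.split(rb"[^\x20-\x7e]+", blob):
        for m in DOMAIN_RE.finditer(chunk):
            name = m.group(1).decode("ascii").lower()
            if name.rsplit(".", 1)[1] in NOT_TLDS or name in found:
                continue
            found.append(name)
    return found


def sinkhole_candidates(domains: List[str], resolves: Callable[[str], bool]) -> List[str]:
    """Names that do not resolve are unregistered (or at least unused) and can be
    registered by a researcher so that infected hosts talk to the researcher
    instead of the operator. `resolves` is injected so this runs offline; in
    practice it is a DNS lookup."""
    return [d for d in domains if not resolves(d)]


def run_sample(registered: Set[str], killswitch_domain: str, has_killswitch: bool = True) -> str:
    """Mimic the WannaCry start-up check. The original issued an HTTP request to
    its hard-coded domain and exited if the request succeeded; it only went on to
    spread and encrypt if the request failed. Variants without the check always
    proceed. Returns 'exit' or 'proceed'."""
    if not has_killswitch:
        return "proceed"
    reachable = killswitch_domain in registered  # stands in for the HTTP request
    return "exit" if reachable else "proceed"


if __name__ == "__main__":
    domains = extract_domains(SAMPLE_BLOB)
    print("domains in sample:", domains)
    # Pretend only *.test names are already registered.
    unregistered = sinkhole_candidates(domains, resolves=lambda d: d.endswith(".test"))
    print("sinkhole candidates:", unregistered)
    ks = unregistered[0]
    print("before registration:", run_sample(set(), ks))
    print("after registration: ", run_sample({ks}, ks))
    print("no-kill-switch variant:", run_sample({ks}, ks, has_killswitch=False))
```

The `NOT_TLDS` filter is there because `user32.dll` parses as a perfectly good hostname; anyone who has run `strings` over a Windows binary knows the output is mostly that kind of noise, and a sinkhole budget is better spent on the handful of names that survive the filter and fail to resolve.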
Sadly, this wasn’t the triumphant conclusion to an epic trilogy but the dark middle chapter in an ongoing war: shortly after the accidentally won respite, new variants of WannaCry started propagating with the kill-switch pointed at different domains or removed entirely, and the battle was rejoined. Fortunately for the “good guys”, Microsoft issued emergency patches for Windows Server 2003, Windows XP and several other end-of-life operating systems still in wide use around the world. Bear in mind that supported versions of Windows had already received the fix for the SMB flaw WannaCry exploits back in March (MS17-010); the machines getting hit were either unsupported or simply unpatched. This desperate Hail Mary only prolongs the slow slide into complete obsolescence for companies that foolishly cling to unsupported technology, a classic example of “penny-wise, pound foolish.”
Despite the brief, shining moment of hope, the kill-switch didn’t magically undo the damage on the thousands of machines whose files WannaCry had already encrypted and held for ransom. Unless they have backups of their data, the victims face the hard choice of paying the ransom (with no guarantee of a working decryption key) or wiping it all out and starting from scratch. And even if they are able to restore from backups, will the sting of this attack be enough to galvanize change, or is it just another Sisyphean trudge up a well-worn hill?
Last week, reports started surfacing about an unusual phishing attack that was spreading via Google Docs. It was unusual in that it didn’t exploit a software hole, and it didn’t steal your login and password, the expected signature of a traditional phishing attack. Instead it abused a legitimate feature: the OAuth consent flow that lets a third-party app ask for access to your Google account. The attacker registered an app named “Google Docs”, and the emailed invitation led victims to Google’s own sign-in and consent screen, where they were asked to grant that app access to their contacts and email. Anyone who clicked “Allow” had their contacts harvested and the same invitation sent to all of them, which is how it spread so fast. It was deceptively benign looking precisely because nothing on the screen was fake except the app’s name.
What this means for you
According to Google, fewer than 0.1% of its user base was affected by this scam, but when you do the math that may equal as many as one million Gmail users. This particular attack spread quickly because it came from a known contact and used Google’s legitimate authorization process to grant access to a fake app. Thankfully, Google was able to disable the rogue app and revoke its access within about an hour of discovery, preventing what might have been a much larger calamity.
Coincidentally, a similar phishing attack hit one of our clients that same week. This attack, while not nearly as clever as the above, still used authentic-looking text and images to trick my client into giving up a password. It was convincing enough that it didn’t occur to him that it was a scam until he contacted the sender a few days later and found out, to his chagrin, that the request had never been legitimate.
Simplifying the exchange of information is one of the greatest benefits the internet has wrought, but as can be seen, the process has become so commonplace and taken for granted that when trusted systems are undermined, humans are easily fooled. Unfortunately, the only way to combat this weakness is for us to be ever vigilant and distrustful, which is doubly hard when we see a known contact’s name at the bottom of a fake invitation. The hackers only have to get us to let down our guard once and they will be on us like piranha. Always stop and think before granting access to anything, especially if it’s the keys to your email kingdom. The consent screen spells out what an app is asking for; a “document” that wants to read your contacts and read, send and delete your email is the tell. And if you already clicked through, go to the list of apps connected to your Google account and revoke the one you don’t recognize.
In recent weeks we’ve reported on the largely unnoticed cyber warfare being fought across the Internet of Things (IoT), “unnoticed” primarily because IoT devices are meant to be left unattended, and as such are often compromised for long periods before someone realizes something is wrong. Another quiet war is being fought on a technology front that many, many organizations also leave on “auto-pilot”: their websites. I use the term “fought” loosely, as the hackers aren’t encountering much resistance from website owners. With a handful of exceptions, the majority of our clientele don’t rely on their websites for core operational or revenue-generating processes, and the site languishes in a state of disuse that could easily be pictured as having gathered a thick layer of dust. As with any complex piece of equipment that isn’t maintained on a regular basis, the result is malfunction ranging from inconvenient to downright dangerous.
What this means for you
In the most benign instance of a website being hacked, visitors may be presented with broken or malformed pages, or even a “not found” error. From there it only gets worse. Lately the variants have been either politically driven defacement, where legitimate content is replaced with radical ideology messages, or malicious hidden scripts and invisible iframes that redirect visitors to spam sites which then attempt to hijack the visitor’s computer with malware and fake virus alerts. None of these situations bode well for clients or prospects, and even if visiting your compromised website doesn’t result in any harm to the visitor, it still damages your organization’s reputation.
Many organizations have built their web presence on one of a small handful of content management engines like WordPress or Magento, which, while powerful and flexible, are very complex and require frequent updates to patch security vulnerabilities. On top of this, everything the engine relies on also needs regular maintenance: the web server, the language runtime, the database, and above all the third-party plugins and themes, which are where a large share of the exploited holes live. Any lapse in the cadence of updates and monitoring can result in an opening that can (and will) be exploited, resulting in a hacked website. Recovering from this type of compromise isn’t trivial. Search engines like Google and Bing keep track of sites that are hacked (Google’s Safe Browsing list is the best known) and label them as such in their search results, or even de-list sites if enough people complain about getting infected from a compromised URL. Getting yourself off the blacklist is an exercise in patience: you clean the site, request a review through the search engine’s webmaster tools, and wait, and if you miss even one bit of malicious code the review fails and you start over.
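As an added example, and not code from the original post or from any of the products it mentions, here is a small scanner for the kind of injection described above: hidden iframes, meta-refresh redirects to another host, scripts loaded from a foreign host, and inline scripts that look obfuscated. The two sample pages and the hostnames in them are constructed for the example; a real site would run something like this over every page on every deploy and diff the findings against the previous run.

```python
import re
from html.parser import HTMLParser
from typing import List


def obfuscation_indicators(js: str) -> List[str]:
    """Cheap heuristics for the kind of injected script found on hacked sites."""
    reasons = []
    if re.search(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode", js):
        reasons.append("eval/unescape/atob/fromCharCode")
    if len(re.findall(r"\\x[0-9a-fA-F]{2}", js)) > 20:
        reasons.append("long hex-escaped string")
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", js):
        reasons.append("long base64-looking literal")
    if "document.write" in js and "<iframe" in js.lower():
        reasons.append("document.write of an iframe")
    return reasons


class SuspiciousMarkupScanner(HTMLParser):
    """Records indicators commonly left behind by a website compromise: hidden
    iframes, meta-refresh redirects off-site, scripts pulled from other hosts and
    inline scripts that look obfuscated."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[str] = []
        self._in_script = False
        self._script_buf: List[str] = []

    def _foreign(self, url: str) -> bool:
        m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip())
        if not m:
            return False  # relative URL: same site
        host = m.group(1).lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(f"hidden iframe -> {a.get('src', '')}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m and self._foreign(m.group(1)):
                self.findings.append(f"meta refresh to foreign host -> {m.group(1)}")
        elif tag == "script":
            self._in_script, self._script_buf = True, []
            if self._foreign(a.get("src", "")):
                self.findings.append(f"external script from foreign host -> {a['src']}")

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)  # HTMLParser hands script bodies to handle_data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            reasons = obfuscation_indicators("".join(self._script_buf))
            if reasons:
                self.findings.append("obfuscated inline script: " + ", ".join(reasons))


def scan_html(html: str, site_host: str) -> List[str]:
    scanner = SuspiciousMarkupScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed pages; "acme.example.com" and "bad.example.net" are made-up hosts.
CLEAN_PAGE = """<html><head><title>Acme</title>
<script src="/js/app.js"></script></head>
<body><h1>Welcome</h1>
<script>var year = 2017; document.title += " " + year;</script>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
</body></html>"""

# The same page with the three most common injections appended before </body>.
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://bad.example.net/landing.php" width="0" height="0" style="display:none"></iframe>\n'
    '<script>var p="' + "\\x63" * 30 + '";eval(unescape(p));</script>\n'
    '<meta http-equiv="refresh" content="0;url=http://bad.example.net/av-alert">\n'
    "</body>",
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, scan_html(page, "acme.example.com"))
```

Heuristics like these produce false positives on legitimately minified or obfuscated JavaScript, so treat the output as a change detector rather than a verdict: a finding that was not there yesterday is what deserves a look.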
The take-away: don’t forget about that website, even if it isn’t a key revenue generator. Just like any other piece of equipment used to power your company, neglect can result in failure and even damage to the company itself. If you don’t want to budget for upkeep or for bringing a site up to current security standards, it’s often better to decommission an old site than to leave it around as a future problem for your company.
Following the advent of the Mirai worm, which dragooned well over 100K internet-connected security cameras and NVRs into an attack botnet, a hacker wrote a bit of malware dubbed BrickerBot that goes after the same insecure devices Mirai does. BrickerBot gets in the same way, by logging in over Telnet with factory default credentials, but instead of drafting the device into a botnet it disables it before Mirai can: it “bricks” the device by overwriting its storage with junk and wrecking its network configuration, leaving it unusable until someone re-flashes or replaces it, which for most cheap devices means permanently. The hacker behind this gray-hat sabotage claims more than 2M devices have been taken out of the fight, which continues to escalate with new variants of BrickerBot, now up to version 4.
What this means for you
Among the many things that the internet has wrought, globally accessible markets and supply chains have produced a cornucopia of powerful technology devices that are relatively easy to purchase, install, and use. But as with every market driven by a mad race to the bottom in production costs, quality suffers, and with it, security. The above-mentioned devices are vulnerable not because of what they are, but because of how they were programmed, assembled, or configured. While the general consensus is that the vulnerabilities are largely due to sloppy coding or ignorance, there is also the concern that because of where the parts were manufactured, there might be purposeful intent to include back doors and data-snooping to aid state-funded espionage. Your takeaways from this should be:
- Just because it’s cheap doesn’t make it insecure, but there is a higher likelihood that it might be.
- Just because it’s expensive doesn’t make it secure. Never assume high price equals bullet-proof.
- Never keep the default passwords on any device, whether it’s internet connected or not. Mirai’s entire “exploit” was a short list of factory default logins tried over Telnet. While you are at it, turn off any remote-management service (Telnet, web admin from the internet, UPnP port forwarding) that you don’t actually use.
When considering a DIY security system that includes internet-connected devices, at minimum check the reviews on a product to ensure there aren’t known vulnerabilities. Despite the above attacks that occurred last year, some of the devices known to be vulnerable to Mirai are still being sold! If you have any concern at all, or can’t spend the time to investigate security system hardware, consult an industry professional. Just because you can buy legal document templates online or watch a video on how to install a toilet does not make you a lawyer or a plumber. The same goes for security systems, video cameras and network video recorders.
Most reasonable people know they are not perfect, and even accept that they don’t need to be, but that doesn’t stop us from continually striving to improve. We use technology to do things faster, longer, further, and any number of other “-ers” you can think of, typically in the name of being better. The fundamental reason technology exists is to provide tools that extend our abilities beyond what we are humanly capable of. Technology is a primal multiplier of our own capabilities, good and bad, and amplifying the latter can lead to disastrous outcomes.
Here comes the technology soapbox!
I work with a lot of people, and as you might imagine, none of us are perfect. I see these bad technology practices often enough to know that every one of us is probably guilty of at least one of them, and some are nasty enough that not breaking them could have serious consequences.
- Not securing mobile devices and laptops with encryption and a password or PIN. Unless your device is a pure entertainment device with zero sensitive information, you should be locking your devices. It’s inconvenient, but so is having your private info leaked onto the internet. Don’t think your info is worth leaking? How about your client’s email correspondence, or that private conversation with your family and friends? You may think you have nothing to hide, but the people you interact with on your device also have a say in that privacy decision.
- Using insecure passwords for important accounts. You know this is bad; I don’t even have to explain why. And yet I remind people every day of the importance of strong, unique passwords, which in practice means a password manager, and of changing any password the moment you suspect it has leaked. (Forcing yourself to rotate every password on a schedule mostly produces weaker, more predictable passwords; uniqueness and length matter more.) Breaking this bad habit is hard, but it’s just one of those things we have to do.
- Poor file organization. Very few of us are in the minority of computer users who stick with a system for organizing all of their documents. A large number of us use the Desktop as a catch-all, and since it can’t overflow onto the floor like real paper, it can get really bad without warning. File that stuff away so you can find it later when you or someone else needs it.
- Poor email management. The email monster will eventually overwhelm even the most experienced technology veteran. Email has been around a long time, and we’ve had decades to build up bad habits in this category, but the number one is an out-of-control “Unread Count.” If you can no longer use that number as a gauge of what needs to be done, you are losing out on a valuable tool.
- Not reading (and thinking) before clicking. Most of us have been using computers long enough that it’s a reflex to click buttons, especially if they say “OK” or “Continue”, and often that leads to disaster. When a dialog pops up or a strange email link presents itself, stop, read, and consider your next action. A minute of critical thinking can make the difference between “delete” and “malware infection.”
- Infrequent or no data backups. This one still surprises me. Very smart people are still making poor choices with regard to securing their data. Backup services are so easy and inexpensive that there is literally no excuse not to back up your data, and, having backed it up, to test restoring a file now and then so you know the backup actually works.
- Relying on technology to be infallible. Fortunately, this seems to be a habit that is slowly being hammered out of everyone, if only through the constant media exposure of all the data breaches and hacks. Accepting that technology can fail isn’t admitting defeat. Instead it’s a core belief that leads to using it more effectively: understanding and accounting for the limitations of a system is the “yin” to technology’s “yang”.
When I attended Cal State University Northridge over twenty years ago, I was already well into my career as a technology consultant. Instead of pursuing a degree in Information Systems or Computer Engineering I chose to complete my degree in English Composition, not because I didn’t love technology, but because the courses offered in most university technology programs were already outdated, even antiquated by the standards of the time. I remember clearly the course that cemented my decision: “COBOL Programming”, offered in 1990 as a requirement for several technology degrees. At the time COBOL was already 30 years old, and even a young, wet-behind-the-ears consultant knew that this platform couldn’t possibly be in use much longer. Sadly, this has not been the case, and now America’s biggest banks are in a race against the clock to replace COBOL-backed infrastructure with more sustainable technology.
What this means for you
Despite the continuing, strident need for better security on all network-based services (banking systems fall definitively into this category), many of this country’s largest financial institutions rely on technology that was developed in 1959 and has been held together by a dwindling cadre of COBOL engineers and consultants, some of whom are long since retired, and whose ranks are being thinned by the final arbiter of obsolescence: death. While I’m fairly certain C2 clients aren’t reliant on anything as ancient as COBOL, there are plenty of businesses both big and small who lean heavily on older and even officially obsolete platforms for core business processes, if only because they haven’t budgeted for that platform’s replacement. An unsupported platform is also an unpatched one: every vulnerability found after the vendor walked away stays open for good. The important lesson here is that rather than having your hand forced by a complete lack of support, planning for the replacement of systems should be a critical part of your business planning every year. The financial hit may be significant, but it will be controlled and planned, versus pouring emergency money into a dying system to keep the lights on while madly scrambling to find a replacement.
As a parent, I fight a constant battle with my daughter about whether she is dressed appropriately for the day’s weather conditions. Even though we are making slow progress as she matures and starts to apply experiential learning to her decisions, there’s still a lot of back and forth, “This jacket will be too hot later, but this sweater is not warm enough now,” and then she forgets to bring either one as we rush out the door for school. This interchange is strikingly similar to exchanges I have with some of my clients who, while being mature, successful business professionals, are still learning how to prepare for the digital equivalent of bad weather. Fortunately for them, you can tackle it the way you would approach cold weather: handle it in layers.
Whatchu’ talkin’ ’bout, Woo?
Unlike the weather, computer security isn’t likely to “warm up” anytime soon, so you’d better bundle up. Here’s how you should be layered:
- Layer 1: Workstation antivirus – Never turn it off, never remove it. Also note that running multiple antivirus applications at once is never recommended. More does not equal better in this case. It’s like wearing two pairs of pants: you can do it, but it’s definitely going to slow you down and be very uncomfortable. On a computer, it can even prevent either product from working effectively.
- Layer 2: Workstation antimalware – Not always the same as “Layer 1”. Some products handle both, such as Webroot’s SecureAnywhere which we use for our clients. Some, like Malwarebytes, are meant to be used in concert with an antivirus product. (Microsoft’s Defender is a special case: on Windows 7 it is only an anti-spyware tool, while on Windows 10 it is a full antivirus that steps aside when you install another one.) The lines are blurring between viruses and malware, but these products typically focus on adware, spyware and software that isn’t considered outright malicious but is of questionable utility or intent.
- Layer 3: Workstation firewall – Even if your computer is behind a perimeter firewall, having a firewall on the computer itself provides extra protection, and it is the only layer that still works when the laptop leaves the office. If it’s configured properly, it will rarely interfere with regular operations. Some products like SecureAnywhere include their own firewall, but even Windows’ built-in firewall is better than nothing, so never turn it off.
- Layer 4: Perimeter firewall – This typically resides between your computer and the internet. Most routers provided by ISPs include a basic firewall, which again is better than nothing, but a professionally managed and maintained dedicated firewall is like the difference between a wall made of wood and one made of steel. Also be aware that most store-bought routers with firewalls typically don’t include the next two layers, primarily because they are targeted at consumer use, not business.
- Layer 5: Gateway antivirus/antimalware – Though not as commonplace in the SMB market, firewalls with built-in antivirus can scan and quarantine inbound (and outbound) malware as users behind the firewall come across it in their internet wanderings. One caveat: most web traffic is now encrypted, so a gateway scanner only sees inside it if the firewall is set up to intercept TLS, which brings its own trade-offs in privacy and complexity.
- Layer 6: Gateway Intrusion Detection/Prevention services – Often found alongside gateway antivirus, IDS/IPS actively protects your network against focused attacks by looking for well-known attack vectors and patterns and blocking them as they are aimed at your network.
- Layer 7: Email server spam and virus filtering – Even if you don’t have Layers 5 and 6, you should definitely have this layer. Due to the nature of how email is delivered and accessed, it’s often possible to sneak malware right past the other layers as an email attachment, and as many of you have personally experienced, this is the digital equivalent of the Trojan Horse. Catching malware before it gets anywhere near your network is nearly as important as Layer 1.
Don’t wait for the security weather front to clear – this storm is nowhere near spent. If your environment is properly geared to survive a long, dark winter, your business can look forward to a warm, bright future.
Despite the recent setbacks the Republican-controlled Congress suffered in the healthcare reform arena, they managed to pick themselves up off the mat and deliver a solid drubbing in another area of consumer interest: internet privacy. Following a 50-48 Senate vote, the House passed 215-205 a “joint resolution of congressional disapproval” of the rules put in place by the FCC in October of last year to govern how internet service providers would be required to handle the piles of data they collect on your internet usage. The rules, set to take effect in December of this year, were intended to make sure ISPs handled your data with full transparency and clearly visible notices (no fine-print agreements) as well as protecting it with industry-standard security. Proponents of the resolution contend that the FCC overstepped its authority with rules that would be confusing and costly to enforce, arguing successfully that the FTC would be better suited to protect consumer and business interests in this area.
Why should this be important to me?
It’s important to understand a few things:
- Search engines like Google, Bing and Yahoo have been making money off your search history for years.
- ISPs have probably been doing the same, but have likely been less forthcoming about it than the above companies.
- Your data, however mundane or irrelevant you believe it to be, is extremely valuable to every industry.
- In most cases you can opt out of a vendor’s use of your data, but you have to request it. You are opted in by default with most ISPs and cellular carriers.
- Very few people in the US have more than two choices in internet service. It is essentially impossible to “switch” to a provider that operates with your best interests in mind.
- There are ways to protect your privacy despite your ISP’s practices (a VPN, for instance, though that only moves the trust problem from your ISP to the VPN provider), but they are fairly technical, not consumer friendly, and definitely not foolproof.
Have a look at how your senators and representatives voted on this measure. For the record, both California Senators and my House Representative voted “Nay”, but if your congress-critter’s view on this matter did not match yours, you should probably do something about that. Regardless of where you stand on the privacy issue, you should know that despite the FCC ruling last year, the rules it intended to enact never went into effect, and pending the President’s signature, likely never will, at least via the FCC’s hand, as this joint resolution also specifically forbids the FCC from attempting something like this again. Another attempt is unlikely in the near future anyway, given the new Chair’s deregulation leanings.
For the moment, nothing has changed. If you are interested in how your ISP treats your privacy, you should read its posted privacy policy. You might want to have a big cup of coffee and a lawyer handy though, as the reading is definitely on the heavy side.
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to the indictment announced by the US Department of Justice, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, one of the largest breaches of personally identifying information on record began with a Yahoo employee falling for a spear phishing email.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hope that a small percentage will click the link or open the attachment, whereas spear phishing is aimed at a very specific audience or even a particular individual. It is several levels more sophisticated than the usual garbage clogging our email: the sender name, the subject and the content are tailored to the target, often using the names of real colleagues, vendors and projects, so that the message looks like one the target was expecting. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
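The Layer 7 discussion above (email filtering, and the attachment as Trojan Horse) and the spear phishing description here both come down to the same triage a mail filter or a suspicious reader performs on a message. As an added example, not code from the post, from C2 or from any filtering product, here is that triage in Python’s standard `email` library: a display name that claims a trusted organisation but comes from another domain, a sender domain one character away from a trusted one, a Reply-To pointing elsewhere, a failed SPF/DKIM/DMARC result from the receiving server, and executable, macro-enabled or archived attachments. The two messages and the trusted domain `example.com` are constructed for the example.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Extensions that run code or carry macros when opened, and archives that hide them.
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1",
                 ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz", ".iso"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True for examp1e.com, exampl.com, example.co, example-security.com;
    False for the real domain and its own subdomains (mail.example.com)."""
    d, t = domain.lower(), trusted.lower()
    if d == t or d.endswith("." + t):
        return False
    dn, tn = d.rsplit(".", 1)[0], t.rsplit(".", 1)[0]
    return edit_distance(dn, tn) <= 1 or (tn in dn and dn != tn)


def triage_message(raw: bytes, trusted_domains: List[str]) -> List[str]:
    """Return the reasons this message deserves a second look (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for t in trusted_domains:
        t = t.lower()
        brand = t.split(".")[0]
        # Display name drops the brand, but the address is not from that domain.
        if brand in name.lower() and from_dom != t and not from_dom.endswith("." + t):
            findings.append(f"display name '{name}' claims {brand} but sender domain is {from_dom}")
        if from_dom and is_lookalike(from_dom, t):
            findings.append(f"sender domain {from_dom} looks like {t}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_dom:
        findings.append(f"Reply-To {reply} goes to a different domain than the sender")

    # The receiving server's own verdict on the sender's authenticity.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(?:fail|softfail|permerror)", auth, re.I):
            findings.append(f"{mech} check failed at the receiving mail server")

    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        ext = os.path.splitext(fn)[1]
        if ext in DANGEROUS_EXT:
            double = " (double extension)" if fn.count(".") >= 2 else ""
            findings.append(f"executable or macro-enabled attachment {fn}{double}")
        elif ext in ARCHIVE_EXT:
            findings.append(f"archive attachment {fn}: contents not inspected here")
    return findings


# Constructed messages. "example.com" stands in for the organisation's own domain.
SPEAR_PHISH = b"""From: "Example IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: recovery@mailbox.example.net
To: victim@example.com
Subject: Action required: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached policy and confirm your password.
--b1
Content-Type: application/octet-stream; name="Password_Policy.pdf.exe"
Content-Disposition: attachment; filename="Password_Policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LEGIT = b"""From: IT Helpdesk <helpdesk@example.com>
To: victim@example.com
Subject: Maintenance window Saturday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain

Mail will be unavailable 02:00-03:00 Saturday.
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH), ("legit", LEGIT)):
        print(label, triage_message(raw, ["example.com"]))
```

None of these checks is conclusive on its own (a contractor really might reply from another domain, and `dkim=none` is normal for unsigned mail, which is why only outright failures are flagged), but a message that trips three or four of them at once is exactly the kind of “expected-looking” email a spear phisher crafts, and the point of running the checks by machine is that the human reading the mail no longer has to notice the `1` in `examp1e` by eye.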
There are many lessons to be learned from this incident, but perhaps the most important one remains: every security system is only as strong as its weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for a security breach will prepare you to react properly and deliberately rather than with a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.