I’d like to say I’m busy watching the mid-term results come in, but actually I’m too tied up reading all the reports of voting machine failures causing delays, confusion and, almost certainly, some disenfranchisement. Despite plenty of media attention on the matter months ago, it’s clear nothing was done, and the result was delays, confusion and doubt across the process in numerous states.
- Voting Machine Meltdowns Are Normal—That’s the Problem – Wired
- Voting Machine Manual Instructed Election Officials to Use Weak Passwords – Motherboard/Vice
- Voting Machine Hell, 2018: A Running List of Election Glitches, Malfunctions, and Screwups – Gizmodo
- Why voting machines malfunctioned on Election Day – Vox
- Voting machine errors already roil Texas and Georgia races – Politico
- Voting machines can be hacked in two minutes, expert warns – Fox News
We’re talking about it, but it’s still being ignored
Sadly, Election Day in the US once again illustrates my point about technology and humans: we are not perfect, nor are the machines we build and use. Despite this reality being clearly demonstrated in the above, we have the hubris to believe that our technology is somehow immune to our own frailties. In many ways, technology clearly allows us to overcome limitations and achieve spectacular things, but it also amplifies our shortcomings, and as we’ve seen numerous times elsewhere it also enables the less virtuous to exploit those shortcomings.
To change things, we need to expect better from our leaders – business, political, and spiritual. They need to understand critical technologies or admit when they do not and hire experts to help shape and implement policy that advances humanity as whole and not just financial interests. It’s OK to admit to not understanding technology, but if it’s an important part of your job or responsibilities, that continued lack of understanding could cause irreparable harm. Change begins with you, and putting in the effort to understand a technology also grants the benefit of being able to spot others who do not, an advantage that is handy in business and politics.
If you’ve been reading my blog for any length of time, you’ve seen me describe the current state of security in a variety of colorful ways, but my favorite analogy is the one where I liken ourselves to jugglers with many objects in the air and with more being tossed in every minute by hackers and criminals. We lose if we drop a single item, but there is no “win” condition for juggling. If anyone has enough hands and arms to keep a lot of things in the air, it should be Facebook, and they have a lot going on, but in the end, they have come up short on another promise: transparency in sponsored advertising. Facebook’s never ending torrent of fake news was supposed to be somewhat dampened by a tool rolled out in May of this year called “Paid for by” which was built to bring some accountability to Facebook publishing tools heavily abused by political trolls leading up to the 2016 US elections, and surrounding numerous other political events since then.
Transparency or Lip Service?
Just ahead of the 2018 midterm elections, Vice.com investigators, through the “Paid for by” tool on Facebook, applied to purchase ads on behalf of all 100 US Senators. All 100 applications were approved, despite the ads being shared from fake political groups built specifically to test Facebook’s transparency tool, and the very obvious fact that Vice investigators are clearly not actual spokespeople for any sitting US Senator. The same tool also allowed the Vice team to buy ads on behalf of Vice President Mike Pence and the Islamic State, but curiously enough, not Hillary Clinton. Based on the amount of effort the Vice team exerted to circumvent the “Paid for by” verification tool, it’s clear that Facebook put an equal amount of effort into building this tool, i.e. virtually none. It’s unclear if the “Paid for by” tool was a token effort put up by Facebook to appease shareholders and lawmakers, or if the problem of fake news on Facebook is truly unsolvable, but if an organization as big and as powerful as Facebook can’t (or won’t) solve this problem, the only other solution is to completely ignore it as a source of news.
And that’s the other problem with elephants on the internet: because of their size, they are hard to ignore.
There is at least one good thing to come from the increasing number of residential surveillance cameras: we are getting real-time, high-definition looks at criminals in action, like the recent video recording of a Tesla being stolen via an already well-known key-fob relay (“spoofing”) technique, in which the fob’s signal is picked up near the house and relayed to the car so the car believes the key is present, something I wrote about over two years ago. The unsettling video is only made slightly less so when the car thieves struggle with disconnecting the charging cable from the car, highlighting the irony that a simple electrical cable was almost a better deterrent than the actual keyless entry system protecting the car.
Most security breaches are caused by carelessness or laziness
I’m certain there are statistics to back up this claim, but I’m also relying on decades of anecdotal experience when stating that most security breaches are our own damned fault. In the above-mentioned incident, the victim admitted to neglecting to protect the vehicle from this sort of theft with Tesla’s “PIN to Drive” feature (the equivalent of not using a password on your computer or phone), but it’s unclear whether that was because he wasn’t aware it was necessary, or just never got around to setting it up in the first place. Most of the breaches I encounter typically start with someone clicking on a link they shouldn’t have, and 9 times out of 10, when I debrief “patient zero”, they are able to pinpoint the exact moment they screwed up. When I ask them why, the answer is one of these reasons:
- I was in a hurry,
- I didn’t want to bother someone else,
- It looked OK,
- I thought my antivirus/firewall/karma/etc. would protect me,
- My data is backed up, right?
Sadly, none of these, even the last one, is a good excuse, and most of my clients are self-aware enough to take this invaluable learning moment to heart. Yet despite one or more valuable lessons delivered, even the most paranoid among us will be susceptible to momentary lapses in vigilance and judgement. After all, we are only human. This too is a valuable lesson, and not an excuse to give up in the face of daunting probability. Knowing that we are our own worst enemies will keep us on our toes when we need it most, and if we bolster our defenses with the proper security technology, we are much less likely to be vulnerable when our guard inevitably falters.
I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- About 14M of the compromised accounts had an extensive amount of information exposed, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- Another 15M had only names and email addresses or phone numbers, or both, exposed.
- The remaining 1M (about three percent) did not have any information exposed, though their access tokens were stolen.
- No Facebook passwords were stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any number of other items exposed in previous breaches, it’s trivial for cybercriminals to build very realistic emails from this stolen data: fake password reset notifications from widely used services like Office 365, Facebook, Gmail or Snapchat, or strangely familiar emails that use that private data to trick you into revealing additional information, or granting access, to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is information you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use it to guess your answers and reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed (the check sends only the first few characters of a hash of your password, not the password itself, so the site never learns what you typed). If it is exposed, continued use of it will likely result in any account secured by that password being compromised very soon.
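For the technically curious, here is what that check does under the hood, as an added example written for this post (it is not Have I Been Pwned’s own code). The client hashes the password with SHA-1, sends only the first five hex characters of the hash to the real range endpoint at https://api.pwnedpasswords.com/range/, and matches the remaining 35 characters locally against the list of suffixes the server returns, so the server never sees the password or even its full hash. The “fake” fetcher and its breach counts are constructed here so the script runs offline; swap in `live_fetch_range` to query the real service.

```python
"""Pwned Passwords range check with k-anonymity: only a 5-hex-char SHA-1 prefix
leaves the machine; matching is done locally against the returned suffixes.

Added example for the post, not HIBP's code. The API URL is the real endpoint;
the fake fetcher and its counts are constructed stand-ins for offline use."""
import hashlib
import urllib.request
from collections import defaultdict


def sha1_prefix_suffix(password: str) -> tuple:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password), uppercase."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found).

    fetch_range(prefix) must return the body of GET .../range/<prefix>.
    It only ever receives the 5-character prefix, never the password or full hash.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real network fetch against the HIBP range API (needs internet access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "c2-blog-example"},  # assumed client name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetch_range(known: dict):
    """Offline stand-in for the API built from a constructed breach corpus.

    `known` maps password -> breach count. Like the real server it indexes by
    prefix and returns only suffixes, which is all the server learns about you.
    """
    index = defaultdict(list)
    for pw, count in known.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index[prefix].append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        return "\r\n".join(index.get(prefix, []))

    return fetch_range


# Constructed sample corpus; the counts are illustrative, not HIBP's real figures.
SAMPLE_FETCH = make_fake_fetch_range({"password": 3730471, "letmein": 254000})


if __name__ == "__main__":
    for pw in ("password", "letmein", "c2-2018-unique-passphrase-xq"):
        n = pwned_count(pw, SAMPLE_FETCH)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

The same shape (hash locally, send a short prefix, match at home) is how you should expect any password-checking service to work; one that asks for the password in the clear is one to avoid.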
A small percentage of Windows users have opted into the “Insiders” program which grants them early access to new features, bug fixes and content updates for Windows 10, which as I’m sure all of you are painfully familiar with now, updates very frequently. The object of the Insiders program is to “beta test” new updates to the operating system before they are pushed out to the rest of the world, presumably to catch bugs before they can affect the more than 700 million devices that use Windows 10. Well, they caught a bug, but not before it erased data on an undisclosed number of Insider machines.
What this means for you – Get backed up!
If you aren’t an Insider – you have to opt into the program – you only have to worry about fully tested updates destroying your data. I’m only being somewhat sarcastic here, as many of you have experienced some form of loss (data, time, money) recovering from the forced death march that is Windows 10’s update cycle, and at least one of my clients experienced a complete wipe of all of his installed applications, necessitating hours of reinstallation work. It’s important to understand that Microsoft, just like any company powered by humans, can and will make mistakes, and those mistakes will cause problems for you. Fortunately, you can counteract this uncertainty with a simple practice: back up your data, and periodically confirm that you can actually restore from that backup. There are many options to choose from in this area – some of my clients only work on and store important data on a central server that is backed up, or, if that option isn’t available to them, they use some form of cloud backup, either self-managed or provided to them by C2. Just the other day I had a client suffer a complete data wipe (rare, but it does happen) due to a crashed Windows profile (possibly caused by a Windows update), but they were backed up right up until the crash and were able to recover their data, albeit slowly. The backup paid for itself in spades that day, and saved my client from catastrophic loss.
Back when I first heard about Facebook I was working for a private university known for its “dry” campus. I was asked to consult on the case of a student who was being disciplined for violating the no-alcohol policy because a picture had been discovered of them buying booze at a nearby supermarket. It had been uploaded by the student’s friend to a hot new website called Facebook. I distinctly remember discussing this with staff and faculty at the time, predicting, “This is going to get a lot of kids in trouble.” There was discussion of banning access to the site, but filtering internet content back then wasn’t as straightforward as it is now, and the discussion was tabled with a promise to review the issue at a later time. Fast-forward to the present, where Facebook is still getting a lot of people in trouble, and themselves as well.
From the frying pan, to the fire, to…incinerator?
It might be hard to believe, but it was only June when we had to air out the latest load of dirty laundry from Facebook. Prior to that, they have been blog subjects seven times this year alone, and none of them were for something good! I’d say this month’s two-fer entry might be their pièce de résistance of colossal cock-ups, but there are still 90 days left in the year, and Facebook seems bent on setting some sort of record for destroying themselves.
First, they were caught red-handed letting advertisers use phone numbers provided by users for authentication purposes, something they had previously denied. To add insult to injury, it’s also come to light that they will also target individuals through contact information uploaded by their friends through the Facebook app, even if the individual never provided any sort of consent for such use.
If that isn’t enough to get your blood boiling, how about 50M Facebook users having their accounts compromised? Rather than the old-fashioned password hack, attackers exploited a bug in Facebook’s “View As” feature which allowed them to essentially steal the access token used to provide continued access after you’ve initially logged in. Think of this token as a VIP wristband you might wear at an event that also gets you backstage. This token not only provides you a quick login to Facebook but to dozens of other connected services, such as Instagram and WhatsApp, that allow users to authenticate through Facebook instead of creating a unique login and password. Just like the wristband, Facebook only looks at the token and not the person using it to determine what they are allowed to access, so you might get an inkling of why it being stolen is kind of a bad thing. The investigation is still ongoing, but according to Facebook, no passwords or credit cards were stolen, and it doesn’t look like the perpetrators of the September breach used their “wristbands” to get into the various third-party platforms it could have granted access to, but I’d put even money on Facebook having yet another, “Wait, hold my beer,” moment, so don’t put the pitchforks too far out of reach.
Unfortunately for the two billion humans who are still trying to get some sort of enjoyment (or livelihood) out of Facebook, there really isn’t any platform that comes close to being able to replace it. Your choices are “deal with it” or go cold turkey, the latter of which I don’t see any of my Facebook-hooked friends doing any time soon. If you’ve tied your various other online services to Facebook’s login in the pursuit of convenience, it only makes giving up Facebook that much harder and further illustrates just how dangerous this type of practice can be – Facebook login gave everyone a shovel, and quite a few people dug a hole that they have no idea how to get out of. Sadly, not climbing out of that hole and permanently putting the shovel aside essentially rewards Facebook for their negligent security practices, something that we should not do if we ever want the service to be something more than a way for advertisers and hackers (and Facebook!) to exploit for their own profit.
Microsoft has just announced the general release of Office 2019, the latest version of its “on-premise” productivity suite. Since the debut of Microsoft’s subscription version of this suite, Office 365, the year-numbered designations have been used to delineate the two product lines, and up to version 2016, the two versions have been functionally identical. According to Microsoft, as of 2019, the “on-premise” version will no longer maintain feature parity with Office 365 going forward. Of course, details are still fuzzy on exactly what that means, but based on take-aways from the Microsoft Ignite Conference held in Florida earlier this week, the main differentiator appears to be cloud AI-based features, like enhanced search and internet-connected data.
The classic real estate question comes to software: Rent or Buy?
For most business users who are approaching the cloud at a more measured pace, this question is probably still easily answered by doing a quick financial calculation: how many usable years will I get out of the numbered version of Office compared to the subscription cost of an ongoing 365 license? For some of my clients who are still (desperately) clinging to version 2010, their ROI has clearly exceeded everyone’s expectations, but as many are finding, it does come at a cost – missing features, reduced security and a growing incompatibility gap will at some point force an upgrade, often when the timing is most inconvenient. Up until now, the primary benefit of the subscription based model for Office has been the lower up-front cost of acquiring the software and the ease of reinstalling the software as needed. Microsoft has also sweetened the pot for some subscription plans by allowing multiple installs of the product on as many as 5 computers per license, which definitely improves the ROI over the long-haul. As more functionality and data moves to “the cloud”, the calculus of licensing software may tilt towards renting, especially since the software makers seem intent on focusing all their future efforts (and money-making) towards this model.
Back when the internet was relatively new and essentially unspoiled, there was a great deal of hype around the “connected home” which was to include every major appliance, all of your entertainment electronics, home lighting, environmental controls, and security. Everything it would seem, including toilets, which some manufacturers are still trying to make happen in 2018. One thing that had zero trouble becoming extremely popular is the internet-connected security camera, which has exploded in growth (as predicted) and shows no signs of stopping as the devices become more affordable and easy to install. The downside, of course, is that the low-cost comes at a price, which is most often achieved through poor quality control. Back before the days of solid-state everything, this used to mean shoddy wiring and terrible video resolution, but now, unfortunately, it seems to be coming at the cost of proper security.
Peekaboo, I hack you!
Once again, an overseas firmware manufacturer, this time in Taiwan, has announced that a recent version of its firmware used in an undetermined number of camera models has two significant bugs that, when exploited, can lead to complete root-level control of the device, which in layman’s terms means, “all your cameras are belong to us!” Any device inside your network that can be compromised and controlled by an outside, unauthorized agent is the very definition of bad news. Early estimates put the number of affected cameras at 180,000 to 800,000, which is really shorthand for “we don’t really know how many devices are impacted,” and is based on the list of partners the company released that might be affected by this vulnerable firmware. While the firmware maker was quick to issue a fix, the patch itself would need to be applied manually, and it’s not clear how that fix would be distributed, nor how the camera owner would be notified.
At the moment, there is no list of affected camera models, so unless your specific IP camera actually tells you what firmware it is using in its built-in web interface (most of them don’t), you can’t even check for yourself. You will have to wait to see if your camera manufacturer issues an update for your device. And let’s be frank, most folks, even yours truly, aren’t watching for firmware updates for our IP cameras, and I would hazard a guess that most owners of the consumer-grade IP cameras likely affected by this vulnerability haven’t even registered their ownership with the camera manufacturer, so unless you (1) know the model of the installed camera and (2) look up on the manufacturer’s website whether an update even exists, it’s likely you will never know if your camera is vulnerable until after it’s been hacked. In the meantime, the one thing you can do is limit the damage: don’t expose the camera’s web interface directly to the internet (port forwarding from your router counts), and if your router supports it, put cameras and other gadgets on their own network, separate from your computers. Unfortunately, we have enough trouble keeping our computers and mobile devices up to date without having to keep track of the growing Internet of Things, but sadly, it looks like this is exactly what our next challenge will be.
C2 Technology is in the business of providing technology support and consulting to other organizations, and Google’s many tools are indispensable to me and my team. Our email is hosted by Google, our searches are powered by Google, and it even helps me keep track of where I’ve been in the past week, and as many of you know, I am all over the map, seven days a week. I do this using the very handy “Timeline” feature provided by Google and my Android phone’s GPS. But I do all of this knowing full well that Google is literally tracking everything I do, and even being as familiar as I am with the industry and how data collection works, I can still say with complete confidence that I don’t know half of what Google is actually tracking about me, and probably even less about the several dozen other technology platforms I interact with on a daily, even hourly basis. And if I, a technology consultant who lives and breathes technology, can’t keep track of the data that other companies are collecting about me, what hope does that leave for the average person?
“Be better” Google?
An Associated Press investigation caught Google red-handed tracking users’ locations even when users disabled “Location History” in their device’s settings. They didn’t even try to apologize, instead insisting that turning off Location History does in fact disable that particular function (which tracks your movements for apps like the above-mentioned Timeline feature), but that other Google apps may have location-aware services that will gather data in order to “improve people’s experience…” and, guess what, those apps have controls that will allow you to disable location tracking for that particular app. How many of the apps and websites that you use on your mobile device are tracking your location? Definitely more than just the Maps app, and the only way to turn off Google’s tracking as a whole is to “pause” a setting in your Google account called “Web & App Activity”. As many of Google’s critics rightly point out, the obvious assumption people will make when disabling Location History is that location tracking is turned off everywhere, so using vague words and splitting semantic hairs is disingenuous at best, and in the EU, where GDPR was implemented to curb this type of double-speak (among many other things), it might actually be a violation. Maybe Google needs to embellish its (seemingly long forsaken) motto, “Don’t be evil”, with some specifics. The above practice, while maybe not “evil” in the traditional sense, is still pretty slimy and clearly designed to benefit the company and not its customers.
Two separate reports have come in this week detailing the increasing tide of cyber attacks intended to sow politically motivated disruption through the spread of misinformation and by targeting specific political organizations and government bodies. Microsoft was first to the gate with news that its Digital Crimes Unit (bet you didn’t know they had that!) executed a court order to disrupt new website domains: two targeting well-known conservative think tanks, three intended to act as possible spoofs of legitimate Senate services, and one targeting Microsoft itself. In a similar vein, fellow tech titan Facebook scrubbed more than 600 accounts, pages and groups this month that were created by both Iranian and Russian actors to disseminate misinformation aimed at creating divisive influence on a wide variety of political issues, both here in the US as well as in Latin America, the UK and the Middle East.
What does this mean for you
In case you haven’t been picking up what I’ve been laying down for months, the most important thing for anyone to do in the face of increasing campaigns of purposeful misinformation and repeated bombardments of fake emails and impostor websites is to always have your critical thinking cap square on your head. If you are reading a news story that seems controversial, perhaps corroborate its contents by checking other sources, including ones that might not be aligned with your particular viewpoint. Received an email with an attachment that seems important, but you can’t quite remember if the sender is someone you actually worked with? It’s probably because you didn’t work with them and the attachment is a fake. Always err on the side of skepticism. The volume of information we are receiving on a daily basis is being used against us as camouflage and the only way to combat it is to be ever vigilant and never, ever skimp on security. That means check and double-check the source (news, emails, attachments, everything), and if still in doubt, call in a second opinion from someone you trust to give you another point of view. And always make sure your malware protection is intact, your passwords are unique and your data is backed up.