Hawaiians got a small taste of cold-war nostalgia last week with a false alarm that warned of an imminent but non-existent ballistic missile threat. While authorities were relatively quick to clarify the lack of impending doom for the tropical islands, they could not forestall the sharp criticism from many fronts, including North Korea who was probably glad for a moment to not be the brunt of global scorn. At the crux of the 38-minute gaffe: a terrible user interface and-surprise, surprise-a human.
What we should take away from this
Aside from the uneasy reminder that North Korea appears to be a button-push away from making this false alarm into a very real one, this unfortunate mistake gave us a glimpse into a critical technology system (poorly) designed by humans. While it may be psychologically useful for us to shake our heads and make jokes about the government’s tendency to award crucial projects to the lowest bidder, Hawaii’s recent tour of nuclear apocalypse came courtesy of a system undoubtedly produced by such thinking. “Lowest bidder” and “technology” rarely result in quality in which you would entrust your business, so why should it be any different for our most critical technology platforms, just because they aren’t profit centers? The next time you are evaluating a technology purchase, make sure your budget matches the importance of the purchase.
It’s also important to note that for as much as we depend on technology to do everything from getting us to work, keeping us safe, and moving the human race forward as a whole, it has yet to replace or even supplement one very critical human trait that seems to be in short supply these days: common sense. A moderate investment in training your people on the reasonable and SAFE use of technology will pay off dividends far in excess of your costs, and can prevent panic-inducing moments like Hawaii’s False Missile Alert.
It seems that while most of us aren’t sorry to see 2017 in the rear-view, if recent news is any indication, 2018 isn’t shaping up to be any brighter for technology. My outlook on security for SMB technology is mixed at best – I’m certain we will see an escalating amount of attacks coordinated by organized and well-funded teams pursuing both criminal and political agendas, and we will continue to see the rise of propaganda in social media presented as facts-based journalism. On a more positive note, there are still plenty of technology options for SMBs that give them access to the same tools and software that the big boys use, but as with real life, graduating to an internet-savvy business world means preparing for an environment full of sharp edges.
To get you ready, I recommend the following technology resolutions:
- Back up your data. This was #1 last year, and it will be #1 next year. Not just to a hard drive you keep right next to your computer or server, but offsite, and regularly updated. Data loss is not just a possibility – it’s an eventuality. But it doesn’t have to be fatal.
- Use strong, unique passwords. The standards have changed, but the concept remains the same. Don’t use weak passwords, and certainly don’t use them for multiple, critical sites or services. Get a password manager to help keep track of them.
- Secure your mobile device, including laptops. If you check email, correspond with friends, purchase goods and services, take photos, blog, socialize, whatever, put a password on it. Can’t get the fingerprint sensor or face scanner to work? Sorry charlie, put a password on it. Even a 4-digit pin is better than nothing.
- Don’t value convenience over security. Being secure is hard work, but recovering from an attack or malware infection is ten times harder. Don’t learn this lesson the hard way.
- Protect your technology in layers. Maintain malware protection and firewall on your workstations. Encrypt drives on mobile devices. Set up malware and firewall protection for your network. Backup your data (important enough to say it twice). Add malware protection to your email service. Train your employees on proper security maintenance. Every layer is additive and creates a strong defense on all sides.
The internet continues to be a major engine for both economic and civil change, and the world’s powers clearly recognize this. Many battles are being laid, fortifications are being built, and skirmishes are already in the open. Like tense borders between countries, this can make the technology landscape risky and sometimes even toxic. It’s not time to head to the bunkers yet, but you should definitely be diligent in protecting your own technology territory. The internet has gone from pristine frontier to a heavily populated and increasingly polluted environment, and if you don’t take necessary precautions, your organization could end up catching a nasty infection with long-term health implications.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
Let’s just start 2018 with a bang, shall we? If you thought Intel’s mind-boggling security flaw of late 2017 was a jaw dropper, this latest one is has got to be the “hold my beer” moment of 2018, and we’re only 3 days into the new year. Intel is topping itself with what appears to be a devastating hardware flaw that is requiring a major kernel redesign in both Windows and Linux-based operating systems. I chose the word “devastating” for good reason: analysts are predicting the rewrite to the kernels could result in up to a 30% performance decrease in just about every computer using an Intel processor and Windows or Linux operating systems. There’s also a good chance Apple’s OS will need to be patched to fix this flaw, as it is subject to the same hardware-level design goof.
What this means for you
Every computer made with an Intel chip produced in the last decade is affected. This results in one of two possible outcomes:
- If you are running on an operating system that is due to be patched (all supported Windows flavors from 7 on, most Linux builds, Mac OSX) then you may experience a slow-down in performance, possibly as much as 30% for certain computing tasks.
- If you are running on an operating system that won’t be patched, your Intel CPU has a major security flaw that can only be fixed by either replacing it with a CPU that doesn’t have this flaw, which, for the moment, doesn’t exist.
If you are exclusively a mobile device user – most of them are built with non-Intel CPUs, or you have a computer built on an AMD processor, this bug doesn’t impact you directly, but you are still likely to be affected. Analysts are predicting this flaw and the workaround implemented by software developers will heavily impact cloud computing hosts like Amazon, Azure and Google Compute, which happen to host most of the world’s websites and virtual computing platforms. So now on top of possible bandwidth throttling from ISPs free of Net Neutrality regulation, you can also look forward to everything on the web being just a little bit slower, at least for the foreseeable future.
Once again, you as the end-user can do little to fix or prevent this. Windows 7 and 8 users have the option of not applying OS updates, but given the severity of the CPU flaw, this is probably a much worse choice than taking a (possible) 30% performance hit. Same goes for Linux and Mac OSX users – patching is still optional, but the security risk is likely very high for not patching this significant vulnerability. And Windows 10 users? Unless you are in the rarefied company of an enterprise-managed Windows 10 environment (essentially no one in the SMB space at the moment) you will be getting patched whether you want it or not, as there is no way to opt out of updates, save never connecting to the internet. And let’s face it, if you don’t connect to the internet with your Windows 10 machine, you are already ten times safer than the rest of us.
A lot of clients, friends and family have asked me about what the recent FCC ruling means for them, and many of them admit that they don’t really have a full understanding of what Net Neutrality actually is. First, here’s a refresher on Net Neutrality. Spend five minutes even if you understand NN, as it might help you better explain this complex topic to a friend or colleague:
What does the recent repeal by the FCC mean for you?
Let’s be perfectly honest. This debate has been ongoing for years, but what precipitated the FCC ruling in 2014 that was just recently repealed was something that NN advocates had predicted and warned about for years: a content provider (Netflix) paid an ISP (Comcast) to get out from under a speed throttle the ISP put in place, ostensibly to preserve bandwidth quality for their customers, but seeing as Comcast got a very large payday to open up the throttle, it doesn’t take a degree in economics to see that someone used their monopoly position to strong-arm another company into coughing up more money. And lest you think (or a NN opponent suggests) this didn’t have an impact on you or I, Netflix raised its prices in October 2015.
While a certain portion of the internet is already in pitchfork and torch mode (and have been for years) given the repeal of a ruling that was created to prevent the sort of shenanigans like the Comcast-Netflix deal above, Net Neutrality has essentially been on the “honor system,” even while the ruling was in affect. It would be fairly dumb, even by today’s lowered standards, for one of the ISPs to immediately announce a pricing program similar to the dystopian scenarios offered by the internet. But you and I know that big corporations aren’t known for always behaving in the public’s best interest, and you can definitely count on them to focus on maximizing shareholder value. With the current state of internet service provider market competition (there isn’t any for most consumers), we as consumers don’t have much in the way of voting with our wallets as NN opponents would have us believe. The ISPs have us over a barrel, and they know it. It remains to be seen whether they will be benevolent shepherds or merciless overlords, but given the recent disregard by the FCC for public opinion, I’m leaning towards the latter.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
This week’s technology mega blunder comes courtesy of industry giant HP, and it was literally at our fingertips the entire time. HP, among many other laptop manufacturers, has long used software from Synaptics to drive its laptop keyboards and touch-pads, and unfortunately the latest security goof comes in the form of a keylogger built into, you guessed it, the keyboard drivers from Synaptics. According to HP, this issue affects quite a long list of models, dating back five years. Supposedly a patch has already been issued by HP, but it will largely be up to the laptop user to apply the software update.
What this means for you
Fortunately, the keylogger is disabled by default, so it’s not quite as colossal as Apple’s blank password exploit or Intel’s gigantic “oopsie-daisy“. According to both HP and Synaptics, neither company would have access to any data that might have been captured if the keylogger was enabled, but that was a sleight-of-hand distraction. The security concern wasn’t that HP or Synaptics was snooping on your laptop usage (they can do this through various methods they and Microsoft Windows aren’t bothering to hide), but that a malicious party could exploit this dormant software once they had privileged access to your computer. More to the point – technology created by humans will have flaws. Making sure your equipment stays patched and up to date is only one layer of defense. It’s incredibly “cold” out there security-wise, and having multiple layers (firewalls, antivirus, backups to name a few) is the only way to keep from “catching your death”.
It’s no secret that I’m a proud Android smartphone user, but a large majority of my clients and acquaintances are iPhone users, and I know that many of them have not been having a good weekend due to a series of bugs in the latest version of iOS. Some of the bigger bugs include a crash tied to notifications, auto-correct changing “it” to “I.T”, the calculator producing incorrect results if numbers are entered too quickly (let that one sink in!), and being unable to delete photos if your iCloud drive was full. Normally it’s Android users suffering as smartphone guinea pigs, but, just like last week’s ginormous OS X cock-up (supposedly fixed now), Apple seems fairly driven to join everyone else at the bottom of the barrel with its initial release of iOS 11.
What this means for you
Hopefully you’ve not destroyed your iPhone in a fit of rage because Apple just released 11.2 that supposedly fixes many of the above-mentioned bugs. Lest you think this was only a bug hunt, Apple, with this release, also started the roll out of their new ecash platform “Apple Pay Cash” which is their version of Venmo or Paypal, and introduced fast charging with Qi wireless accessories. But let’s be serious – this was a major bug hunt, and it seems like there was a long list of critters to exterminate. As always, if you aren’t experiencing problems (possibly because you held off on upgrading to 11 in the first place), you may want to sit tight to make sure Apple hasn’t introduce a set of new bugs while squashing the current ones, but if you are one of the many suffering from from the buggy state we Android users know as “Tuesday”, check your iPhone for the 11.2 update. Make sure you plug it in and connect to the closest WiFi for a (hopefully) better, more functional tomorrow.
Not to be outdone by Intel’s jaw dropping vulnerability reveal last week, Apple stepped up to the plate with what appears to be an epic “Hold My Beer” moment: the latest version of their computer operating system “High Sierra” can be completely compromised through a serious bug. Even more unfortunate is the fact that it is trivial to execute: in any instance of the OS X system asking for authentication to perform a task requiring administrative access, the user merely has to use “root” as the login name and leave the password field blank. Tapping “enter” repeatedly to authenticate will eventually result authentication being granted without ever having to enter any password at all.
What this means for you:
For the majority of the business world, this is a rare respite from the constant deluge of vulnerabilities that plague Windows users, but that is no consolation for the millions of Mac users out there who usually enjoy a relatively secure platform. At the moment there is no patch from Apple but sources say they are scrambling to release a fix soon. In the meantime this vulnerability can be fixed quickly, assuming your machine has not already been compromised. By default, the “root” account is not assigned a password, and assigning one plugs the hole immediately. But there is a catch: setting the password requires a little bit of technical work that initially may seem “too technical” for the self-professed “non-technical” user. You have a choice: earn your geek wings by following this guide from Apple on setting the root password, or give us a ring. We can fix this problem for you, remotely, in a few minutes.
I had a nice little article planned for everyone about avoiding Black Friday/Cyber Monday shopping “deals”, but Intel just had to hog the spotlight this Thanksgiving. Based upon findings by security researchers several weeks ago, computer chip manufacturer Intel has released information on multiple vulnerabilities in the following CPU models:
- 6th, 7th, and 8th generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel Atom® C3000 Processor Family
- Apollo Lake Intel Atom® Processor E3900 series
- Apollo Lake Intel® Pentium® Processors
- Intel® Celeron® N and J series Processors
Given that this represents a large chunk of what most computer manufacturers have been selling since 2015, it’s safe to say that millions of computers and devices are at some risk. HOWEVER there are (as of the moment) no known exploits in the wild seeking to take advantage of the published security flaws.
As of this writing, the major computer manufacturers have not yet released any firmware updates that will address these vulnerabilities. Dell has said that patches are coming but has not said when, and Lenovo has said that it is “hoping” to have “some” firmware updates by the 23rd. For now, the most that anyone can do is run a tool provided by Intel (Linux and Windows only at the mment) to determine if their system is vulnerable. It’s not clear whether Apple computers are affected – the current consensus is “maybe not,” but don’t take that to the bank just yet.
What this means for you:
Don’t panic. Enjoy your holiday (if you are taking one), and give us a ring on Monday to schedule a check of your equipment. Even though I’m sure there are some black hats out there right now frantically working on a way to exploit Intel’s colossal goof, the actual execution still requires a fairly specific set of conditions for the exploit to be possible. In the meantime, make sure your critical data is backed up, keep your operating system, antivirus and anti-malware software updated, avoid clicking suspicious links, don’t open strange attachments, and above all, stay vigilant.
Previously I wrote about the Elephant on the Internet, and lately it seems like we can’t stop blundering into the pachyderm that shall not be mentioned. Last week, Medium published a controversial article about a strangely mutated (but inexplicably popular) genre of kids videos on YouTube. For those of us hardened by years of work (and play) in the darkest and weirdest corners of the internet, the article wasn’t surprising, but it was definitely disturbing how bad things had become in this area. If you don’t mind wearing the mental equivalent of hip-waders, James Bridle’s article plays Rod Serling to this Twilight Zone-esque subgenre that evolved to exploit YouTube’s keyword and “Suggested Videos” algorithm. One of my “favorite” videos from this story is entitled, “BURIED ALIVE Outdoor Playground Finger Family Song Nursery Rhymes Animation Education Learning Video”. Rolls right off the tongue, eh?
What this means for you
A few years back, my wife and I made the sad (but not surprising) discovery that YouTube was not something that could be left in a child’s hands unsupervised. At the time, it had yet to grow the strange and mutated mushrooms that crowd the darker corners as described in Bridle’s article, but we encountered too many inappropriate “suggestions” from YouTube’s algorithms and came to the conclusion that (a) nobody was driving this particular bus, and (b) some people would do anything to make a buck, especially if they could do it by exploiting technology. In other words – not family friendly, and definitely not kid safe. A few years after that, Google announced YouTube Kids – a walled-garden subset of age-appropriate content that parents could trust to entertain their progeny, and we had a brief glimmer of hope that someone at Google noticed their space needed some adult supervision.
It’s no secret that children’s content is an evergreen but highly competitive industry. Prior to the internet, media companies would spend millions chasing short attention spans in the hopes of cashing in on an ephemeral merchandising craze, eg. Cabbage Patch Kids, Tickle-me Elmo and Baby Einstein videos. Now, thanks to the popularity of crowd-generated content, YouTube is a top destination for Internet “Gold Rushers” with children’s videos a particularly profitable and exploitable “vein”. The problem is not with the creators of these freaky videos – capitalism and Internet make for some strange, but predictable bedfellows. It’s that YouTube is yet another example of a system that has gotten away from its creators, and despite their attempts and promises to close yet another Pandora’s box, the sheer size and scale of the Internet continues to overwhelm and surprise the companies that laid the groundwork for its current dominance.
To sum up: it should come as no surprise that when the Internet gets ahold of something and everyone’s too busy watching the scenery to drive the bus, we can end up on the wrong side of town with no idea how to get back. Add YouTube to the crowd of monsters (Twitter, Facebook, Equifax, Wikileaks etc.) that have gotten away from their masters in service of agendas outside of their control.
Image courtesy of TAW4 at FreeDigitalPhotos.net
The technology gremlins are in beast-mode this week, and I haven’t had the time to pen a carefully thought-out blog post for you, but I did go back into our archives to dig out some treasures that I think are still relevant!
- Make Yourself Less Hackable (2012) – a few handy, still relevant tips on keeping ahead of the hackers
- Spear-Phishing Effectiveness on the Rise (2012) – Maybe not surprising, but tricking people with fake emails is still effective even now
- Stolen Laptop Equals $50k Fine (2013) – People are still walking around with laptops chock full of sensitive data
- Is your webcam spying on you? Maybe. (2013) – This is still happening, and now in higher-definition!
- Applebee’s demonstrates how NOT to do social media – Little did we know just how much influence Social Media would have.
Image courtesy of Stuart Miles at FreeDigitalPhotos.Net