Back when the internet was relatively new and essentially unspoiled, there was a great deal of hype around the “connected home” which was to include every major appliance, all of your entertainment electronics, home lighting, environmental controls, and security. Everything, it would seem, including toilets, which some manufacturers are still trying to make happen in 2018. One thing that had zero trouble becoming extremely popular is the internet-connected security camera, which has exploded in growth (as predicted) and shows no signs of stopping as the devices become more affordable and easy to install. The downside, of course, is that the low cost comes at a price, one most often paid through poor quality control. Back before the days of solid-state everything, this used to mean shoddy wiring and terrible video resolution, but now, unfortunately, it seems to be coming at the cost of proper security.
Peekaboo, I hack you!
Once again, an overseas firmware manufacturer in Taiwan has announced that a recent version of its firmware used in an undetermined number of camera models has two significant bugs that, when exploited, can lead to complete root-level control of the device, which, in layman’s terms, means “all your cameras are belong to us!” Any device inside your network that can be compromised and controlled by an outside, unauthorized agent is the very definition of bad news. Early estimates put the number of affected cameras at 180,000 to 800,000, which is really shorthand for “we don’t really know how many devices are impacted,” and is based on the list of partners the company released that might be affected by this vulnerable firmware. While the firmware maker was quick to issue a fix, the patch itself would need to be applied manually, and it’s not clear how that fix would be distributed, nor how the camera owner would be notified.
At the moment, there is no list of affected camera models, so unless your specific IP camera actually tells you what firmware it is using in the built-in web interface (most of them don’t), you can’t even check for yourself. You will have to wait to see if your camera manufacturer issues an update for your device. And let’s be frank, most folks, even yours truly, aren’t watching for firmware updates for our IP cameras, and I would hazard a guess that most owners of the consumer-grade IP cameras likely affected by this vulnerability haven’t even registered their ownership with the camera manufacturer. So unless you (1) know the model of the installed camera and (2) look on the manufacturer’s website to see if an update even exists, it’s likely you will never know if your camera is vulnerable until after it’s been hacked. Unfortunately, we have enough trouble keeping our computers and mobile devices up to date without having to keep track of the growing Internet of Things, but sadly, it looks like this is exactly what our next challenge will be.
C2 Technology is in the business of providing technology support and consulting to other organizations, and Google’s many tools are indispensable to me and my team. Our email is hosted by Google, our searches are powered by Google, and it even helps me keep track of where I’ve been in the past week, and as many of you know, I am all over the map, seven days a week. I do this using the very handy “Timeline” feature provided by Google and my Android phone’s GPS. But I do all of this knowing full well that Google is literally tracking everything I do, and even being as familiar as I am with the industry and how data collection works, I can still say with complete confidence that I don’t know half of what Google is actually tracking about me, and probably even less about the several dozen other technology platforms I interact with on a daily, even hourly basis. And if I, a technology consultant who lives and breathes technology, can’t keep track of the data that other companies are collecting about me, what hope does that leave for the average person?
“Be better” Google?
An Associated Press investigation caught Google red-handed tracking users’ locations even when users disabled “Location History” in their device’s settings. They didn’t even try to apologize, instead insisting that turning off Location History does in fact disable that particular function (which tracks your movements for apps like the above-mentioned Timeline function), but that other Google apps may have location-aware services that will gather data in order to “improve people’s experience…” and, guess what, those apps have controls that will allow you to disable location tracking for that particular app. How many of the apps and websites that you use on your mobile device are tracking your location? Definitely more than just the Maps app, and the only way to turn off Google’s tracking as a whole is to “pause” a setting in your Google account called “Web & App Activity”. As many of Google’s critics rightly point out, the obvious assumption people will make when disabling Location Tracking is that location tracking is turned off everywhere, so using vague words and splitting semantic hairs is disingenuous at best, and in the EU where GDPR was implemented to curb this type of double-speak (among many other things), it might actually be a violation. Maybe Google needs to embellish its (seemingly long forsaken) motto, “Don’t be evil” to include some specifics. The above practice, while maybe not “Evil” in the traditional sense is still pretty slimy and clearly designed to benefit the company and not its customers.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Two separate reports have come in this week detailing the increasing tide of cyber attacks intending to sow politically-motivated disruption through the spread of misinformation and by targeting specific political organizations and government bodies. Microsoft was first to the gate with news that its Digital Crimes Unit (bet you didn’t know they had that!) executed a court order to disrupt new website domains that were targeting two well-known conservative think tanks, three that were intended to act as possible spoofs of legitimate Senate services, and one targeting Microsoft itself. In a similar vein, fellow tech titan Facebook scrubbed more than 600 accounts, pages and groups this month that were created by both Iranian and Russian actors to disseminate misinformation aimed at creating divisive influence on a wide variety of political issues, here in the US as well as in Latin America, the UK and the Middle East.
What does this mean for you
In case you haven’t been picking up what I’ve been laying down for months, the most important thing for anyone to do in the face of increasing campaigns of purposeful misinformation and repeated bombardments of fake emails and impostor websites is to always have your critical thinking cap square on your head. If you are reading a news story that seems controversial, perhaps corroborate its contents by checking other sources, including ones that might not be aligned with your particular viewpoint. Received an email with an attachment that seems important, but you can’t quite remember if the sender is someone you actually worked with? It’s probably because you didn’t work with them and the attachment is a fake. Always err on the side of skepticism. The volume of information we are receiving on a daily basis is being used against us as camouflage and the only way to combat it is to be ever vigilant and never, ever skimp on security. That means check and double-check the source (news, emails, attachments, everything), and if still in doubt, call in a second opinion from someone you trust to give you another point of view. And always make sure your malware protection is intact, your passwords are unique and your data is backed up.
Despite what you might think, the titular pachyderm of this week’s blog isn’t the GOP mascot, but that same elephant I’ve pointed out to you in the past. We, as a civilization, have put into place technologies that have significant impact on our lives seemingly without the requisite care and considerations for our own safety and security. We can now toss onto this rapidly growing pile of hubris one of the most important institutions of this century, if not the entirety of human history – the political election process via the digital voting machine. Over this past weekend at the 26th annual, infamous Defcon gathering in Las Vegas, attendees were invited to hack digital voting machines that are currently in use across the US. One machine, used in 18 states, was hacked in less than 2 minutes. In another demonstration, an 11-year-old hacked a replica of the Florida Secretary of State’s website and changed posted voting results within 10 minutes.
What this means for you
If there is one axiom you can count on to be always true, it’s that any technology built by humans will be flawed, and yet most of us still believe things that are “digital quality”, “machine-built”, or “scientifically engineered” are infallible, flawless, or even perfect, and definitely better than anything humans are capable of, forgetting that while the particular device in your hands or conveying you across town wasn’t made by human hands, it was most certainly designed by humans. Election officials and equipment manufacturers were quick to point out that the situation presented at Defcon doesn’t represent “real-world” implementations of their technology, but the findings of Defcon should at the very minimum raise awareness that, on top of Russia actively and currently seeking to interfere with our elections, we might be our own worst enemies, blindly trusting that technology, implemented by humans, will operate flawlessly and be impenetrable. If there is anything I know after working for nearly 30 years with technology, it’s that there is no such thing as a perfect implementation, or bullet-proof security. If you happen to vote in a state that utilizes digital voting technology, make sure you understand what you can expect in terms of receipts or paper trails. Also understand that all states utilize some form of technology to count ballots, but not all states use technology in the act of voting. In California, some districts do have actual digital voting machines that can provide a paper record of your votes, which you should absolutely retain just in case.
Scareware isn’t a new trend – we’ve been seeing fake “FBI warnings” on our computer screens long enough that even the most technology-naive among us knows not to pay their “online fine”, and the crime of extortion has been around as long as humanity has used currency. Unfortunately for all of us, cybercriminals have put a new twist on the scareware scam in what the media is dubbing “Sextortion”. The scam is as lurid as it sounds, basically tricking victims into believing their “not safe for work” (NSFW) online browsing habits are about to be exposed to their friends, colleagues and family unless a bitcoin amount is paid to keep the naughtiness under wraps.
The “gross” anatomy of this scam
Like others of its ilk, this is a straight-up scam, but the method used can produce a hair-raising response through the application of a diabolically clever trick: the scammer uses information found online to produce the illusion that they can “see you” and “know what you are doing” when in fact you are just the recipient of a mail-merge template. The trick is simple: they are pulling email and password pairs from any one of numerous illicit databases that are lurking in the dark corners of the internet, and then plugging that information into a template and mass spamming emails in the hopes that a small percentage actually fall for the con and pay the extortion fee. What’s different about this latest effort is the relatively sophisticated language and diction used which gives the appearance of someone who might actually be capable of the things they allege in the email. The terminology and activities described are written to target individuals who have used their device to look at porn on the web (which many people do, no surprise there), and when paired with the shock of seeing a familiar password right there on the subject line, many reflexively reach for their wallets.
A colleague also shared with me that the scammers are actually sending this same extortion note via actual mail, perhaps thinking that if their potential victim sees the threat printed in black and white on something they can hold in their hands it will have more weight. And it does, but only for the extortionist as now they’ve committed a federal felony.
Either way, don’t fall for this scam, and don’t let your friends, family and colleagues fall for it as well. Share this story, if only to ease the conscience of someone who may be secretly worried about their privacy. They should be, but not over this sorry piece of flim-flammery. For real reasons why they should be worrying about privacy, check these stories out.
Even though most of us know Amazon as the world’s largest drain on everyone’s wallet, they do quite a bit more not generally visible to their adoring public, including developing a now-controversial face recognition platform called “Rekognition” intended for use by law enforcement agencies. “Controversial” because of a recent report released by the American Civil Liberties Union (ACLU) wherein they used Rekognition to compare the photos of members of Congress against a database of 25,000 mugshots. The result: 28 Congress-critters incorrectly identified as criminals. Regardless of your opinion of their actual work in the capitol, this should raise eyebrows and hard questions from everyone, including the public servants falsely tagged in the ACLU’s “field test.”
What this means for you
Aside from a few well-known early adopters like Washington County and Orlando law enforcement, Amazon refuses to divulge which law enforcement agencies are using their technology, let alone which ones might be considering it for near- or far-term deployment. If you thought this technology was more science fiction than fact, consider this story which surfaced in March of Chinese law enforcement using glasses with built-in facial recognition in real-life security situations. Also consider that smart phones have been using face recognition for several years now, with countless reports of how easily the authentication method can be spoofed, as well as the same technology failing because of things like back-lighting (a client of mine, this weekend!), different hair styles or a 5 o’clock shadow.
Government officials, just like us regular consumers, are easily lured by shiny technology, but, just like us (because they are us), they are just as flummoxed when the technology doesn’t work as advertised. Unlike us, their ill-informed purchasing decisions can affect countless more lives, so it behooves us to urge our congresspeople to put technologies like Rekognition under a higher level of scrutiny and base their decisions on more than Hollywood-esque techno dreams dressed in photogenic eyewear. Will face recognition become a part of law enforcement? Without a doubt, but I’m not sure it’s ready for its close-up just yet, Mr. DeMille.
We’ve known since at least 2013 that American utility companies are under constant cyber attack, but at the time I wrote that blog four years ago, lawmakers and the industry believed that their security was sufficient to withstand the incursions. Welcome to 2018, where everything is getting hacked, including, yes, American power utilities. According to recent disclosures from the Department of Homeland Security and reported through the Wall Street Journal, highly organized hacker teams backed by Russia have compromised the security of “hundreds” of utility companies, to the point of being able to cause actual interruptions in power flow.
What this means for you
Far from the Hollywood vision of suave, athletic spies dangling from wires over laser grid alarms, the majority of the reported hacks were achieved through the most mundane of attack vectors: email phishing and watering-hole websites that trick users into typing in their credentials for what they believe are legitimate access requests. The hackers targeted smaller vendors and service companies attached to the larger utilities, taking advantage of their typically smaller cybersecurity budgets as well as their proximity to the actual target. Once they had compromised the security of the vendors that serviced the targeted utility, they were able to become a wolf in sheep’s clothing, and from there easily penetrate the relaxed perimeter.
While this is a gross simplification of a highly involved and concentrated effort that spanned years of work, it should again highlight the obvious weak point in cybersecurity: people. Unfortunately, increasing security precautions have acclimated everyone to entering passwords every time our devices pop up a dialog box asking for one. Even those of us with training are hard pressed to carefully assess every authentication request. Until technology provides us with a better way to authenticate, passwords will continue to be a glaring weakness in security. Every time your device asks for a password, take a few seconds to assess whether the password request is expected and, more importantly, properly formed. The latter does take some training, but as long as you are properly paranoid, that is a huge step in the right direction. The worst that could happen from canceling out of an unexpected password prompt is a few more minutes’ delay in getting to whatever information you were trying to access. Unless you are in a life-or-death situation, that delay could save you from a future blackout.
It’s easy to be snide from my blogging armchair – it’s one of the many questionable things that the internet has made possible. It also enabled the existence of two of the largest companies in the world, Amazon and Google, which makes it all the more ironic, amusing and somewhat disheartening that these same companies are at the capricious mercy of the very thing on which they are founded. While Google doesn’t often suffer from outages, when they do, as they did today for about an hour, it’s hard not to notice. And when internet retail giant Amazon has severe, widespread outages the prior day during the first hour of their much vaunted “Prime Day”, it makes you wonder if there is any hope for everyone else, especially seeing as Amazon owns the world’s largest cloud computing network that is designed explicitly to stave off outages like the one they experienced.
What this means for you
Neither company has shared any technical details on the outages or their cause. Even if they did, it’s unlikely that anyone but a select, geeky few would truly understand and be able to apply any technical lessons learned. However, as most of you who have worked with technology in your business have grown innately to expect, technology will fail you at the least opportune, most damaging time possible, and the only way to counter this certainty is to plan for that failure. How would one go about reasonably planning for technology failure given how utterly pervasive and unpredictable it is? Start by evaluating what elements of your business or operations are critical – not for success – but for continued operation.
1. What technology things (data, devices, platforms, services, etc.), if you did not have them, would cause serious problems for your business?
2. Of the items identified in #1, which of them are truly irreplaceable? E.g., customer sales data, email conversations, custom-built software. Keep in mind that some data can be recreated, but it may not be valued the same as the original.
3. How long could you operate without them before their absence becomes permanently damaging?
Most everything you’ve identified in the above can probably be hardened, copied, backed up, cloned or retired/replaced by something less vulnerable, and the most valuable things, like data, are often the easiest and least expensive to secure against disaster, but only if you actually take the step to back them up. Other things, like lack of internet, can also be worked around, but only if you have a plan and know how and when to execute it when your less-than-Prime Day arrives.
For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both the Firefox web browser and the 1Password password manager will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers, which can help to stop advertisers from snooping on your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions, that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fall back to another browser. Fortunately, all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
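The HIBP lookups that Firefox and 1Password build in (and that you can run yourself) don’t need to send your password anywhere. This added example, which is my own code and not HIBP’s, Firefox’s or 1Password’s, shows the k-anonymity check against the public Pwned Passwords range endpoint: only the first five characters of the password’s SHA-1 go over the wire, and the match is done locally. The network call is injected so the logic runs offline against a constructed reply; the breach counts in that reply are made up.

```python
"""Pwned Passwords k-anonymity check (added example, not HIBP's own client).

The range endpoint takes the first 5 hex characters of a password's SHA-1 and
returns every known 35-character suffix for that prefix with a breach count,
so the full hash (and the password) never leaves your machine.
"""
import hashlib
from typing import Callable, Dict
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def fetch_range(prefix: str) -> str:
    """Real network fetch of one hash prefix (used only when no fetcher is injected)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in HIBP, or 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed offline reply for the prefix of SHA-1("password"). The counts are
# made up and the other suffixes are padding, as a real reply would contain.
CONSTRUCTED_BODY = "\n".join([
    "A" * 35 + ":2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
    "not a valid line",
    "F" * 35 + ":1",
])


def offline_fetcher(prefix: str) -> str:
    """Stand-in for the network call that only knows the constructed prefix."""
    return CONSTRUCTED_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetcher)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in constructed sample")
```

Swap `offline_fetcher` for the default `fetch_range` to query the live service; the prefix sent is the same either way.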