The day that many people are dreading is fast approaching: Microsoft is ending extended support for Windows 7 in January 2020, which means that it will no longer be providing updates and fixes to the extremely popular and widely used operating system. What you may not have realized is that Microsoft actually ended mainstream support for 7 back in 2015, which was when it stopped developing new features for the OS and stopped taking support calls from users about Windows 7. It’s a testament to its stability and relative security that it’s still in wide use essentially on the eve of its retirement, but like all good things, it has to come to an end.
Don’t panic. You have options, but inaction is not one of them.
The primary question I am asked when briefing clients about retiring Windows 7 in their organizations is whether they should upgrade their existing machines or buy new ones. The simple answer, though definitely not the one they necessarily like to hear, is that buying new computers built for Windows 10 is, dollar for dollar, a better investment than upgrading older PCs. Of course there are exceptions, but keep in mind that most PCs that still have a factory-installed Windows 7 OS are likely 3-4 years old at this point, as computers started shipping with Windows 10 in mid-2015.
If you’d like to evaluate whether or not your computer is worthy of upgrading versus replacing, consider these factors:
- If your computer is still covered by a warranty, it’s worth considering an upgrade over replacing it.
- Is your computer older than 4 years? Definitely consider replacing, as many of the hardware parts are actually approaching physical end of life and are more likely to fail, regardless of OS.
- Is your CPU an Intel processor 4th generation or higher? Older CPUs will not fare well with Windows 10.
- Do you have at least 4GB of RAM? No? Don’t bother. Four GB is the bare minimum, and 8GB is recommended.
- Running a lot of older applications that you can’t update or upgrade? Upgrading to Windows 10 will likely break those apps. If your business depends on apps that are unsupported on Windows 10, you and I need to have a different discussion.
Even though it’s technically possible to upgrade just about any computer running at least an Intel Core processor (i3, i5 and i7) and 4GB of RAM, there is still a certain amount of work involved in going through this process (which I will detail in next week’s blog). Even if upgrading to Windows 10 results in a functional computer, you are only delaying the inevitable replacement of the device. Still, this is an acceptable path if your short-term budget cannot cover an immediate replacement and you have a longer-term plan to replace the device. On later model PCs, installing Windows 10 can result in some performance gains as well as definite security improvements, but PCs 4 years and older rarely improve in performance, and whatever short-term gains there are fade the longer that PC is used in any business-critical environment.
If you don’t have a Google account or use the Google calendar feature, you can stop reading and maybe read something from our back catalog. Still with us? Good, I’ll explain what’s happening, and then how you can plug this particular vulnerability. To put it simply, scammers are sending calendar invites to Google users that have malicious links embedded in the text of the invite. Not so bad, right? You know how to spot those. Except these aren’t emails – they are calendar invites that are being automatically added to your calendar courtesy of some default settings that Google has still not changed despite being warned about it nearly 2 years ago. The problem comes when these fake invites actually pop up as a notification on your phone or computer, and as we are all trained to do, we click to get more information, possibly on a disguised link in the text of the invite, and BAM, you are infected.
Here’s how you stop this
You have to do this via a web browser, and I would recommend using a computer instead of your phone, mostly so you can confirm you are changing the correct setting by matching what you see with the screenshots below.
Log into your Google Account. This link will take you to your calendar if you are already logged in, or to the login screen if you are not – https://calendar.google.com/
Look for the gear icon in the upper right corner of the calendar web page and click “Settings”:
Under the “General” menu, click “Event settings” and then look for the “Automatically add invitations” setting which probably says “Yes”:
Change that setting to “No, only show invitations to which I have responded”
Next you may want to consider disabling Google’s “Events from Gmail” function which automatically adds events to your calendar based upon emails you receive, such as flight confirmations, restaurant reservations, concert ticket receipts, etc. If you don’t regularly rely on this feature, you should turn it off until Google is able to further secure calendars from fake invitations.
If you want to disable this feature, look in the left column for “Events from Gmail”, click it, then uncheck the “Automatically add events from Gmail to my calendar”.
Finally, if you already have fake invites in your calendar, you can report them as spam, and Google will automatically remove any other invites on your calendar from that same sender. You also have to do this from a computer web browser. Do not do this from your calendar app on your mobile device.
To report a Google calendar event as spam, find the event in your calendar, open it and then click the three-dot icon “Options” and then select “Report as spam”:
Photo courtesy of Stuart Miles from FreeDigitalPhotos.net
In case you haven’t already been scared silly by the concept, “deep fakes” are a new classification of videos wherein the faces of the subjects of the videos, usually short clips from movies or talk shows with easily recognizable actors, are replaced with a different face. While skilled video and movie special effects editors have been doing this for decades, the effect was usually obvious and it took an expensive special effects studio to produce the result. Now, we have YouTubers producing clips like the below which is amazing and terrifying at the same time:
What this means for you
The amazing part is easy to see (or not see). At some point in the video, I forget that I’m looking at Bill Hader and can only see Arnold’s face, which, coupled with his excellent impression of the Governator, makes it look AND sound like Schwarzenegger is sitting with Conan instead of Hader. The terrifying part? This was done by one guy using open source software that doesn’t require an entire special effects studio team to produce.
If that isn’t enough to put a chill in your bones here are a few recent deep fake news stories that should wake you right up:
- The Democratic National Committee produced a deep fake video of their own chair Tom Perez for this year’s Def Con (one of the biggest hacker conventions in the world) to highlight the dangers deep fakes present to the 2020 elections.
- A Chinese app maker just released a free app on the Chinese iOS App store that can use a single picture to replace actors’ faces in a collection of famous movie clips.
- A scammer used a deep fake audio application to impersonate the voice of a UK energy firm CEO which was convincing enough to trick an employee into transferring over $200k to an unauthorized bank account, from where it was quickly transferred and laundered through multiple international accounts.
There’s that elephant again, though at least this time, there are a lot of people talking about it. Technology is again racing ahead of ethics, morality and law, and shows no signs of stopping. Will it take money or elections being stolen before anything is done about it? Have we hit a point where society will always be trailing technology, picking up the broken pieces and taping together integrity as best we can?
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even if during that process your phone asks if it’s OK to grant new permissions to an app that needs access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code which can then be decrypted and run on the device without any action required by the phone owner.
What this means for you
Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.
As with many types of malware infections, the underlying cause is often either a lack of understanding of how phones can be infected or what that behavior might look like on a mobile device, or, in many cases, a lack of patience or even care for the diligence required to notice the problem in the first place. If you need some basic guidelines on navigating the mobile app safety maze, here are some things you should always observe:
- Remove any apps you aren’t using, especially ones you don’t remember installing.
- Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
- Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours after being installed, to avoid detection.
- Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
- Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
- Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.
Ransomware attacks are on the rise. Depending on which security company you get your news from, the percentage increase from 2018 varies from 110% to a whopping 365% as reported by Malwarebytes Labs. Also important to note: attackers are going after government institutions in the US in a noticeable way. Since the start of 2019, there have been 22 documented attacks on city, county or state governments, including the high-profile incident in Baltimore which I wrote about back in May of this year and which has thus far resulted in $18 million in remediation costs and lost revenue. Not to be outdone, the state of Texas can add a new record to its list of big things: 23 local government organizations were attacked simultaneously in what is being called the largest coordinated ransomware attack against multiple government entities…so far.
What this means for you
Unless you happened to be served by one of the 23 unlucky institutions affected by this attack, this will be one more splash of water in our ongoing drink from the malware fire hose. Texas officials are keeping mum so far on who-what-where’s of the attack, but if I had to guess, someone got phished via email, gave up credentials, which led to the hackers being able to drop malware on critical systems that all went off on August 16th. Given the breadth of the attack, it’s likely the attackers have been working this particular set of targets for months, meaning it was organized and purposeful.
You might not have noticed this, but ransomware attacks had slipped into the background in 2017. They are back with a vengeance and focused on businesses and government entities because the hackers realized deeper pockets are just as susceptible to ransomware, and are more likely to pay ransoms because they can’t afford not to pay, as seems to be painfully exemplified by Baltimore’s ongoing recovery. As always, your best protection against this type of malicious, technological pollution is a multi-layered defense perimeter that consists of, at minimum: email filtering, workstation and server malware protection, a strong firewall, and cloud-based backups. If you can add employee training to that list, you will be much better protected than your neighbor or even the competition. And in case you were wondering where you might be able to cover all these bases with one call, just give us a ring.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakistani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
It’s a day ending in “Y” so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capital One was quick to try to downplay the severity of the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.
Not feeling violated enough yet?
To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.
“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.” – Anonymous Apple contractor to The Guardian, 26 July 2019
An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As reported here and everywhere, the 2017 breach of Equifax credit reporting agency exposed critical PII (personally identifiable information) for 147 million Americans. It remains equally notorious for Equifax’s botched handling of the breach as well as the thundering silence (until now) from the government on what should be done to address the appalling privacy breach as well as what consequences the company should face as a result. If it had been announced a few months earlier, Equifax’s settlement with the FTC, Consumer Financial Protection Bureau, and 50 US States and Territories for $575-700M might seem significant, but in the face of the record $5B fine levied against Facebook just two weeks prior, the amount seems paltry, especially considering that Equifax reported revenue of $3.41B in 2018.
What does this mean for you?
From a raw-math perspective, this settlement values your most critical financial data (full name, address, social security number, email address, phone number, credit card numbers, bank account numbers…feel ill yet?) at around $2-3. Yup, sorry, no “B” or “M” or even “K” following those numbers. Two dollars.
However, if you are willing to put in the work, you can possibly claw back as much as $20,000 depending on your circumstances. For a more comprehensive outline of how you can get your share of the Equifax settlement, the Wall Street Journal spells it out fairly well, but I’ll hit the high notes if you want to hit the ground running from here:
- Were you affected by the Equifax breach?
- Check your credit report.
- Get email updates about the settlement.
- You are entitled to up to 6 free Equifax credit reports a year from 2020 through 2027.
- You may be partially compensated for credit monitoring or identity protection paid for between 9/7/2016 and 9/7/2017.
- You may be eligible for free identity restoration services for at least seven years.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.
How many zombie accounts do you have?
One of the most overlooked double-edged swords of online services is the requirement to create yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of ourselves as only “casual” online participants will have dozens of accounts, and those of us who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.
Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers that created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected or even monitored by the company who is supposed to be securing it.
What does this mean for me?
First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.
Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.
Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones for accounts you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized access to your email account can find them as well and figure out ways to get into those accounts.
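The mailbox sweep described in the last two steps, as an added example that is not part of the original post: it reads an mbox export (most mail clients and Gmail Takeout can produce one), keeps the messages matching the post’s search phrases, groups them by sender domain with the first-seen date, and flags the ones that still carry a literal password so you know which to delete. The two extra phrases, the sample messages and the domains are constructed for the demonstration.

```python
"""Inventory account-related e-mails in an mbox file to find forgotten
("zombie") accounts, and flag messages that still contain a password.
Added example, not from the original post; sample data is constructed."""
import email
import mailbox
import os
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime

# The post's three search phrases plus two common sign-up variants.
SIGNUP_PHRASES = ("new account", "your password", "account activated",
                  "welcome to", "confirm your email")
# A credential printed on its own line in the body, e.g. "Password: hunter2".
PASSWORD_RE = re.compile(r"(?im)^\s*(?:temporary\s+|initial\s+)?password\s*[:=]\s*\S+")

SAMPLE_MESSAGES = [  # constructed; every address, date and domain is fictional
    "Date: Tue, 03 May 2011 10:15:00 -0500\nFrom: Old Forum <noreply@forum.example>\n"
    "Subject: Your new account is ready\n\nWelcome aboard!\nUsername: jdoe\nPassword: hunter2\n",
    "Date: Mon, 10 Feb 2014 09:00:00 +0000\nFrom: Shop Example <hello@shop.example>\n"
    "Subject: Account activated: start shopping\n\nThanks for joining.\n",
    "Date: Mon, 01 Aug 2016 18:30:00 +0000\nFrom: Shop Example <security@shop.example>\n"
    "Subject: Your password was changed\n\nIf this wasn't you, contact support.\n",
    "Date: Fri, 05 Jul 2019 12:00:00 +0000\nFrom: Newsletter <news@digest.example>\n"
    "Subject: Weekly digest\n\nThis week's headlines.\n",
]


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def inventory_accounts(mbox_path):
    """Map each sender domain with an account-related mail to
    {"first_seen": date or None, "count": n, "has_password": bool}."""
    found = defaultdict(lambda: {"first_seen": None, "count": 0, "has_password": False})
    for msg in mailbox.mbox(mbox_path):
        text = str(msg.get("Subject", "")) + "\n" + body_text(msg)
        if not any(p in text.lower() for p in SIGNUP_PHRASES):
            continue
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() or "unknown"
        entry = found[domain]
        entry["count"] += 1
        try:  # missing or malformed Date header: keep the entry, skip the date
            when = parsedate_to_datetime(msg.get("Date")).date()
        except (TypeError, ValueError):
            when = None
        if when and (entry["first_seen"] is None or when < entry["first_seen"]):
            entry["first_seen"] = when
        if PASSWORD_RE.search(text):
            entry["has_password"] = True
    return dict(found)


def build_sample_mbox():
    """Write the constructed messages to a temporary mbox file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    box = mailbox.mbox(path)
    for raw in SAMPLE_MESSAGES:
        box.add(email.message_from_string(raw))
    box.flush()
    box.close()
    return path


if __name__ == "__main__":
    for domain, info in sorted(inventory_accounts(build_sample_mbox()).items()):
        flag = "  <-- contains a password; delete once the account is closed" if info["has_password"] else ""
        print(f"{domain:16} first seen {info['first_seen']}  mails: {info['count']}{flag}")
```

Point `inventory_accounts` at your own export instead of the sample file; the "first seen" date tells you how long each service has held your address.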
Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a local webserver on the computer on which it is used, which enables users to quickly make and answer Zoom calls. Unfortunately, the main reason they implemented this method was that the built-in security restrictions of the Mac operating system were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, even after the Zoom software was removed from the Mac, this local webserver remained in place, allowing for quick reinstallation in case the user needed to make or receive a Zoom call, the latter of which could be exploited to gain unauthorized access to the Mac’s built-in camera.
Subverting security for convenience is always good practice, right?
Initially, Zoom defended their Mac client methodology and insisted that the changes they made to the Mac client’s settings should be sufficient to protect against any exploits of their software. The security researcher remained unconvinced that it was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof of concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed their position on the subject and has just released a patch that removes this feature, as well as adding a new menu choice to do a full uninstall of the software to remove the hidden webserver.
If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.