Long-time readers will notice that it is pretty rare for me to post good news to this blog. I’m sure good technology things happen every day, but we don’t get called when something is working properly, and the mainstream media usually don’t report on anything but bad news. Fortunately for us – because let’s face it, we are sorely in need of “W’s” in the fight against cybercrime – a prominent hacking group responsible for thousands of cyberattacks worldwide resulting in more than $120M in ransom payments has been dismantled by a joint law enforcement operation led by the UK and US. The action resulted in what they are calling a complete dismantling of the APT (advanced persistent threat) known as Lockbit.
What this means for you
On top of seizing control of nearly all of Lockbit’s operational assets, including 34 servers, 200 cryptocurrency accounts and arresting 2 Russian nationals, they actually converted Lockbit’s own dark website into a “reverse” leak site that touted the task force’s takedown of the APT as well as posting their own countdowns to when additional data on the Lockbit crew would be leaked to the internet, turning a commonly used cybercrime tactic back on the criminals. Before the site was “pwned” by authorities, it was used by Lockbit to publish a list of its victims and ransom countdown timers.
This was no small effort – it required coordination between 10 countries and at least three major law enforcement agencies. It will hopefully result in some of the victims being able to recover encrypted data and maybe discourage some portion of the cybercriminal element from continuing operations, but let’s be realistic – this APT was one head of a massive hydra, and the assets neutralized were a fraction of the compromised computers and accounts used as zombies or command and control servers across the globe. In the above-mentioned “Operation Cronos” action, 14,000 rogue accounts were shut down. For perspective, a cybercrime botnet was discovered in 2009 that was comprised of nearly two million computers. That number has likely been dwarfed many times over by now. It’s too early to declare victory by a long shot, but as the old proverb instructs, “How do you eat an elephant? One bite at a time.”
Image by Schäferle from Pixabay
In 2019 I wrote about the arrival of deep fakes and posited that it might take an election being stolen before anyone in the country takes it seriously. Welcome to 2024 where someone engineered a robocall in New Hampshire designed to suppress the vote in that state’s January 23rd primary elections. The call featured what appears to be an artificial intelligence-generated clone of President Biden’s voice telling callers that their votes mattered more in November than in today’s primary. To put a nice ironic cherry on top, the robocallers seemed to have spoofed a phone number from a Democrat PAC that supports Biden’s efforts in New Hampshire. Here is the actual release from the NH Department of Justice website that signals the official investigation, in case you are skeptical of the above website’s veracity.
What this means for you
I imagine that regardless of which side of the political spectrum you sit on, this presents a very scary future where we cannot trust our eyes or ears or practically anything on the internet at a time when truth and objective reasoning are crucial. The technology to do the above is readily available and accessible, and it seems a small but influential number of us cannot be trusted to act responsibly with powerful technology. If you are thinking, “well, let them duke it out in their political battles over there, I don’t need to worry about AI fakes affecting me,” let me spin a “fanciful” situation for you to consider. Let’s say you have a disgruntled ex-employee who is looking to strike back at you or your company and decides to use the above tool to fake a harassing phone call from someone in company leadership to someone else in your organization. Do I even have to tell you that this service is likely already on offer in questionable corners of the internet? What can you do?
Make your voice heard in the upcoming elections by voting for leaders that represent your values (which are hopefully based on lifting people up instead of pushing them down). How do you know who that might be? Time to step up and ask directly. Don’t rely on third parties to put words in their mouths. It’s time for direct accountability, for you, me and them.
Register to vote. Get out and vote.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
If there’s anything I’ve learned in the 30-odd years working in technology, it’s that I am terrible at predicting where technology is going next. When I was younger and considerably more optimistic, I had hoped for a world where technology would help us to replace both the dangerous and hideously mundane jobs allowing us more time to engage in loftier pursuits. While it has definitely done plenty to automate the mundane and make things much safer, it has also helped profit-driven companies amass vast fortunes even while the rest of us struggle with increasing costs and diminishing quality of life. It has given equal footing or even an advantage to those who would exploit others for personal gain, while seemingly making it even more complicated for those of us just trying to live a peaceful, compassionate life. If I were a billionaire, you can bet there would be some things I would attempt to change, but as I’m not, all I can do is hope certain things come to pass.
Here’s my wish list for 2024
- I’d like to see social media platforms take some responsibility for their power. Likelihood: Possible, but maybe not this year.
- I’d like our Government to take more interest in keeping us safe technologically. Likelihood: In the works, but could be dismantled by politics.
- I’d like to see everyone take more interest in privacy and security. Likelihood: Slowly, slowly happening.
- I’m praying for a breakthrough in identity authentication. Likelihood: Unlikely, it seems.
- I’d really like to see an increase in technology quality control. Likelihood: Not happening this year.
- A breakthrough social media platform focused on lifting humans up instead of winning 15 seconds of fame. Likelihood: Probably not this year.
- Technology that is easy to understand and safe to use for everyone, especially the elderly. Likelihood: Improving, but still a long, long way to go.
Image by Michael Schwarzenberger from Pixabay
Back in October of this year, we wrote about DNA testing company 23andMe’s reported data breach. Initially thought to “only” impact 1.4 million people, 23andMe has revised that estimate to a whopping 6.9 million impacted users that had data exposed including names, birthdays, locations, pictures, addresses, related family members, but not, as the company has strenuously emphasized, actual genetic data. I’m fairly certain that little nugget is not providing the relief they might hope.
Why this should matter to you
Even if neither you nor anyone in your immediate family is a 23andMe customer, it’s important to understand why this data breach is particularly noteworthy. 23andMe wasn’t hacked in a manner that is more commonplace for large companies – hacked or stolen credentials for someone inside the company that had privileged access, but rather through a mass breach of 14,000 customer accounts that were secured by passwords found in dark web databases, i.e., these stepping-stone customers were using the same passwords that were exposed in other breaches and leaks. The hackers used those compromised accounts to essentially automate a mass cross-referencing data harvest that in the end, exposed data on nearly 7 million 23andMe customers. This last data exposure is on 23andMe – it would seem they didn’t anticipate the built-in cross-referencing services that the genetics testing company offers would be turned against itself. Also, there was the minor omission of not enforcing multi-factor authentication to secure everyone’s accounts, which might have compensated for the poor password discipline of its customers. The two take-aways? Unique passwords and multi-factor authentication should be the minimum security requirements you should expect from any service that contains your valuable data.
Image courtesy of geralt at Pixabay
There is a conflict brewing in the workplace that many will view as just another symptom of corporate greed. Regardless of its source it’s about to come to a boil, and Microsoft and the other tech heavy-hitters are turning up the heat whether we are ready or not. To be fair to them, they aren’t doing it to be jerks, but as part of an overall shift to a concept called “security by design” which is part of the Biden Administration’s overall “National Cybersecurity Strategy” released earlier this year. The strategy is way too complex to even attempt covering in our tiny blog, but there is one element that touches all of us: multi-factor authentication and the push to move past simple SMS codes to authentication apps.
What this means for you
The core concept of “security by design” is focusing the responsibility of security on the manufacturers and vendors and not relying on the end-user to know what is best. As a prime example of this, Microsoft, by default, now requires multifactor authentication for its new customers (which can then be manually disabled), where before, this service needed to be turned on manually by the customer (or their designated IT professional) themselves. All well and good – as a security professional this makes perfect sense to me, and I support the trend – BUT this also requires those employers who don’t provide smartphones to their employees to “ask” those employees to install one or more authenticator apps on their personal devices in order to use critical services for their work. Unless you are providing your employees with some sort of reimbursement or have stated in their employment contracts that this is a requirement of the job, this is going to be a problem for many people who are still trying to keep their work and personal lives separate. As a business owner, this ship sailed for me personally a long time ago, but for my employees and yours, what was once a tacit, unspoken arrangement may now have to be formally addressed. Now that smartphones are essentially the easiest way for us to implement multifactor authentication, and everything will soon require it, that personal cell phone has ceded more territory than any of us could have predicted, and employers may need to get in front of this issue before it becomes an employee grievance.
Image courtesy of blackzheep at FreeDigitalPhotos.net
Back in 2018, a website called MyHeritage was hacked, and even though “only” usernames and passwords of its 92 million customers were stolen at the time, we considered the nightmare scenario of DNA information on 92 million people being stolen. Five years later, that nightmare has been (sorta) realized as DNA testing firm 23andMe confirmed that hackers have breached and exposed an undisclosed number of customer records that includes broad genetic data, phenotypes, health information, photos and other personal identification data.
What this means for you
While 23andMe’s own statement is fairly vague and details are “pending investigation”, the hackers who have put the data up for sale on the dark web claim to have 13 million records, and also accuse the company management of hiding the breach and capitalizing on the timing of the announcement to sell company stock ahead of an anticipated market blowback in response to the Oct 6 announcement of the breach. As of now, the company has not responded to these accusations and so far, the hackers’ claims haven’t been verified. Clearly, if you have used 23andMe any time before Oct 6, you may want to pay close attention to their ongoing efforts. On top of this dystopic news, it also appears that the hackers are packaging the data for sale based around ethnic groups, such as a 1M record set of Ashkenazi Jews and another database of 300k Chinese users. As part of the dark web marketing hype pimping the sale, the hackers claim that the datasets include celebrities, business magnates and “dynasties often whispered about in conspiracy theories,” whatever that’s supposed to mean.
More importantly, it seems that the hackers managed to amass this data through an attack known as credential stuffing whereby they used “recycled passwords” that were compromised in other breaches, and – surprise, surprise! – they also worked on 23andMe. You know what I’m driving at: people re-used passwords, and since most websites now use email addresses as the login, recycled passwords led to yet another data breach, and this time it has exposed what might be considered the most sensitive of data.
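A detection sketch for the credential-stuffing pattern described above, added here as an example and not taken from 23andMe or any vendor's product. The event fields, thresholds, IP addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:  # hypothetical log record shape
    ts: datetime
    src_ip: str
    username: str
    success: bool


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5,
                     max_tries_per_account=2.0, min_failure_ratio=0.8,
                     min_brute_tries=10):
    """Return {src_ip: verdict} for sources that look like automated guessing.

    credential_stuffing: many distinct accounts, one or two tries each.
    brute_force: few accounts, many tries each.
    Sources matching neither pattern are omitted.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it only holds events within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e.username for e in chunk}
            failures = sum(not e.success for e in chunk)
            if failures / len(chunk) < min_failure_ratio:
                continue  # mostly successful logins: normal traffic
            if (len(accounts) >= min_accounts
                    and len(chunk) / len(accounts) <= max_tries_per_account):
                verdicts[ip] = "credential_stuffing"
                break
            if len(accounts) < min_accounts and len(chunk) >= min_brute_tries:
                verdicts.setdefault(ip, "brute_force")
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts where a flagged stuffing source logged in: the reused passwords."""
    return sorted({e.username for e in events if e.success
                   and verdicts.get(e.src_ip) == "credential_stuffing"})


def sample_events():
    """Constructed sample data (documentation IP ranges, invented usernames)."""
    t0 = datetime(2023, 10, 1, 12, 0, 0)
    events = []
    # One source walking a leaked list: 8 accounts, one try each, one hit.
    leaked = ["alice", "bob", "carol", "dave", "erin", "dana", "frank", "grace"]
    for i, user in enumerate(leaked):
        events.append(LoginEvent(t0 + timedelta(seconds=30 * i),
                                 "203.0.113.7", user, user == "dana"))
    # One source hammering a single account.
    for i in range(12):
        events.append(LoginEvent(t0 + timedelta(seconds=10 * i),
                                 "198.51.100.20", "admin", False))
    # Office NAT: several users, nearly all successful, one typo.
    staff = ["heidi", "ivan", "judy", "mallory", "niaj", "olivia"]
    for i, user in enumerate(staff):
        events.append(LoginEvent(t0 + timedelta(minutes=i),
                                 "192.0.2.50", user, user != "judy"))
    return events
```

The successful login from the flagged source is the important output: that account's password is known to an outsider and needs a forced reset, which is the case multi-factor authentication would have blunted.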
Lately it seems like good news is few and far between, so I’m pleased to be able to share this small glimmer of hope with you. The FCC has finally sworn in a fifth commissioner to break the deadlocked committee split 2-2 along party lines that has prevented the FCC from doing practically anything since Biden took office in 2021. Shortly after the fifth commissioner was confirmed, the FCC chair announced their plans to reinstate Net Neutrality, something we have written about here numerous times before.
What this means for you
The previously Republican-tilted FCC under the previous president’s leadership was perhaps best known for repealing the Net Neutrality rules adopted in 2015 which were established to frame internet and mobile bandwidth as a utility, giving the FCC regulatory oversight to ensure fairness and availability of what is inarguably an essential service for everyone. This decision was widely viewed as favoring corporations over people, resulting in numerous and sometimes grotesque exercises in being “off the leash” including an incident where Verizon throttled the Santa Clara Fire Department’s bandwidth during the worst fire emergency in California’s history, and then proceeded to upsell them on a better data plan instead of behaving like normal human beings. Normally disputes like this would have been settled quickly by the FCC, but without a fifth commissioner to break what was likely to be a partisan tie, the industry was left to self-regulate, which led to a lot of, “We investigated ourselves and found ourselves not guilty.” Before you get out the champagne, these plans are a long way from being implemented, but now with a Democrat as the tiebreaker, there may be opportunities for consumer interests to be valued ahead of corporations in a critical regulatory agency, if only for a little while.
Image courtesy of dream designs at FreeDigitalPhotos.net
If there is one thing that the Internet excels at, it is putting any information – old and new – literally at your fingertips. Conversely, one of the things it does a terrible job at is qualifying that information, to the point where it becomes increasingly difficult to weed out the good from the bad. If you use technology as part of your work, you must continue to fight valiantly to stay internet and tech savvy just to keep yourself safe, and unfortunately for you, technology security is evolving so quickly even us experts are struggling to keep everyone as savvy as they need to be in 2023. I could bore you to tears with the constant cavalcade of new technology pouring into business these days, but my job is to point out what’s important, and right now, security continues to be priority one.
You should know these new terms. Study like there will be a test on Friday!
Endpoint Detection & Response (EDR) is what the security industry is calling the next generation (really, this generation) malware protection you might have known as “antivirus” back in the late 2000’s and 2010’s. Today’s cyberthreats bear very little resemblance to the viruses we feared in the previous decades, and as such EDR platforms are built to not only detect known viruses, but also monitor suspicious behaviors and information patterns using constantly updated algorithms to spot possibly undocumented but malicious activity. Where the previous generation antivirus may have scanned your computer once a day and quarantined the files it could identify, EDR platforms are built to monitor all activity constantly and act immediately, up to locking down the affected PC and sending out warning flags to security personnel.
Zero-Trust Networking is a relatively new security concept that upends the traditional concept of assuming the devices on your office network should be, by default, allowed access to that network because those computers are “inside the firewall.” Zero trust security basically states that all devices must constantly prove they are safe and legitimate before they are granted access to any protected information or services. The moment they aren’t able to do so (perhaps because of a malware infection or installation of unauthorized software or failed password attempts) zero-trust systems may restrict access to various systems or applications, the internet, or even access to the device itself.
Security Information and Event Management (SIEM) is a security service that insurance companies are increasingly looking for when underwriting clients. Though the name seems to imply otherwise, this is not about throwing a party for security, but instead this is a platform that gathers the large amount of data that your various technologies and services generate as you and your organization use them, aggregates that data into a massive, searchable database that is then scanned by even more algorithms and humans to spot unusual events, security breaches and other items of interest before they have time to turn into front-page news and business-destroying events.
Image by Free stock photos from www.rupixen.com from Pixabay
Part of an occasional series of articles that discuss what I call “The Elephant on the Internet.”
One of the things that is becoming readily apparent with the younger generations is a growing disaffection with established religions. According to a study in 2022 performed by the Survey Center on American Life, religious affiliation has been steadily declining in America for the past 30 years, which is generally around the same time access to the Internet became reliably and affordably available to the masses. Obviously, that’s not the only thing that has risen in prominence since the 1990’s, but you’d be hard pressed to name something else that might even get close to matching the importance of organized religion, and clearly, for each successive generation, it’s overshadowing last century’s opiate without breaking a sweat.
Get to the point, Woo!
Unfortunately for this quotation and the idea it represents, its original author is not viewed fondly by Americans, who, more so than perhaps the previous 60 years, are again struggling through an identity crisis that has been fueled and stoked by religious extremism and class conflict, core elements of our fabled enemy of the Cold War: Marxism. Before the Internet, TV was the stand-in for Religion, but the concept remains as applicable regardless of the actual opiate: people will always seek something to distract them from the struggles of life, various injustices and the seeming indifference of the cosmos towards our personal trials. In case you didn’t notice, Television has essentially been assimilated by the Internet, and our local church is one of many that I know that are adopting Internet platforms like streaming and social media in a bid to fill its pews and remain relevant with generations that are already firmly hooked on the Internet.
Here’s the scary part: unlike Television (and maybe more like Religion, pre-Industrial Revolution), the Internet is not only our opiate from an entertainment/distraction standpoint, but it’s also now our daily bread: we have, unwittingly or not, tied everything of modern life to the Internet. Some of us have bound our very livelihood to the Internet and many do not know how to live otherwise. I’m sure the thought of religion disappearing suddenly isn’t as breathtaking as it might have been 100 years ago, or the thought of a world without TV 50 years ago, but could you imagine what would happen if the internet stopped working tomorrow? Every time the internet goes down (which seems to be frequent these days), a small part of me asks, “What if it doesn’t come back?” or worse, “What if it comes back for some and not others?” That latter question is one we might need to answer sooner rather than later. An increasingly shrinking number of companies and individuals control nearly every corner of the Internet while religiously making sure we’re distracted, and I would be hard pressed to identify if any of them have any sort of recognizable ethical governance or compassion.
Image courtesy of TAW4 at FreeDigitalPhotos.net
If you catch me at the end of a frustrating day, I can sometimes be overheard swearing quietly under my breath about certain technology platforms, especially inkjet printers. Make no mistake, I was a huge fan when they first appeared on the scene – being able to print your own, high-quality photos was a dream come true for amateur photographers and graphic designers, of which I was both when HP released their famous “Deskjet” printer in 1998. Twenty-five years later, HP has managed to twist this innovative hardware platform into yet another moneymaking scam with their inescapable ink subscription platform. At least one judge has heard our suffering, made evident after denying the dismissal of a class-action lawsuit brought against HP for falsely advertising all-in-one printers that stop functioning if ink is low or missing, even if the function doesn’t require ink (like scanning or faxing).
What this means for you
Let’s be real. The chances of a mega-corporation being brought to heel by a California judge are fairly slim, but the fact that one of them stood up to the world’s largest printer manufacturer means that there are people still willing to stand up for consumers, keeping that small spark of hope still lit in this cynic’s heart. In case you happen to be one of the 7 people on Earth who haven’t fallen into this trap in the past 10 years or so, most of the major printer manufacturers have turned their inkjet product lines into the razor and blades model of the new millennium wherein the printers are sold cheaply (sometimes at a loss) because the ink cartridges they require are the real money maker. Up until maybe 3-4 years ago, third-party ink sellers leveled the playing field somewhat by providing less expensive (and usually lower quality) consumables for those printers, but once the manufacturers realized how much money they were leaving on the table, they closed that loophole by locking down the printers to require “genuine” ink and toner. While an argument can be made that using non-genuine consumables gives the manufacturer reasonable justification for voiding warranties or declining warranty service, it’s not clear what justifies rendering them completely nonfunctional because one of your ink colors is low or depleted. Except of course, the pure-profit motive that seems to drive every consumer technology company these days.
That’s enough ranting for one day. If you need some lightly NSFW humor to lighten the mood (WARNING: Foul language ahead!), have a read of @System32Comics on Instagram (I know, I know, “social media bad,” but “independent web comic artists GOOD!”), including one of my all-time favorites of theirs which perfectly illustrates the dystopian world in which we now live:
*In case you were wondering where this title came from. Warning NSFW language within!
Image by pavelkovar from Pixabay