One month ago we wrote about a wave of attacks powered by compromised security appliances – mostly Asian-manufactured network video recorders – that disabled popular internet services for several days in late October. Despite the growing awareness of the problem due to this incident, this infected segment of the Internet of Things (IoT) is still active and wreaking havoc on a new front. Security researchers are reporting active attacks on routers used primarily by ISP’s Deutsche Telekom (Germany) and Eircom (Ireland) to service their internet customers. The attacks, powered by a new variant of the Mirai malware that was behind the previous IoT attacks in October, exploit a recently discovered weakness in Zyxel and Speedport routers, and a remote management protocol known as TR-069 which ISP’s traditionally use to manage equipment distributed to their customers. According to Deutsche Telekom, nearly one million of their customers may be affected by this exploit, and security researchers have cause to believe that over 40 million devices on the internet may be vulnerable to exploits of TR-069.
What this means for you:
Data is still being gathered on how widespread this problem may be, so it’s not immediately clear if anyone here in the States is directly impacted by this particular exploit. I can guarantee that if we aren’t affected by this one, there are probably several others we haven’t yet discovered. One of the great conundrums tech service providers (like C2) face is that we must rely on the internet to provide support to our clients, and in doing so have to make devices like routers “visible” on the internet, which in turn opens them to attack. As is typically the advice in the face of unknown threats, preparation is your best defense: change default passwords to strong, unique ones. Shield critical devices from the internet where possible through isolation, control and firewalls, and most importantly, understand and document what devices in your organization have contact with the internet so that when an attack does surface, we can quickly root out the source and hopefully prevent further damage. We are to the point now that a malware infection is a certainty in almost any environment, and the difference comes from how well prepared you are to recover from it.
Black Friday and Cyber Monday are upon us, and I know at least half-a-dozen people that are planning to go technology shopping. Many of you are like me and are wise to retailer shenanigans leveraging seasonal enthusiasm and internet hype to separate us from our hard-earned cash, but there are deals to be had if you look hard enough and are willing to battle the crush of humanity at the brick and mortars instead of just doing your shopping online like any sane human being. If you are one of the hardy Black Friday shoppers physically participating in one of America’s finest traditions (definitely sarcasm that time), please don’t let the shopping bug blind you to shady retailers taking advantage of your holiday spirit. In Office Depot’s case, they didn’t even have Black Friday chicanery as an excuse to sell completely unnecessary malware cleanup services on computers that were brand-new in the box.
Someone’s heart was clearly “two sizes too small”
Let’s be clear: big-box retailers sell technology at costs that most providers like C2 can’t hope to match. Their volume and industry position allow them to cut deals on hardware that sometimes seem impossible, and here’s a dirty little secret: those invisible margins are in fact not so thin due to bundled software deals and, in some cases, extended 3rd party warranties. Software manufacturers like McAfee, Symantec, and even Microsoft and Adobe will pay computer manufacturers to ship their software pre-installed on your brand-new computer. Sometimes it’s a convenience – who wants to go shopping for anti-virus software after fighting the crowds for your shiny new computer? But not always, as is the case of the above scam. Office Depot seems to have benefited on both sides of the market by selling computers pre-installed with a questionable anti-malware app called “PC Health Check”. This slick piece of work (more sarcasm!) was finding malware on brand-new computers, prompting concerned buyers to go back to Office Depot where they were sold unneeded “cleanup services” often to the tune of several hundred more dollars.
Are dwindling big-box margins to blame for driving adoption of these scummy sales practices? Probably, but it’s a flimsy excuse to take advantage of your customers. If anything, you are driving them online and to companies like C2 who are more interested in partnering with customers instead of merely profiting from them. As always, caveat emptor. If it seems like a deal too good to be true, it just might not be a good deal after all.
Last week’s election has the media and media watchers doing quite a bit of navel-gazing, especially the ones that predicted a wildly different outcome. Among the companies identified as a major agent of influence is Facebook, and not for respectable reasons; the social media platform has been plagued with fake news stories that spread virally throughout its millions and millions of users, most of whom accept the fabrications and hoaxes as if they were vetted and sourced by actual news organizations. Arguments have been made that these same stories might have had a measurable influence on the November elections.
As has been mentioned before, the Internet is the great equalizer when it comes to “presence”. It allows small companies to appear big while allowing big companies to target niche audiences. With a bit of savvy and determination individuals can create a presence that, at first glance, looks established and trusted. And therein lies the rub: as a rule, the public will only give a cursory inspection to the majority of what they find online. Once it passes the “sniff test”, trust is granted and that presence is essentially on equal footing with everything else. After all, who has the time to find out whether the website or person that published this news story has any credibility or reputation? It’s easier and more comforting for everyone (myself included) to read articles that align with our world views and values. Questioning everything is time consuming and often discouraging, and who has the time for that?
What this means for you:
Obviously I’m generalizing here, and I’m definitely not including my clients who have hopefully been well trained in being vigilant and suspicious of anything they find on the internet. I know you don’t come here to be scolded, but instead to learn about technology. Here’s the start of a thing that may help sort out the truth from the lies on one part of the Internet: a group of college students have written a Chrome plug-in that will use the internet to determine whether a story that appears on Facebook is actual verified news or maybe something a bit (or a lot) less. Don’t get too excited – as you might have imagined, the majority of the world doesn’t actually consume Facebook via desktop Chrome. It’s a mobile world at the moment. Hopefully we will see other tools like this appear for mobile apps, or even Facebook itself take on some responsibility as widely read media outlet. The truth is out there – but you still have to work a little harder to see it.
Unfortunately, stories of ransomware holding companies hostage are becoming so commonplace that reporting on them is almost not worth it anymore. The public is building up the same type of awareness fatigue everyone experienced last year with the numerous data breaches occurring in our most well-known companies and platforms. The latest victim is the county of Madison, Indiana which actually had to shut down all non-emergency operations due to a ransomware infection, shuttering courts and county offices, and sending government employees home. Sadly, it appears they did not have backups of what was encrypted, as they are paying the ransom at the behest of their insurance carrier.
What this means for you:
While Madison County’s lack of data backups is reprehensible (if not somewhat predictable when it comes to government IT budgets), the fact that someone in charge was savvy enough to insure county operations with a policy that would actually pay the ransom (less the deductible, of course) is the relevant lesson. Lest you take the wrong message from this, taking out a cyber insurance policy in place of having proper backups and security is being penny wise and pound foolish. The likelihood of an insurance policy getting you out of a technology disaster pales in comparison to the reliability of a solid backup system and managed security. Your best strategy is to have both insurance and a solid technology infrastructure. The insurance is best used to cover the costs of recovery, which may include cleanup, data restoration, client and customer notifications, and possible breach violation fines.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
More than 30 years ago James Cameron’s Terminator showed us a future wherein unstoppable machines have taken over the world with ruthless efficiency. While they haven’t quite managed the terrifying robotic menace of Schwarzeneggar’s titular character, the machines managed to rise up and ruin the the internet for several days last week. Regardless of how you use the internet, you were more than likely affected by the massive outage caused by a distributed denial of service (DDOS) attack on domain name service (DNS) provider Dyn, which in turn disrupted access to numerous worldwide internet services like Twitter, Spotify and Sony’s video gaming service, as well as impacting thousands of other businesses who rely on Dyn’s infrastructure. Up until most recently, attacks like these were perpetrated by swarms of malware-controlled computers known as botnets. This time around, the massive DDOS attack was led by a vast swarm of internet-enabled security devices, mostly webcams, DVR’s and NVR’s. These devices are part of the growing “internet of things” (IoT) and the scale of the attack enabled by only a fraction of the IoT has many in the industry (including yours truly) very concerned.
What this means for you:
The rise of cheap, easy-to-install webcams and NVR’s have led to their proliferation throughout the business and residential world. The malware used in Friday’s attack was designed to target flawed firmware from a Chinese manufacturer that is used widely in this class of device – so widely that the firm has actually issued a recall of some devices sold in the US, wherein the majority of the attacks were focused. It’s unclear how many undiscovered or undisclosed devices are also impacted by this particular malware variant, or how many other dormant weaknesses lie in wait, either already discovered and held close, or just waiting for that next inquisitive hacker to discover and then exploit. Even now, after years of loopholes, exploits and quality control issues discovered in major brands (Galaxy Note 7 is only one recent example), manufacturers continue to race to the bottom in costs, often cutting corners that make their devices insecure and even dangerous. Mass manufacturing and distributed design enables companies to produce and sell tens of thousands of devices around the world, but it could also results in rapid, wide-spread distribution of sleeping terminators, just waiting to rise up against their owners at their master’s command.
Image courtesy of Geerati at FreeDigitalPhotos.net
It’s one of the oldest cons in the book: convincing a mark that they’re sick and then selling them a handy cure for the low, low price of “You just got ripped off.” Despite this sort of scam being perpetrated on the internet for years now, it’s still bamboozling lots of people, according to a recent court case brought by the FTC against a US-based company that has tricked computer users into purchasing millions in fake technical support to “fix” their computers. The scammers find their “marks” via fake pop-ups warning users that their computers are infected or performing poorly and provide a prominent phone number to call to receive tech support from a “certified” Microsoft or Apple partner (of which they are most definitely not). Once the victim calls, they are essentially tricked into believing they actually need support through carefully crafted application of legitimate tools and deceitful interpretation of events and warnings that are commonplace and not necessarily indicative of an actual problem. Once the scammers get your credit card or bank account info and get paid, they will deliver the service in the form of tech support “theatrics” which is more than likely just a script that looks impressive, but doesn’t actually do anything or might even damage your computer further. It’s also highly likely your payment info gets sold on the black market for additional profit.
Spread the word:
Clients of C2 Technology are typically savvy enough to spot this con a mile away, or at a minimum, have developed a healthy sense of skepticism to pick up the phone and call for a second opinion from someone they know and trust. It may not occur to you that, as a tech-savvy professional, you might actually be that trusted advisor for your family, friends and colleagues. Even if you don’t feel like a tech expert, you know enough to warn the people around you about these sort of scams, and you definitely know an expert who is always willing to take their call. At minimum, you should foster a healthy skepticism in the more naive or gullible loved ones, especially the ones that always seem to fall for the most obvious scams. This isn’t just for their benefit, it serves you as well. The more people around you who stay safe, the less likely you are to get infected. Thanksgiving dinners are a lot more enjoyable when you don’t have an family-spread malware infection on the table.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Just under a month ago, Samsung announced that it was recalling/replacing all Galaxy Note 7 phablets shipped prior to early September due to exploding batteries. Roughly two weeks later, news broke that Yahoo more than likely allowed US government agencies full access to the entire breadth of all email accounts hosted by Yahoo, while the fading tech giant was still reeling from a reported data breach and the pending sale to Verizon. Unfortunately both companies are back in the news this week and not for good reason. Samsung’s replacement Note 7s with the less explodey battery, has – you guessed it – started exploding again, even putting a customer in the hospital. This incident and at least 2 other reports of flaming phones has prompted Samsung to halt production on the Note 7, and all major US carriers will no longer sell the device. Yahoo’s troubles continue as well: the now infamous email service has suspiciously dropped the forwarding function from its service, making it more difficult for people to move to another provider. When you combine this mysterious change with the lawsuit against Yahoo’s CEO Marissa Meyer, Yahoo is looking less like a technology leader and more like a troubled company struggling to survive.
What this means for you:
Companies of this size typically have resources enough to pick themselves up and shake off these types of events. Heck, breaches are so commonplace now that most of the time consumers just shrug and carry on. Despite various widespread problems with iPhones (Antenna-gate, Bend-gate, Touch Rot) Apple still manages to sell lots of units every year. While Samsung will undoubtedly take a huge reputation hit in the mobile market, the Korean megacorp itself is so broad that it’s hard to image the Note 7 sinking the entire company. If anything the repeat failure just highlights the complex manufacturing chain that goes into producing our smartphones and will perhaps push Samsung and its competitors to look for safer, better battery solutions.
Yahoo is looking a lot less resilient than Samsung: it doesn’t have the broad product base to fall back on, and one might argue that its most valuable asset – the millions of people who still use Yahoo Mail – is in jeopardy at a time when the company can least afford it. Whether the disappearance of mail forwarding was ill-timed or carefully calculated, the long-term optics look worse than a smoking phablet. Last week’s news of Yahoo’s compromising relationship with US intelligence agencies should have been enough to encourage you to retire your Yahoo account, and their current strategy is not the Hail-Mary play they need to stay in the game.
The good ship Yahoo is still battling troubled waters on its journey to the safe harbor of a Verizon purchase. Reuters has just released a massive bombshell that may blockade if not outright scuttle the $4.8bln deal: two former employees of the beleagured media company have alleged that Yahoo complied with a classified directive from a government agency to directly surveil the millions of email accounts hosted by Yahoo in 2015. According to the Reuter sources, the decision to open Yahoo Mail’s kimono was made behind closed doors, excluding Yahoo’s then Chief Information Security Officer, who apparently resigned because of this incident.
Whiskey Tango Foxtrot, Yahoo?
Normally, I don’t urge folks to get out the pitchforks and torches, but on reading this I actually used language not normally heard in polite company. Thus far the government agencies named are declining comment. If the allegation proves accurate, I’d say Yahoo customers had their Fourth Amendment rights violated and thoroughly trod upon any trust they might have had left with their still substantial customer base. Coupled with the recent massive breach they experienced in 2014 and the debacle that was their conversion to a new email platform in 2013, it’s no wonder Yahoo has gone from an Internet powerhouse to second-tier media company up for sale. If you are still using Yahoo as a primary email provider for work, you should stop doing so immediately, not only for security issues that they can’t seem to get ahead of, but now for serious breaches of privacy and trust.
It’s every business owner’s worst nightmare: dissatisfied customer takes to the internet and writes a scathing review on Yelp, possibly hurting new business or scaring away potential clients or even investors and vendors. Worse yet, the review itself may be fabricated, and unless the bad review breaks Yelp’s posting rules, there is typically very little the business owner can do except to respond to the reviewer in the same forum. This may change now that a recent court case has found its way to the California Supreme Court. Prior to the appeal that landed it in the upper court’s docket, two lower judges ruled in favor of the plaintiff who successfully sued to have a bad review removed from Yelp as defamatory.
What this means for you:
Before you hit the “Release the Lawyers!” speed dial on your phone it may be worth waiting to see what the Supreme Court has to say on this. I have spoken with many folks who are sympathetic or even empathetic to the plaintiff’s side in this case. They feel helpless to counter what they see as spiteful and vengeful reviews on Yelp and other review sites, especially when there seems no recourse to address the customer or have dishonest or misleading posts removed or even reviewed for accuraccy. As you can imagine, Yelp and several other Internet companies are watching this very closely. According to them, it could lead to a very chilling effect on crowd-sourced reviews, and if the hyperbole is to be believed, could even impact free speech. At minimum, we can hope it will lead to innovation, new thinking or a cultural shift that will add accountability to the type of free speech that the internet enables, and possibly even diminish the size of the “soap box” it grants to the more radical or dangerous fringes of the internet.
It’s taken many years, but it would seem that the US business world has finally agreed that throwing old technology straight into the trash is unsafe and bad for the environment. To capitalize on this, an entire cottage industry of electronic waste (e-waste) recycling companies have sprung up over the years as our rate of technology consumption increases. Unfortunately, though they may promise it in their marketing, an investigative study has found that as much as 40% of e-waste processed through these companies is actually illegally and improperly disposed of through shady overseas outfits that buy the e-waste for pennies on the pound, scavenge what precious metals they can, and then dump the rest in toxic landfills. Contrary to popular belief, e-waste recycling is costly to do properly, and not profitable at this current time.
What this means for you:
While you should still feel good for not just throwing your e-waste into the trash, you may want to scrutinize the vendors or organizers of any e-waste events that you use, especially if they promise “secure disposal” of items that may contain data, like old hard drives or mobile devices. If the vendor in question isn’t handling the actual recycling of the materials it collects, it’s possible they are reselling the e-waste to cover their costs (maybe even make a small profit) to another firm that is definitely not “green” in any sense other than profiteering.
There are two types of e-waste certifications recognized by the EPA – “R2” and “eStewards” – both of which are administered by nongovernmental organizations, and despite the certification and oversight, both seem to have bad apples, though eSteward companies are held to stricter standards and appear to cheat less than their R2 or non-certified counterparts. While you can’t be expected to control or direct the morality of these companies or the certification process, your scrutiny and attention to this issue will hopefully lead to less hazardous waste being improperly disposed of in overseas landfills.










