As if the mad rush to “web-ify” everything wasn’t bad enough, McAfee’s security blog now brings us a new, shining moment in Internet history: it is now possible to visit an easy-to-use website to host your own ransomware campaign for the low, low price of free. A group of cybercriminals have put together a service that will provide you with the malware that locks up your victim’s files, as well as the means to collect the ransom via bitcoin through their consolidated platform. The service even includes a dashboard that summarizes your criminal activity: number of computers infected, number of people who paid the ransom, and how much you’ve made so far. It all sounds like something the Onion.com would dream up, but sadly, it’s real. Would-be cyber-extortionists have to pay 20% of their take to the service owners, which could amount to some serious cash. Over the course of the past few years, experts estimated that tens of millions have been made on previous ransomware campaigns. Like any good money-making model, these enterprising individuals hope to amass a fortune on the backs of aspiring cybercriminals.
What this means for you:
As I’ve said in previous blogs, cybercrime is big business now. Though McAfee’s bright light of publicity may help shut down this particular iteration of mass-market ransomware services, you can bet dozens more will follow suit, if they aren’t already up, running, and better hidden. The internet has the ability to magnify anyone’s capabilities by an incredible degree, even more so when someone with savvy and no scruples turns their sights onto the vast, largely naive internet populace. The pitch for this particular service is that “anyone” can set up their own ransomware campaign, and you can bet they’ll do a booming business until the good guys shut them down. On a more reassuring note, this particular platform only provides the means to start and run a ransomware campaign. It would still be up to the would-be extortionists to actually target and distribute the malware to their victims, a task which is surprisingly hard to do in a way that won’t get you caught. However, is it so hard to imagine someone else setting up shop right next door to the ransomware folks, where, for a “small percentage of the take” they would provide those targets? Imagine if these enterprising criminals decided to form pyramid schemes on top of these “business models”. I imagine once attaining that level of vicious cannibalism, the whole thing might collapsed in on itself under the weight of sheer backstabbing and profiteering, but in the meantime, we might drown in a crushing wave of malware. Sadly, there’s no magic bullet, but there are three things you can do to better protect yourself against the coming storm: a good firewall on your perimeter, solid anti-malware on your computer, and an up-to-date offsite backup of your data. Those things plus constant vigilance (and a little paranoia!) will go a long way towards staying safer in these more dangerous times.
A little over two years ago, I wrote about a hacker who was able to demonstrate hacking and takeover of an airplane’s flight control system, and suggested that it may be awhile before someone was able to execute this same type of hack “in the wild.” Unfortunately for everyone, it’s happened sooner than we might hope: notorious hacker Chris Roberts of One World Labs has claimed that he managed to penetrate an airplane’s flight control system while it was in flight and was able to temporarily alter the plane’s trajectory by overriding controls on a wing engine, forcing the plane to fly sideways for an short period. After joking via Twitter about his hacking activities on an April flight, Roberts was detained by the FBI and his equipment seized. According to affadavits published of the FBI interviews with Roberts, it appears as if the FBI believes Roberts is in fact capable of hacking planes while in flight.
What this means for you:
I’m actually quite surprised this hasn’t happened sooner, and with much more horrifying results. On the scale of expertise on technology security, I consider myself to be only moderately well-trained and informed, but it doesn’t take a expert to comprehend why this is going to be an increasingly dangerous problem. Because all security systems are essentially designed by humans, they will inherently be flawed. Hackers count on this weakness and are able to exploit it over and over again. In the case of the above alleged hacking incidents (yes, there was more than one), Roberts exploited a hardware weakness – he was able to physically connect his equipment to the plane by cracking the inflight entertainment box under his seat – and a software weakness – he used default passwords to circumvent the security of the plane’s control systems. In both cases he would have been foiled if the people who designed and implemented the systems had taken more care in their work. According to Roberts, his actions are meant to goad the industry into taking security more seriously, and maybe now that the FBI seems be backing his claims, something might get done.
Overall, security is an uphill battle, and requires more energy, money and expertise than most companies can field at any given time. Like insurance, many folks have a hard time spending money to secure against something that might happen. In this case, like the other inevitabilities we insure against, accepting the fact that you will be hacked (even if you already have been) at some point in the near future, will help you frame your investments in security in a more realistic and practical perspective, and doing something proactive will often put you ahead of your competition. Embattled industries like airlines should definitely keep this in mind.
For those of us that spend a good part of the day stuck in SoCal traffic, Google’s self-driving car offers a tiny glimpse of future salvation. We’re a long way off from streets filled with autonomous autos, but Google’s cars have driven 1.7 million miles so far, have only been in 11 accidents, and apparently humans were at fault in all cases. This really shouldn’t come as a surprise to anyone with any measure of self-awareness and experience with today’s technology. After all, technology provides us with a means to amplify our own innate abilities and allows us to achieve objectives that might be beyond our unassisted reach. It also grants us the ability to fail faster and sometimes in a spectacular way.
What this means for you:
My newer clients are frequently surprised to hear me say, “Sometimes, less technology is better.” It sounds like a butcher preaching a vegan life-style to his customers. The main reason I say this is not because I’m a Luddite (far from it!) but that I often come across instances where someone has become temporarily blinded by what I call the “Shiny Factor” and has adopted or implemented a technology that complicates rather than simplifies their original intent.
A prime example of this are clients that purchase software or even new computers to deal with an increasing volume of email, when the simpler (but not necessarily easier) solution would be to reduce the volume of email. Purchasing expensive firewalls won’t prevent infections caused by poorly-trained employees. Faster, more powerful computers won’t fix broken process automation or buggy software, nor will a faster internet connection necessarily result in more productive workers. It’s a dangerous, slippery slope, and can become self-perpetuating spiral of expense, frustration and complexity. As the old adage goes, the cure may end up being worse than the disease.
Are we doomed? Only if we continue to ignore that technology is created to serve us, and not the other way around. Technology is not meant to replace humans, but to amplify us. It’s up to us to make sure that the good is amplified and the bad minimized wherever possible, and sometimes to solve problems or get work done the old fashioned way – with a little elbow grease, human ingenuity, and common sense.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Over the past 2 years, I’ve seen the rate of malware attacks climbing at an accelerated rate. This is due largely in part to the evolution of malware as a lucrative crime combined with sophisticated, easy-to-use platforms that are designed for and marketed to non-technical users. Previously, successful viruses and their code were jealously guarded and the purview of an elite “cadre” of hackers who would advertise their creations as badges of honor. Now these same cadre of malware programmers are racing to bring product to a highly competitive market. Malware is a business, and business is good.
What this means for you:
It’s not just an assumption that you will be targeted by malware. It’s most likely a fact. Malware makes its handlers money by casting the widest net possible, which means everyone is a target, and the attack platform that can prey on the most victims wins. With that in mind, the safest mindset to adopt is that your technology will be or already is under attack, and you must gird yourself for the onslaught. Here are 3 ways to prepare, plus one less-obvious way that may or may not be practical for most organizations:
- Install a good firewall on your network periphery. Though most ISP-provided routers come with some basic firewall functionality, your business or organization should be protected by a professionally managed firewall that can provide what’s known variously as “Unified Threat Management” or “Gateway-based Defense”. In a nutshell, these devices sit on the entry point of your organization’s internet connection and monitor all data going in and out, scanning for malware, hacking attempts, objectionable content and spam. This is your first line of defense, and if maintained properly, can protect you from numerous threats 24/7/365.
- Use effective malware protection on your vulnerable technology. Even assuming you have some sort of protection on your network periphery, there’s still plenty of ways for malware to get inside your network, and once they are “inside the gate”, your computer or server’s only protection from a really bad day is the anti-malware you’ve installed locally. This software should have some form of active protection (always-on scanning, port blocking, etc.) and not something that has to be run in order to detect or cleanup a malware incursion. If malware isn’t detected and handled the moment it approaches your computer, it’s too late.
- Back up your data. Sad as this fact is, no anti-malware is 100% effective. Your machine will get infected and at that point, the only way you don’t lose this battle is if your data is backed up and isolated from infection. This means offsite backups, with at least 7 days of historical versions just in case the backup software unknowingly backed up infected files (which it can and will do if you don’t catch it quickly enough).
- Disconnect from the internet. If the above 3 items are beyond the reach of your organization for either budgetary or technical reasons, this rather drastic alternative is very effective. Even though it may be impractical for most companies, approaching this problem from this perspective may lead to some creative changes in operations and employee behavior. As a simple example: block access to social media sites on work computers, but provide separate, isolated wifi for mobile devices that allows them to scratch that itch on their own devices.
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
Lest you think the tech giant missed having a finger in this particular pie, Google surprised no one by debuting their own wireless carrier service earlier this week. Though the service is invite-only at the moment and only offered on Google’s own Nexus 6, they’ve negotiated a deal with both Sprint and T-Mobile to piggy back on their existing, nation-wide infrastructure to create a coverage area without having to build it. According to Google, the limited launch of this service is more of an experiment as opposed to a direct challenge of reigning champs ATT and Verizon. The major differentiator to their service? A low-cost, pay as you use it, data plan with data tethering, wi-fi calling that can also be used from other mobile devices such as tablets and laptops.
What this means for you:
Unless you have an invite in hand, you can’t jump onto the Google Wireless bandwagon yet, and if Google stays true to the “we’re just testing the waters” mantra, maybe not ever. But if Google can deliver a solid service for a fraction of the price that the big 4 carriers are charging now, it’s going to have repercussions on the entire mobile landscape. As they’ve done with Google Fiber, this particular foray into the bloody wireless markets is an exercise in forcing a change in the status quo where major carriers are squabbling over how to charge consumers more for less service. However, Google surely has an agenda that includes profit (they are publicy held), and you musn’t forget that the largest revenue stream for them is advertising and data mining. The mad scramble for dominance in the mobile data market is about as close as we’ll ever get to seeing a modern gold rush, and you can bet Google has been preparing to stake a claim since before you and I even knew there was “gold in them thar hills!”
Though it may sound enticing to some, “Mobilegeddon” is not the sudden annihilation of all mobile devices. Rather, Google is releasing a new search algorithm that will impact how mobile users find websites. For those of you who aren’t up on your search engine technology, Google uses a complex, closely-guarded formula to calculate its search result rankings for all the websites it indexes. The last major update to the algorithm, entitled “Panda“, was released in 2011, and was designed to reduce the impact of gaming search engine ranking through content manipulation, a specialty of many less-than-honest SEO companies that sprang into existence in the last decade. Panda impacted about 12% of existing websites, most of them content farms designed to leverage popular content and other nefarious SEO methods to get to the top of search results.
What this means for you:
This time around, Google is focusing on providing better results for smartphone users by favoring mobile-friendly websites over those that display poorly on small screens. If you don’t drive business through your website, this may not be a high priority for you, but it may surprise you to know that over half of all internet traffic is from mobile devices, and nearly 40% of search is done on smartphones. Having a website is essentially a must-have for any ongoing business or organization, and if your website makes a poor showing to over half of your visitors, it will have an impact on your brand. How do you know if your website is ready for Mobilegeddon? You can punch in your URL to a website developed by Google to determine whether your website is mobile-friendly. Unlike Google’s last algorithm change, this one should start impacting rankings as soon as 72 hours from launch. Lest you think you are the only one caught out in the cold with this change, there are several internationally recognized brands whose sites do not pass Google’s mobile “sniff test.” One advantage you may have over corporate behemoths: less red tape and meetings will be necessary to make the required changes to your website, also you happen to know someone who can provide strategic advice in this area as well as assist in the website redesign. Give us a call if you need to “mobilize” your website!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
If you are one of the many folks who work for a company that doesn’t have full-time IT staff on hand to keep your technology running smoothly, you might feel like your options for troubleshooting or resolving tech problems are limited. Depending on the severity of the issue, you may be able to rectify many minor/transient issues with some simple practices that we “experts” use on a regular basis. Obviously these techniques won’t work for things like a crashed hard drive, malware infection, or security breach, but they are useful to know, and can save you time and money.
- Reboot – It may sound clichéd, but more often than not, many of my clients forget about rebooting. Even though Windows 7 and 8 are supposedly designed to work without needing frequent reboots, if your computer is acting sluggish or abnormally, try a reboot to see if the problem goes away.
- Check Task Manager – On any Windows machine, XP and up, hitting Ctrl-Alt-Del and checking out the list of running applications in Task Manager may be an eye-opener. From there, you can see your Memory and CPU usage. If a program seems to be hogging one or the other (or both), try closing that application to see if performance returns to expected levels. Recent versions of Google Chrome are notorious for being memory hogs, and will hold at least one process open for each tab you have open on your computer. If something says “Not Responding” it’s possible the app itself has crashed. “End task” on apps that are not responding may return your computer to temporary usability. Save what data you can and reboot. If CPU and/or Memory usage remains high after a reboot and closing all applications, you might have a malware infection. Skip immediately to #5 or call a professional.
- Check your network connection – so many apps rely on the internet that unpredictable things may happen if your network connection is unreliable. Check your physical Ethernet connections, Wi-fi signal strength, bandwidth speed, etc. If something is wonky with your internet, your computer may manifest that problem in unexpected ways. If bandwidth seems unusually slow and you aren’t the only one using it, someone else on the network may be hogging it up, either intentionally (Game of Thrones stream?) or unintentionally due to a malware infection.
- Reboot your router or access point – depending on who’s impacted, and whether you are feeling confident on which thing is the router, AP or switch, cycling the power on your core infrastructure may clear up a lot of strange behavior. That’s right, even your home office has a “core infrastructure”! Just make sure you warn everyone affected (officemates, employees, family, etc.) that you are taking the “reboot mantra” to the next level. Not sure which one is which? Make a call to your ISP help desk or your local, friendly technician at C2 for some guidance.
- Run a malware scan -assuming you are not a managed services client of C2 (we take care of this part for you!), fire up your anti-malware software and run a full scan. Didn’t find anything? Get a second opinion and run Malwarebytes. Want a third opinion? Try herdProtect. Not sure if you have anti-malware software installed? Might be a good time to call us for a checkup.
Many garden-variety Windows issues can usually be nipped in the bud with the above 5 practices. Practicing safe-computing will keep you out of harm’s way for everything else. As always, avoid attachments, don’t click strange links or popups and practice constant vigilance to keep your data safe!
Several clients learned some hard lessons this week. First and foremost, no one is immune from malware, no matter how much money and time is invested in security. If you still don’t believe this, you might be surprised to know that the White House was hacked recently. Granted, I made fun of government-run websites and their pitiful security, but one has to imagine that the Secret Service takes POTUS security very seriously, and yet Russian hackers seemed to be able to access sensitive information by fooling someone through a phishing email. Yes, email. That indispensable tool that we can’t live with and can’t live without. While we are frequently the agents of our own demise (surely this email from this overseas lawyer about a long lost inheritance is real this time), we can also be the agents of our own salvation as well.
Let me testify!
Above all, stop opening attachments sent via email, and likewise, look for ways to stop sending attachments via email. There are tons of secure file sharing options out there (keep in mind we don’t consider the free Dropbox among them…yet), but as long as the business world continues to rely on attachments to get things done, cyber criminals will exploit your willingness to open things sent to you via email. Resist the urge to open attachments even if you recognize the sender, and verify via phone if they indeed sent the attachment. Here’s an important clue: financial institutions, law enforcement, government agencies and just about any large consumer-serving company will not send you an attachment in order to get you do something or notify you of important information. FedEx nor UPS do not send you delivery confirmations as attachments. Neither your bank or credit card company will send you an attachment asking you to open them. If you receive what you believe to be a legitimate attachment from a company with which you do business, call them to verify they sent you that file. Ninety-nine times out of one hundred, they did not send that file. I guarantee that you will receive emails that look and read 100% legitimate, but will in fact be clever attempts to trick you into nasty malware infection. Even the best anti-malware software won’t be 100% effective all the time. The criminals who send you attachments anticipate you have some form of protection installed, and their payloads are designed to turn that “foot in the door” into a full-scale home invasion, anti-malware or no.
The best management coaches say to always pair a “stop doing this” with a “start doing this”. Are you backing up your data? If not, you need to start, right now. If you are, have you checked your backups lately? Tried restoring a file? Are your backups stored offsite? One of the clients mentioned above was thoroughly decimated by the infamous cryptolocker malware. Not only did it take out a principle workstation and all data, it also kidnapped their server data and mangled their backups, primarily because they were onsite and not designed to go back more than a week before being overwritten. Cryptolocker is infamous for hiding out for days before making its presence known, precisely to destroy local backups in this fashion. If you are using proper offsite backups, either through rotating media offsite manually or by using a cloud-based platform, this form of infection is annoying but survivable. Do yourself a favor and review your backup strategies immediately!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
On April 24, Apple’s latest gadget will be available for sale. Their smartwatch will put the hurt on your wallet to the tune of at least $349, and if you happen to be made of money, you can buy the solid gold version for a cool $10,000. While the Apple faithful have already set aside their regular tithe to their silvery master, many, many more have yet to see a need to invest in this bit of technology. Believe it or not, smartwatches have existed in some form for decades but essentially have languished in relative obscurity until 2013, when most major consumer electronics companies began to openly develop and market wearable technology. Even still, most Americans scorned the earliest progenitors of today’s smartwatch, primarily because of clunky design and poor integration with existing phones. But can Apple turn nerd fashion into the new hotness? If anyone can, Apple can, but they still have some hurdles to clear.
Before you buy one, ask yourself a hard question: Do you need one, or do you want one?
Make no mistake, even the $10k Apple watch is no Rolex. In terms of long-lasting value, it may not even measure up to a more humble Seiko or Timex. Whereas a decent quality “regular ole watch” will continue to function for decades or more, your smartwatch is likely to be much less useful in less than 2-3 years, and might actually be end of life in five, much like today’s smartphones. And let’s “face” it, smartwatches are huge on the average wrist, and if you have delicate bone structure, your wrist is going to look like this millennium’s Flavor Flav. For most folks, this is a fashion don’t, Apple shiny or no.
For reasons why you might “need” a smartwatch, consider how you use your smartphone. For the on the go professional, especially those that keep their smartphone in a bag or deep pocket, being able to see who’s calling or texting without having to dig for your phone could be very useful. For someone like me who frequently has both hands tied up with handfuls of computer guts (figuratively and sometimes literally), being able to quickly glance at my wrist is infinitely more convenient than stopping what I’m doing to fetch my phone. For the physically active among us, Apple’s fitness tracking capabilities have some promise, especially if it means eliminating a less versatile device from our daily carry. To top it off, the promise of Siri literally being your right hand (or left) may be sufficient to cement this deal.
If the promises of this last paragraph overshadow the drawbacks of the preceding one, you may be able to graduate your “want” to “need” with minimal guilt. Don’t kid yourself – you are doubling your technology gadget tax by investing in this latest trend. At best, you may be able to alternate upgrading your smartphone and smartwatch each year, but until they can figure out how to cram everything we’ve come to love about our smartphones into an elegant watch or snazzy (and surreptitious) sunglasses, you’ll need both to take your geek chic to the next level. And here’s the real gotcha of nerd high-fashion: last year’s models are soooo passé.










