First the country’s largest bank has a huge data breach, and now the nation’s largest bond insurer admits that it inadvertently exposed sensitive customer information through its website. As an example of the old maxim, “Man has no greater enemy than himself,” MBIA, Inc. allowed unfettered access to a subset of very sensitive customer information (think: customer names, account and routing numbers, balances and dividend amounts) via a poorly configured webserver that opened up this data to the general internet. Access was so unrestricted as to allow search engines to index up to 230 pages of information that also included administrative login credentials that could lead to much more significant security breaches throughout the MBIA infrastructure.
What this means for you:
Today’s technology is a resounding testament to how innovative humans are, but equally apt to demonstrate just how fallible we can be. In the digital world, a simple mistake can lead to millions being compromised in life-affecting ways. Most of you aren’t responsible for millions of customers or their data, but imagine if you had to contact your hundreds or thousands of customers with the bad news that “due to a configuration error” their data was leaked to the internet, and probably in the hands of cybercriminals. Whether it is thousands or millions, it would still be a nightmare, especially if your business isn’t big enough to be able to count on the data breach fatigue that has allowed Target, Home Depot and JP Morgan to sail past titanic failures in security. In the end, your security boils down to one thing: humans, not machines. Knowing this, you should always hope for the best (we will get better at this) and plan for the worst: we’re going to make a lot of mistakes along the way!
America’s biggest bank JP Morgan Chase announced last week that it was the latest victim of a major security breach. According to their regulatory filing, data from nearly 80 million customers was exposed in a successful hacking attempt earlier this year. Though the bank was quick to emphasize that our money and most sensitive bits of info such as dates of birth, social security, passwords and IDs weren’t stolen, names, addresses, emails and phone numbers were – all which could be used to facilitate an identity theft, but which aren’t considered protected or sensitive in most cases. While it’s troubling that the country’s number one bank got hacked, what’s even more worrying is that the media, the public, and even Wall Street seemed to shrug it off and carry on.
What this means for you:
Americans seem to be developing what some analysts are dubbing data breach fatigue: everytime we look up, yet another high-profile company or livelihood staple has been hacked. The list reads like a modern family’s honey-do list: Target, Home Depot, Neiman Marcus, EBay, UPS, Apple, Nintendo, Sony, Albertsons, SuperValu, CHS, etc. There have been nearly 600 data breaches reported this year, up 27% over last year, and we aren’t even done with 2014. Fortunately, only a small percentage of the total population have been negatively impacted in a signficant way, though most of us have probably had one or more credit cards get canceled and replaced for fraudulent activity. What this is leading to is the general perception that these data breaches are “bad” only in a vaguely annoying way, and there is not much that an average person can do to protect themselves, “Heck, if JP Morgan can’t figure out how to keep the hackers at bay, how can I ever stand a chance?”
While it’s true you can’t stop JP Morgan from getting hacked, you can make it harder for cybercriminals to hack you: don’t give in to the fatigue – make them fight for every bit they try to steal from you. Change your passwords regularly, and use unique passwords for your important accounts. Keep a close eye on your credit card statements and your credit history. Make sure your all computers you use have up-to-date and functioning antivirus software. Avoid email attachments and unfamiliar websites. What was once considered “paranoia-level” precautions are the new standard of online safety. Considering that nearly half of Americans adults have had some form of their personal data stolen through an online breach, it’s safe to say that “they” are out to get you – paranoia or not.
Obviously stung by the world’s tepid reception of Windows 8, Microsoft announced that the next version of their operating system will be skipping Windows 9 and heading straight to 10. The jump is meant to signify a considerable advancement in the base operating system: this version of Windows isn’t just an incremental upgrade or updated version of 8. Microsoft intends to unify the operating system across mobile devices and traditional workstations (much like Apple is attempting to do with iOS), providing app makers a simpler development environment and presumably a much larger market. Previously known as “Threshold”, Windows 10 won’t be available to the general public until 2015, but preview-builds will supposedly be available starting October 1.
What this means for you:
If you’ve been holding out on upgrading your Windows 7 machine in the hopes that something better than 8 would come along, your prayers (may) have been answered. Early reports suggest that 10 is a mix of the best of 7 and 8, though you may wonder what parts of 8 qualified as “best.” Most gratifying will probably be the return of the beloved Start Menu, but with an 8 twist – the ability to add tiles to the menu (like the ones on the 8 start screen). Another eagerly anticipated feature will be improved window management utilizing the poorly-documented “snap” features of 7 and 8, as well as multiple desktops (something Linux users have had for years).
How should you prepare for coming of the mighty 10? There are rumors that 10 may be free to current Windows 8 users, but Microsoft refused to confirm this. If you have Windows 8 and were contemplating downgrading, you may want to hold off just in the off chance you can get 10 for free. Early reports indicate that Windows 10 will have the same hardware requirements as Windows 8, so older hardware may be left behind, but anything made in the past 2-3 years should be fine. If you want prepare right now, a larger monitor may provide you with the most bang for your buck, as Windows 10 looks like it will make multi-tasking even easier. More windows open equals getting more done, right?
While the world is trying to mop up the mess that Heartbleed left behind, along comes another vulnerability that might be just as big. Dubbed “Shellshock” because it affects the Bash shell commonly found on Linux computers, and (this may surprise you) some Mac OS X servers. “Shells” are the technical term for the user interface of a computer, something you may know as a “GUI” (sometimes pronounced “gooey”, an acronym for graphical user interface). In this case, Bash is a text-based user interface that has been in use on Unix & Linux machines since 1989. What makes Shellshock so alarming is the ease of which could be exploited by hackers, the scope of hacks which could come from exploiting the weakness, and the number of machines potentially vulnerable to this bug.
What this means for you:
Unless you run a Linux or Mac OS X Server, most folks could be affected by this the same way they were exposed with Heartbleed – anyone who uses the internet has probably visited a site or used a service that is run on Linux-based webservers, and a large percentage of them probably use Bash. Security firms have already discovered attacks “in the wild” attempting to exploit un-patched servers, and due to the pervasive access a command line interface has to the computer’s operating system, any number of system compromises can be executed once the hacker has control of the Bash shell. In other words, if an internet service you use gets “Shellshocked”, any data they may be storing about you on their servers could be exposed. For now, unless you are a server administrator, there’s not much you can do, other than inquire with your critical providers whether they have taken steps to protect against the Shellshock vulnerability.
It pains me to write about this, but I think it illustrates a valuable (if obvious) lesson. Immediately following the opening weekend of iPhone 6 sales, a web page began circulating on the internet advertising a “hidden” feature of Apple’s just-released iOS8 operating system update for its mobile devices. Called “Wave” this feature of iOS8 allowed upgraded iOS devices to be charged by microwaving them for 60-70 seconds. Needless to say, this does not work. As a matter of fact, it will destroy your shiny new phone in the time it takes to say, “I shouldn’t have done that.” This type of hoax has been around for quite awhile, in various forms, but invariably someone knows someone who knows someone who destroyed their phone after being taken in by one of these pranks.
What this means for you:
At first blush, I thought to myself, “Really, anyone that dumb deserves to have their iPhone fried,” but as I thought about it, their are legions of folks of all ages, from those old enough to remember when microwave ovens first appeared (1946) to those younger than the appliances they use, that do not know (a) how the technology works, and (b) the dangerous bits that everyone assumes everyone else knows. My daughter doesn’t know that metal shouldn’t go in the microwave – we’ve never had occassion to discuss it. Most of the tech we use on a daily, even hourly basis is well beyond average human comprehension, and the benefits gained from attempting an understanding feel intangible. Instead, we take it for granted, and are schooled on occasion through painful lessons like, “Everything you read on the internet isn’t necessarily true,” and, “Microwaving an iPhone is bad, mmmkay?”
A flaw in an Android open source web browsing app found on nearly half the active Android user base could potentially be used by malicious websites to steal user information. Reported by white-hat hacker Rafay Baloch earlier this month, this bug affects the Android Open Source Platform browser – also known as “Android Browser” – which was the default browser on all Android phones shipped prior to Android OS 4.2, when Google switched the default browser to Chrome. Even then, parts of Android Browser were still being used by other OS applications up until version 4.4, when Google swapped those parts out for Chromium ones. A survey of web browsers used shows that nearly half of all Android users may be using Android Browser actively, which could equate to nearly 40 million potential victims.
What this means for you:
Note that “Android Browser” (with capital B) is the actual name of this program, and should not be confused with the Chrome app, which is also an “Android browser” – as in it’s an app that lets you browse the internet on your Android device. If you still have the Android Browser app installed on your 4.X Android phone, you should replace it with Chrome. However, this may only solve part of the problem, as many other apps that have some form of internet browsing built into it may be using the flawed engine embedded inside the app itself, and there is no clear way to know for sure without asking the developer.
Now that Google has officially acknowledged the bug, a fix is supposedly in the works, but hasn’t said when it will release the update, which will have to be delivered as part of an OS update (ie. going from 4.3 to 4.4) and not throught Play Store. Also, it’s not clear whether that update will trickle down to the many apps that still use the engine to power their own embedded browsers. For now, stick to using Chrome, and be wary of apps that have built-in web browsing capabilities.
After the massive security breach Target experienced in 2013, Home Depot management had the best intentions in immediately planning for a similar attack being directed at them. Unfortunately, they were about only a quarter of the way through their plans to beef up security at their stores when the big-box DIY chain recently announced that they’ve been hacked, with potentially tens of millions of customers exposed. To add insult to injury, its beginning to look like hackers penetrated Home Depot point-of-sale systems as far back as April.
What this means for you:
By now, you probably realize that there’s not much you can do other than what you’ve already been doing: use credit cards, not debit cards, wherever possible, and always keep an eagle-eye on your purchase history. Credit card companies are already doing a pretty good job with their fraud-detection algorithms – don’t ignore those automated calls when you get them. Given the massive number of breaches happening, it’s very likely that your credit card number has been stolen (or soon will be) if you shop at most large chain-based retailers.
As a business, you can take a lesson from Home Depot’s woes: move quickly. Home Depot’s implementation was likely hampered by both logistical complexity (hardware replacement at thousands of locations scattered across a gigantic area) as well as “traditional” corporate bureaucracy. There’s not much to be done for the first part except to take it into account when combating the second part, which while understandable, will lead to disastrous consequences. Cyber criminals aren’t slowed by corporate chain-of-command – don’t let your decision making process expose you to a damaging security breach.
Several large and very popular websites, including Netflix and WordPress will be participating in an event known as “Internet Slowdown Day” on September 10th. The event, organized by several consumer advocacy groups, is being held to raise public awareness in the ongoing Net Neutrality debate and the imminent deadline (Sept 15) for public comments on the FCC’s proposed guidelines that govern how internet service providers operate. Chief among the concerns many have with the FCC’s proposal are the plans to allow ISP’s to establish premium fastlanes for content providers who can afford to pay extra. The easiest way to imagine how this might work is picturing someone paying to jump to the front of the line at a crowded amusement park.
What this mean for you:
In terms of September 10th, the various participants (this website included) aren’t actually slowing down delivery of content. Instead, they will be showing their support for Net Neutrality by prominently displaying various text and images that “simulate” what the internet would be like without Net Neutrality. Though it takes various forms depending on the platform and device on which it appears, everyone is intimately familiar with the “Loading, please wait…” animation. Regardless of how colorful, fancy or soothing it may try to appear, waiting for something to load is always aggravating and inconvenient. If you are still unsure what the fuss is about have a look at this video. It’s not the most objective of presentations, but it does a good job of explaining why Net Neutrality is worth preserving.
Despite what US mainstream media might be conveying with their breathless coverage of celebrity accounts being hacked for their lewd selfies, not all hacking activity is for titillation or criminal exploitation. A duo of hackers, self-dubbed LulzSecPeru, have penetrated multiple Peruvian government websites and servers, defacing webpages and stealing confidential data as a demonstration of their hacking abilities and purportedly to shake things up politically. Among the data stolen were several thousand emails from the former Prime Minister, which revealed the presence of possible undue influence by Peruvian industry lobbies. The sudden transparency nearly forced the resignation of the entire cabinet in a Congressional vote of no confidence which only missed passing by one vote.
What this means for you:
Once again, hackers prove that if it touches the internet (and sometimes even when it doesn’t), privacy breaches are just around the corner, especially when what is hidden is likely to be highly valuable to someone. Though this particular feat was slightly less salacious than the celebrity breaches, the only rule of thumb that can be followed is this: if you don’t want your “dirty little secrets” spread all over the internet, don’t put it on an internet-facing computer, cloud server or mobile device. Information, especially confidential data, is the new currency of the world economy, and as with all currencies, most folks will go to great lengths to amass it, especially if it has the potential to undermine authority or generate wealth. Complete isolation from the internet is impossible for most businesses, but you should review very carefully what information is stored where, and the potential damage it can cause your company if it were stolen or exposed in a security breach.
Though no comment has been forthcoming from Apple yet, the mainstream press has been awash in reports that dozens of Hollywood celebrities had their iCloud accounts hacked over the Labor Day holiday weekend and, as you might have guessed, explicit images and videos have surfaced on the internet. News of the breach first surfaced on infamous website 4Chan where an unidentified individual offered to share the explicit material in exchange for bitcoin donations. Representatives for some of the celebrities confirmed the legitimacy of the material, and threatened legal action against both the hackers as well as the various websites where the the photos and videos started appearing. As of now, authorities are still trying to identify the party or parties responsible.
What this means for you:
Despite the numerous, very public incidents of famous people taking explicit photos of themselves and reaping the consequences (good or bad), everyone – famous and not – continues to underestimate the weakness of technology security on mobile devices and cloud platforms, as well as the fact that erasing a file on your smartphone does not necessarily equate to destroying it permanently. Both iOS and Android devices are designed to upload any photos or videos you take with your device to their respective cloud storage platforms, ostensibly to back them up in case of device loss, as well as to facilitate the ability to share them via the internet. What most don’t realize is the default for both platforms is to allow this, and you have to pay attention when setting up your device at the very start to disable this functionality. If you quickly punch “OK” through this process, you can easily miss this very important setting.
As always, if you need to store important information must remain confidential, cloud storage (iCloud, Dropbox, OneDrive, Google Drive, etc.) is a very high-risk option that should only be considered with eyes wide-open to the worst-case scenario. The terms of service/use for most of these platforms indemnify them from these types of breaches, so if even if your information was leaked through no personal fault of your own (as might be the above mentioned hack), it’s highly unlikely you will be able to hold anyone accountable aside from yourself.











