A secret war is being fought in the internet industry right now, but unless you are a die-hard student of all things tech, you might not even know it’s taking place. The more conspiratorial-inclined among us accuse the mainstream media of avoiding coverage of this debate because of their close ties to the opponents of net neutrality, but it’s also a very complex, “unsexy” topic that is hard to explain in easily digestible soundbites.
The principles of “network neutrality” have been the subject of hot debate for over a decade now, but as of yet, there has only been one highly publicized incident of a company actively “violating” the basic tenet of net neutrality, which is that all data on the internet should be treated equally, both in terms of accessibility (can I see it?) and how quickly it loads. For Americans, censorship is a hot-button topic, so the accessibility issue isn’t normally included in the ongoing debate. What’s at stake is whether internet service providers like Time Warner, Comcast and AT&T can charge content providers (NetFlix, Google, Spotify) more because they use so much data, and if those companies refuse to pay the premium, would their bandwidth be throttled, lowering the quality and/or value of the service itself.
Another aspect of this debate is whether the US Government (or any government, for that matter) should regulate the internet like a utility. Both sides of the net neutrality fight are of mixed opinion on this. Some argue this would encourage (enforce) competition in the ISP market, and would allow oversight into ensuring net neutrality was observed, but as many others have pointed out, this didn’t work so well for the telecomm industry the first time we tried this. The other thorny facet of this issue is the plain fact that the internet is not owned nor controlled by any one country, though it could be argued that the US holds a “majority stake” in its creation and continued wellbeing.
What this means for you:
Today, the FCC has presented a plan that many feel completely undermines network neutrality by providing a “regulated” means for ISPs to create “fast lanes” of service into which content providers may opt, and if they do not, presumably their content would be delivered via the “normal lanes”. If no one opted into the fast lanes, this would be a moot point, but as you all know, in business, those who get to the finish line first win, and everyone else, regardless of whether they finish at all, lose. Even the most altruistic of companies (Google maybe?) are willing to get their claws out when it comes to competing, and being slow on the internet is the difference between being Facebook or being MySpace.
In my opinion, network neutrality is a concept worth understanding at minimum, and if you take the long view on improving our civilization, an important principle that should be upheld. Competition is what made America great once, and it is what created the amazing technology we have now, including the internet. Creating tiers of accessibility and quality within a service that most would view as a fundamental need (if not right) might end up creating a version of the internet (at least in America – imagine the irony) that is the antithesis of internet that is spreading information, freedom and equality around the world.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Cable broadband was once strictly the province of residential customers, but over the past several years, the major players in this space have made large in-roads into the SMB market with fast, cheap internet circuits that, on the whole, perform more-or-less as reliably as their more expensive (T1’s) and/or slower (DSL) counterparts. The primary difference between cable circuits and T1’s, the former mainstay of business broadband, is that cable bandwidth is not guaranteed as it is on T1’s, and speeds can fluctuate wildly throughout the day, depending on the neighborhood utilization. Web-based speed tests were born, and from them probably many acrimonious disputes between customer and provider were sprung. Anecdotal research by CNET writer Dennis O’Reilly indicates that not all speed tests are created equal, can be inconsistent and even possibly slanted to favor the companies or brands sponsoring the test.
What this means for you:
A casual run of the tests on Speedtest.net may prove eye-opening, but not necessarily irrefutable proof that your internet provider has over-promised and under-delivered. In the case of a broadband circuit in use at an office, other users and devices will impact the internet speed, and unless you can guarantee your computer is the only device using the circuit, will never be a true test of the circuit’s full potential. Also, even if you were to disconnect everyone from the internet except your test machine, that’s not a true representation of the actual speed you and your co-workers will experience on a typical day. And here’s the catch behind the low-cost business-class cable – very rarely can the cable company provide any kind of cohesive reporting on how your bandwidth is being utilized, primarily because you are using a shared internet circuit. Conversely, with T1’s the higher costs pays for a dedicated, (usually) monitored circuit. Depending on your provider and contract, you may be able receive detailed reporting on utilization at any point typically within the past 7-14 days, and they may even be able to pin-point who on your network is bogarting all the bandwidth. If you have concerns about network or internet performance, speak to a technology professional who can provide you with a much broader, context-based analysis of your bandwidth usage. Don’t rely on a simple website to pass judgement on a critical part of your business performance.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
As a parent, there is perhaps nothing more frightening than to have your child’s well-being threatened, and when that threat comes from a device meant to help safeguard children (and relieve parental anxiety), the impact can have far-reaching implications. Proving that some hackers out there have no grasp of human decency or compassion, there have been at least two separate known incidents of network-enabled baby monitors being hacked and then used to audibly taunt and yell at the toddlers devices were monitoring. In both cases, the devices weren’t hacked in the true sense of the word, but were exploited through a weakness that is common across the internet: easy-to-find default passwords. The parents, not knowing that the passwords should be changed, left the devices configured as they came out of the box, and the baby-screamers used that opening to perpetrate their irredeemable acts.
What this means for you:
In comparison to the above, getting hacked as an adult seems almost laughable, but when you think about it, it’s just as scary. In case you missed my blog about “ratting” and you aren’t feeling insecure enough about your security and privacy, you should have a read. The lesson hard-learnt here is this: make every attempt to understand all the devices you use, especially the ones that may be safeguarding the security, privacy and happiness of your family. Read the instructions that come in the box, and if they are incomprehensible, get on the internet and ask questions, or grab your nearest tech geek to have them review the device for potential security issues. Don’t take for granted that a device manufacturer (or website publisher, or software programmer) has your security and privacy top of mind when they are making and marketing their product. The lure of profit encourages even the most trusted brands to cut corners on occasion, which can lead to scary situations like the above.
I shouldn’t have worried that my special “Microsoft Zero-day Warning” graphic was going to gather dust. Would it surprise you to hear that a serious security flaw has been found in all versions of Internet Explorer up to the latest, version 11? This particular loophole allows attackers to use a specially crafted Flash file downloaded from compromised websites (like the ones linked to in spam, scams and phishing emails) to gain full access to your computer, and will likely lead to a badly infected computer and theft of your personal information. Though there are some band-aids offered by Microsoft, as of now there is no word whether this hole will be plugged by an emergency patch released soon, or on “Patch Tuesday” (2 weeks from now), or even later than that. Because of the severity of the security flaw, even the Department of Homeland Security is recommending everyone avoid using IE until this is fixed. Oh, and remember Windows XP? It won’t be getting patched, so yet another burning reason to switch browsers, and upgrade as soon as possible.
What this means for you:
This flaw is being exploited “in the wild” as you read this, though not widespread yet, and has thus far been used to target government employees and defense contractors. Given how large the target surface is, this exploit is highly likely to spread beyond these focused attacks. Unless your work requires it (or disallows the use of other browsers), you should stop using Internet Explorer for anything except known work-related websites. And if you have to use IE, you can disable the Flash add-on until the hole is plugged. This article from Microsoft explains how to do this, but make sure you use the little drop-down to the right of the headline to switch to the appropriate version of IE for specific steps. Chrome, Firefox or Safari are good alternatives to IE, and who knows, you may find that they can permanently replace IE for most of your web browsing tasks.
One of my favorite bits of advice regarding suspicious emails is to encourage the recipient to pick up the phone and call the company that supposedly sent the email to see if it’s legitimate. Unfortunately that advice isn’t as valuable as it once was. Cybercriminals have broadened their repetoire to include fake customer support numbers for popular internet services, such as Netflix. This particular scam relies on a very common advertising vehicle wherein companies can buy ads that look very much like the top search result in both Google and Bing searches. Potential victims, using a search engine to find the customer support number for Netflix are shown ads with fake customer support numbers, and many searchers mistake the ad for the legitimate search result. The phone call to the phoney help desk quick escalates into the customers computer being “infected” with fake viruses, and soon followed by demands for cash to clean up the compromised computer.
What this means for you:
The internet veterans among you know how to tell the advertisements from the actual search results on Google and Bing, but there are just as many who do not realize there is a difference. This particular scam counts on it, on top of victimizing people who are already in some form of technology distress. If you count yourself among the search-engine savvy, make sure you educate those close to you on how to separate the ads from the search results, as well as showing them how to find the right support phone numbers for important services they use. This may be particularly useful to aging family members who are targeted specifically because of their neophyte technology tendencies and trusting nature towards phone technicians who sound like they know what they are doing.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In December 2013, French security hacker Eloi Vanderbeken uncovered what appeared to be a backdoor programmed into several models of DSL routers. The affected devices were built around hardware manufactured by Taiwanese company SerComm and the finished products came from several well known brands like NetGear, Linksys and Belkin, to name a few. This backdoor allowed anyone with knowledge of the hole and local access to the router (say through a nearby Wi-fi access point) to gain administrative access to the router and could lead to a complete takeover of the network controlled by the device. Now, several months later, this backdoor is not only NOT fixed, but appears to have been purposefully concealed behind the digital equivalent of a secret knock, which once given, opens the backdoor right up to the same level of exploitation as discovered in December.
What this means for you:
If you own a DSL router, you should check this list to see if your model appears on it. If it does, I recommend replacing it immediately. Even if it does not, you should check to see if your router is among the many models that are compromised in other significant ways. If you happen to be among the fortunate that uses a router not on any of these lists, you should still review the security settings and passwords used by the device, and if you don’t know how to program or even access your router, you need to get someone who does to review the device for you. The router is the front door to your home or business network, and you should not trust your security to something that can be easily broken down or opened with a readily available master key.
Image courtesy of creativedoxfoto / FreeDigitalPhotos.net
Security researchers have discovered that certain models of iOS devices that have been “jailbroken” are now being targeted in a malware attack, dubbed “unflod”, that can collect the AppleID account login and password used on that device and transmit it to hacker-controlled servers. While jailbreaking iPhones or iPads isn’t likely to be something the majority of iOS device-users will do (primarily because it voids your warranty), a significant percentage of users (2% in early 2013, or nearly 7 million devices) regularly jailbreak their devices. Even if the actual count of phones vulnerable to this threat is somewhere less than 7 million, it’s still a big enough target for identity thieves.
What this means for you:
If your iOS device isn’t jailbroken, you don’t have to worry about the unflod malware attack. If you have an iPhone 5s, iPad Air, or iPad Mini 2G, you don’t have to worry about this particular attack either, even if the device is jailbroken, as the malware currently in use doesn’t work on 64-bit operating systems, of which the aforementioned devices use. The unflod malware appears to be caught through application of certain system tweaks that can only be applied to jailbroken, 32-bit OS devices, and only then if the tweaks are sideloaded outside of Apple’s own official app store, or Cydia, the “unofficial official” app store for jailbroken devices. In other words, if most of the words in the article don’t make sense to you, you probably won’t be affected by this malware.
HOWEVER, if you’ve ever considered jailbreaking your iOS device for whatever reason, let the above serve as a cautionary tale: be sure you know what you are doing, back up your important device data, and seriously consider whether you really need a jailbroken iPhone. While the above malware attack requires a specific set of circumstances that only affect a very small percentage of users, jailbreaking a device should only be done by someone willing to take on an increased risk of security breaches and with a full understanding of troubleshooting your own device issues.
Heartbleed continues its rampage across the internet. There are too many stories to tell and too little time. Read on only if you have the stomach for it.
- Networking companies Cisco and Juniper have revealed that several dozen models of their hardware devices are affected by the OpenSSL security flaw known as Heartbleed. To see if any of your networking products made this list, Cisco’s advisory can be found here, and Juniper’s here.
- Two sources close to the NSA allege that the spy agency has exploited Heartbleed since it first appeared over 2 years ago.
- Android smartphones and tablets running version 4.1.1 of the Google operating system are vulnerable to the bug. According to Google, this may affect less than 10% of all Android devices, but given that there are nearly 900 million Android OS devices, that still means millions.
- The vulnerability was used to steal 900 taxpayer ID’s from Canada’s Revenue Agency.
What this means for you:
The security implications of the Heartbleed vulnerability are staggering and very difficult to encompass. Now, more than ever, you must keep a close eye on your digital assets and accounts. Confirm with your financial institutions whether or not they were impacted by the bug (most major, commercial banking institutions did NOT use OpenSSL), and if they were, wait until they confirm that they have fixed it before changing your password. Do NOT use any software or websites confirmed to be affected by Heartbleed until they patch the bug, even to change your password. If you do this while the vulnerability still exists, there is a good possibility that hackers can actually see you changing your password and record the new one. Right now, because of the spotlight on this hole, hackers are racing to exploit the panic and confusion, and you are more likely than ever to be hacked. Wait until your websites confirm they have patched the security hole before using them to change your password.
Keep in mind that many, many organizations are still working through the impact this bug has on their technology, and many are just as confused as you might be. There will continue to be a lot of uncertainty and possible panicky responses from company representatives who are ill-informed on their company’s official stance on Heartbleed. The vulnerability affects a technology that is sophisticated and not easily explained, and not even the most eloquent among technology professionals can convey the problem and solutions in easy-to-understand terms. During these uncertain times, constant vigilance is the only weapon many of us have at the moment, so keep your eyes open and your IT consultant on speed-dial!
Researchers from Google and security firm Codenomicon released details yesterday on a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, this vulnerability is found within a code library called OpenSSL – a tool almost universally used in Linux-based webservers, and it may have been in existence for as long as two years before being discovered this past weekend. In a nutshell, this weakness could theoretically allow a hacker to download critical bits of information that are literally the cryptological “keys to the kingdom” of a server affected by this bug. And unfortunately, there is no way to detect an exploit of this vulnerability, nor to determine what, if anything was stolen in the alleged attack.
What this means for you:
You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full Disclosure: C2’s own website had this bug up until late last night when the server was patched). And by large, I mean websites like Yahoo Mail. Essentially, the weakness could allow hackers to scrape a small segment of active, encrypted server memory and read the contents, which could contain just about anything at the time, up to and including passwords or actual cryptographic keys that can be used to decrypt encrypted data sent by the server itself. Alas, because there is no way to tell when or even if a Heartbleed bug exploit is occurring, there’s no way to tell if anyone, or everyone has been compromised in some form by this hole.
Fortunately, the media seems to be grasping the severity of this problem, and has broadcast this story across every website. Unfortunately, this may prove to be a double-edged sword as both server adminstrators and hackers scramble to get to the unprotected server memory first. For any online service you use that utilizes HTTPS or other forms of encryption, you will want to watch for announcements and news from that service: either acknowledging and fixing the bug, or assuring their customers that they are not affected by this weakness. Either way, it’s always a good idea to never use the same password more than once, and to always keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.
In case you haven’t heard, about a third of the world’s computers are about lose official support from Microsoft on April 8. Any computer running Windows XP will no longer receive updates or fixes to any vulnerabilities discovered after the cutoff date. Microsoft will continue to provide limited support to its XP-compatible security products, like Security Essentials (their free anti-malware product), but that is set to end sometime in 2015. Most antivirus manufacturers have stated that they will continue to support XP-compatible versions of their apps into 2016, but without core patches to the XP operating system, their efforts will be merely fingers in a deteriorating dike.
What this means for you:
Though you may not know it, your company or the vendors that service you may be heavily reliant on XP. Case in point – one of my clients relies on XP workstations to monitor environmental-control equipment (think air-conditioning and heating) and building automation systems, and some of the computers running these applications haven’t been updated for years, and in some extreme cases, the hardware may be close to a decade old. Hardware failure aside, the lack of support for XP going forward will mean those computers will need to be replaced ASAP, and may be a cost you hadn’t considered in your 2014 or 2015 budget.
Windows XP powered computers are likely to show up in places where they are used regularly, but maybe not by a single individual and are thus overlooked during the part of the regular upgrade process: kiosks (lobby directories, ATMs, silent radios), point-of-sale systems, document scanning stations, etc. Make sure you comb through your organization’s infrastructure for these computers, as they will become vulnerability points for your entire operation and could lead to serious security breaches. Unfortunately, rectifying these obsoleted workstations won’t be cheap nor easy, especially if they power critical systems, but in some cases it may be possible to port XP-only applications to Windows 7 and run them in compatibility mode. Make sure you work closely with vendors who supply this older software to determine what, if any, plans they have to bring their platform to Windows 7, and if they have no plans, it may be time to consider a new vendor or service.











