Following recent attacks by hacktivist group Anonymous on various government websites, the Department of Energy has reported that it too has been hacked, and personal information on hundreds of its employees has been compromised. The DOE has been relatively tight-lipped about the breach, and it’s not immediately clear whether this may be related to Anonymous’s current campaign “Operation Last Resort” which aims to reform computer criminal laws in the wake of internet celebrity Aaron Swartz’s suicide. In the case of the Anonymous-led attacks, various government websites have been completely taken over by hackers and used to post derogatory videogame parodies and login credentials for hundreds of banking executives.
What this means for you:
The gloomiest of the doomsayers are saying that in the near future, there will be only 2 types of businesses: “Businesses that have been hacked, and ones that don’t know that they’ve been hacked.” We’re not there yet, but some analysts believe we’ve hit an inflection point in cyber security where the criminals are now ahead of the business world in terms of sophistication and advantage. If the above is any indication, many government institutions are probably even further behind businesses in terms of security. Does that mean it’s time to pack up all that technology and return to paper ledgers, brick and mortar storefronts and hand-written checks? Not yet, but the businesses that take an aggressive stance towards tightening up their ships will stay well ahead of the competition, especially when those looser ships start to spring cyber-leaks.
What’s the first step? Find out if you have an information security policy. If so, make sure it’s being enforced. If not, call me right away to start talking about how to get your company’s technology battened down for the coming storm.
Yesterday I posted about the real possibility of cybercriminals and spammers using Facebook’s upcoming “Graph Search” as a means to easily sort out and research potential targets. The Electronic Frontier Foundation, ever on the lookout for our privacy (even when we won’t do it ourselves), has put together an excellent guide on all the settings you should review in Facebook to make sure the data you want to be hidden from the general public stays that way.
What this means for you:
If you’ve ever taken a stroll (or even a dedicated walkthrough) of Facebook’s privacy settings, you probably gave it up for being unnecessary and complicated. Hopefully my previous article made you reconsider the “unnecessary” stance, and now EFF gives you a step-by-step guide to setting the privacy settings to what you want them to be. The only thing better would be having me sitting with you personally to go through each step and doing it for you. I could totally do that if you like, but while I was doing it, I’d be giving you a (possibly boring) lecture on why you should be learning how to do this for yourself, etc. Your privacy and security is important enough that you should understand exactly how Facebook shares your personal information. We are entering a period of time where getting duped by hackers is moving from nuisance to an actual threat on your livelihood and possibly even your personal safety, and the best defense is knowledge and preparedness.
Remember the announcement of Facebook’s new “Graph Search” feature? No? I don’t blame you. Until most folks can get their hands on it and see what it can do with data from people they know, it’s hard to envision how Facebook’s “innovation” is important. Security analysts, of course, eat and breath this stuff, and as they are trained (and expected) to do, they have extrapolated how this powerful social media search tool could be put to nefarious use. Christopher Hadnagy (Social-Engineer.org) put it succinctly:
Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.
In case you aren’t aware how “phishing” works, the core conceit is focused on fooling the reader into clicking on links and providing confidential information to a counterfeit website. Phishing is most effective when the target gets an email that seems legitimate, e.g. using graphics and fake address from bank with which they already do business. Instead of having to rely on statistical probability, phishers can now target with ruthless efficiency any data available through Facebook’s Graph Search.
What this means for you:
If you are an avid user of Facebook with a tendency to openly share just about everything through social media, your data is already out there and viewable. If you are a casual Facebook user, but haven’t taken the time to adjust your privacy setttings, your data is already out there and viewable. Nothing has changed in that regard. However, up until now, you had a very, very thin layer of protection through the concept of “security through obscurity”. In other words, the sheer, overwhelming amount of data that is available greatly reduces your chances of being randomly identified and targeted. Think of it as wandering into the Library of Congress where the only way to find something was to know exactly what it was called and where it was located physically in the building.
Facebook’s Graph Search gives anyone the ability to search for anything in Facebook using a natural language query like, “Show me all the books on 19th century bridges built in the US with wood.” If those books are in the library and are viewable to the public, then they would be delivered in a tidy page that could be reloaded and refreshed whenever the search was needed. Here’s the key: the data is viewable only by those to whom you’ve granted permission to view. If you allow the public to see your contact information and “Likes”, that data will be viewable by not only your friends, but the internet, including the aforementioned phishers. If you haven’t reviewed the privacy and security permissions on your Facebook account, now is a good time to do so.
If you’ve been salivating at the prospect of upgrading to Microsoft Office’s latest iteration – 2013 – then your wait is officially over. Multiple SKU’s of Microsoft’s productivity platform will become officially available on Jan 29. Most importantly, Microsoft is now making the Office suite available to be “rented” via the Office365 Home Premium package. This subscription-based service will allow the main Office apps (Word, Excel, PowerPoint, OneNote, Outlook, Access, and Publisher) to be installed on up to 5 computers on your local network (Windows or Mac) for $99/year.
What this means for you:
Up until the arrival of Office365, most organizations couldn’t afford (or didn’t want to afford) an enterprise license for Microsoft products with the Sofware Assurance premium which basically guaranteed upgrades for their entire license base over a certain number of years. Instead they purchased what is known as a “perpetual use” license: it allowed the licensee to use the version of Microsoft software they purchased for as long as the software remains viable. This has manifested as many, many organizations running much older versions of Office dating back 10 or more years, and still quite happily getting work done without paying a single additional dime to Microsoft.
Microsoft, in an effort to keep the coffers full and users happy in all categories, has commoditized Office with this subscription service for everyone, allowing companies and families with tight budgets to remain competitive without breaking the bank. Office has been the predominant productivity package for business, and now with affordable pricing for entire households, Microsoft hopes to further extend and cement its grasp throughout the consumer market as well. Depending on where you stand in the industry, this is not always necessarily a bad thing. Broad standardization will lighten support burdens everywhere. On the flipside, crushing the competition might lead to stagnation in innovation, and as we all know, it’s been a long, long time since anyone every looked at a new version of Office with anything other than trepidation.
According to The Verge, Google notified Microsoft of its plans to discontinue support for ActiveSync on the Gmail platform last year, and has recently notified Microsoft that the cut-off is coming on Jan 30, despite Microsoft’s efforts to get a 6-month extension from Google. ActiveSync is widely used to sync calendar and contact data from Gmail to Windows and iOS devices. Microsoft has noted that the Windows Phone OS will support CardDAV and CalDAV, which are the protocols used currently for synching on Android devices, in a future update of Windows Phone OS, but the update release data has not been announced yet.
What this means for you:
If you use Gmail as your primary calendar and contact management system, and you are syncing contacts and calendar data to a Windows Phone or an iPhone, you will lose the ability to sync up your data between phone and the cloud for an unknown length of time once Google drops support for ActiveSync – Gizmodo projects it could be as long as six months time. If you need this functionality, start considering alternatives ASAP!
Microsoft has announced that it will be raising the price of Windows 8 upgrades at the end of January to the full retail cost of $119 to $199 for the Pro version. The downloadable upgrade from Windows 7 to 8 is currently available for $39.99, and there is a boxed, retail version available for $69.99, but those prices will no longer be available on February 1.
What this means for you:
If you were at all considering upgrading to Windows 8, but aren’t necessarily ready to make the change right now, you may want to go ahead and make the purchase now and save yourself some money. Savvy technology users will have only minor issues transitioning, and Microsoft isn’t going to change their minds and rollback Windows 8, so eventually, savvy or not, you’ll probably be using Windows 8 at some point.
Keep in mind that the $39.99 price is for an upgrade version of Windows 8, so you will need a machine with a licensed copy of Windows XP, Vista or 7 to use it properly. The upgrade version cannot be easily installed on a blank computer unless you have the install media (and activation key) for your older OS handy.
Research In Motion (RIM), makers of the once-dominant BlackBerry platform, has announced the launch date of its BlackBerry 10 phones to be January 30 by all the major US carriers except Sprint, who has promised a BB10 phone later in the year. Many analysts believe that this launch is the last-ditch effort by RIM to regain relevance in an industry dominated by iPhone and Android devices, and just as many have already counted them out.
What this means for you:
If you are one of the dwindling BlackBerry faithful, there is a lot to whet your (by now, monstrous) appetite: the new RIM OS modern look and all new code-base (supposedly no carry-over code from older RIM OS’s) will hopefully update BlackBerry’s staid, corporate image. However, the new BB10 phones have multiple strikes against them:
- Developers for the “staple” apps (Facebook, Google, Netflix, etc) will undoubtedly develop versions of their omnipresent apps because they can fund the development off the backs of their profitable iOS and Android counterparts, but don’t expect surprise hits from indie developers appearing on BB10 first – there just isn’t a large enough userbase to warrant the investment gamble. RIM has sponsored some recent events to kickstart development, but proof will be in whether BB10’s launch will be a repeat of Microsoft’s Windows Phone lackluster debut.
- BlackBerry’s current infrastructure has some serious redudancy flaws that has led to some titanic outages. Once viewed as the most reliable platform in the early days of smartphones, the series of recent, widespread outages has severely tarnished RIM’s image.
- RIM has been lapped by Apple and Google, OS-wise, at least 2 to 3 times now. RIM is just launching a competitor to phone OS’s that were developed years ago. Unless this horse can fly, there is no way BB10 is catching iOS6 or Jelly Bean in this race.
I suspect that RIM isn’t quite done – they still have a nice chunk of the market, but they aren’t going to supplant iPhones or Androids anytime soon.
Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”
What this means for you:
Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.











