Yesterday, the internet experienced a moment of apocalypse angst when Gmail users around the world (including C2) experienced a variety of issues getting email. Lasting roughly 40 minutes, users experienced complete outages, slowness and, if they were using Chrome with browser syncing enabled, outright application crashes. It turns out, rather than being able to blame ancient prophecies, Google fingered one of their own as the root source of the problem.
What this means for you:
Cloud nay-sayers may have had a brief moment in the sun while Gmail was on the ropes, but the fact remains that it’s still a very reliable service. Several lessons may be learned from the experience, all of them common sense:
- If your critical business practices rely on a free email service being available all the time, everywhere, you may want to re-evaluate those practices.
- When making adjustments to your business infrastructure, always double-check your work, and make sure you have a backup of your data.
- When technology fails, 9 times out of 10, a human is behind the failure.
Last week, Facebook opened up a vote on its usage and terms policies that included in the changes the removal of user pivilege of voting on future changes to said policy. In order for the user vote to be binding, 30% of Facebook’s user population (approximately 300 million users) needed to cast a vote in either direction. In the “Surprising No One” column, only 700,000 votes were cast (about .06% of the total population), and even though the vote was overwhelmingly against the changes, Facebook only needs to take that result under advisement, in other words, “Thanks for your opinion, we’ll do what we want.”
What this means for you:
Most of Facebook’s user base probably had no idea they had any influence over the policies that affect how they use, and are used by, Facebook, who went so far as to notify everyone about the upcoming vote via email. Even though they provided an easy to use link, an even easier to use app to vote (you didn’t even need to leave the confines of Facebook!), most of the world couldn’t be bothered to care about this change. It’s true, as mentioned in my previous article on this, Facebook allowing its userbase to weigh in on policy change is extremely unusual. As a result of the lack of interest, Facebook will become like the thousands of other internet companies who make changes to their terms of use without asking their users permission, and internet citizen self-governance takes another step backwards in favor of convenience and “free” services.
We’ve already seen way too much of some politicians and celebrities on the internet, but it seems human foolishness knows no bounds where the internet is concerned: sharp eyes have spotted a trend of people posting things like driver’s licenses, debit cards and other items with sensitive personal information in plain view on the internet through services like Twitter and Instagram. The reasons for posting these images aren’t immediately clear – and frankly, there isn’t a single logical explanation that doesn’t make these folks out as complete fools.
What this means for you:
In case you aren’t clear as to why this is a bad, bad thing – posting your sensitive personal information on the internet is tantamount to building a gigantic neon sign over your head that says, “Steal my identity, please!” To all the people who are doing this – STOP. Put down your smartphone (ironic, eh?) and step away from the internet. Go stand in the corner and put on that funny, pointed cap. Congratulations, you’ve just earned the Dunce of the Year!
Parents – if you have a teenager with their own smartphone and they’ve just earned their driver’s license or their own credit card, make sure they aren’t taking a picture of that shiny new card and posting it on the internet to brag to their peers. It might be a good time for a little security chat – and will be a lot more comfortable than that other chat you’ve been putting off for awhile now, right?
Facebook is taking a less than transparent approach in its latest governance vote by asking users approve changes to their usage and terms policies that revokes the privilege to vote on future changes to that usage and terms policy. The questionable part is that they are burying that change in the monstrous pile of legalese that is the overall “Statement of Rights and Responsibilities” and “Data Use Policy”.
Are they hoping that no one is paying attention and will happily vote away their ability to provide input on future changes? If typical human behavior demonstrated in skipping past the “fine print” is any indication, they would have been mostly right. However there are still plenty of digital activists and internet watchdogs scrutinizing Facebook. Their eagle eyes have spotted the change and got the mainstream media to splash it all over the internet.
What this means for you:
If you don’t use Facebook, you can’t vote. If you do use Facebook, you should go vote and let Zuckerberg et al. know that you care about your digital rights and want to have a say. Unless 30% of the Facebook population show up to vote, Facebook only has to take the decision (regardless “yea” or “nay”) as “advisory” and will adopt the new changes, removing your ability to vote on future changes. The fact that Facebook allows a vote at all is a bit of a rarity in the internet service realm, and countless legal arguments have surfaced over whether “Terms of Use” policies that many of us blithely click “I Agree” to in order to get to the good parts are even enforceable. But don’t let that lead you to an apathetic stance – Facebook’s position as the largest digital consumer service in the world puts it in the limelight for security and user rights, and as such, it should be trying to empower its users, not abrogate their freedoms.
Hackers are now taking advantage of conscientious users who have been repeatedly warned by folks like myself to keep their software, specifically their browsers, up to date. If a user happens to surf to a website hosting this new style of attack, they will be presented with a realistic-looking warning that asserts their browser is out of date, but if they click the convenient link to update the browser, they instead be infected with a trojan that will forcibly change the browser homepage to a site that will deliver a full payload of malware. If the user is unfortunate enough to have his or her anti-malware software overrun, they will quickly have a severely compromised computer.
What this means for you:
You should only ever download updates for your software from the manufacturer’s website, as it’s extremely unlikely for manufacturers to use third-party hosts for software updates. In the above example, users were directed to download an update from a domain “securebrowserupdate” which is something Microsoft, Google, Mozilla or Apple would never do for their browsers. If you happen across a pop-up warning that an update is available for your browser, and you aren’t sure it’s legitimate, close it, then check your update status through the browser’s built into the interface, usually under the “Help” menu. Still not sure? Why not call an expert like C2?
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Security researcher Bogdan Calin has reportedly devised a new cyberattack method that can compromise certain types of routers merely by a local user opening an email on their iPhone, iPod or Mac. This new vector takes advantage of two common security weaknesses: the default mail client settings on Apple devices that loads remote images automatically, as well as default or weak admin passwords on consumer-grade routers that are often found in residences and small businesses. In a nutshell, the attack works by taking advantage of your router’s ability to be managed via web-browser by opening dozens of hidden pages with login and setting changes, each firing off in turn until one of them affects the change.
All of this happens in the blink of an eye, and because the changes don’t have to be destructive immediately, the user would not know they had just compromised their own network. These settings could include changing your DNS settings to servers that a hacker controls, allowing them to misdirect anyone on that network to sites that can further hijack computers. For example, typing “Google.com” would no longer take you to the actual Google website, but could instead send you to a counterfeit site that, for all intents and purposes, looks very similar to Google’s own site, and from there, could lure unsuspecting users into further compromising decisions.
What this means for you:
As of now, this particular attack only works on specific types of routers, and relies on the fact that many people have never set their router password to something other than the default it shipped with from the factory. Despite Mr. Calin’s warning, Apple is not planning to address the settings exploit, and has instead suggested that users can turn off the automatic loading of remote images in emails (the default setting in Android mail clients) if they wish additional security, but with the downside that all images, legitimate or not, would be prevented from loading. The simplest solution, of course, is to set your router password to something other than the default, and preferably one that is hard to guess or brute-force.
Image courtesy of Victor Habbick / FreeDigitalPhotos.net
A recent study by security firm NSS Labs shows that Google’s Chrome browser still has the best detection rate (94%) for spotting phishing URLs, and on average, new malware sites are reported and blocked by all browsers within 5 hours of discovery, a significant improvement over the 16+ hours that same process would have taken in 2009. Firefox showed the best response time to reporting and blocking new sites at 2.3 hours – more than twice as quick as IE10.
What this means for you:
All of the major browsers have significantly improved their ability to protect users, to the point that there is very little statistical difference in their security capabilities. Many of my clients still ask me if one is better than the other, and the answer is always, “It depends on what you need the browser to do.” I still use Chrome for most of my work, but there are still enough times when I’m working with online apps that only work with Internet Explorer. The most important factor to consider is making sure whatever browser you do use is kept up to date, and that you practice safe and cautious surfing whenever working with unfamiliar websites.
The new tradition of Black Friday (and Cyber Monday) shopping online has not only caught on with bargain hunters hoping to avoid crowds and early-morning lineups, it has also caught the eye of the digital criminal element as well, who will be counting on naive (and not so naive) shoppers clicking on links to dodgy sites that instead of delivering amazing deals, will end up costing unwary shoppers hunters more than they bargained for.
It is believed that various cybercriminals will attempt to lure victims into clicking links promising deals too good to pass up, either delivered via email, or posted on the various bargain/coupon code websites that are scattered across the internet. Once you click a link to a site that is handing out malware instead of savings, your machine is likely to get infected with one of the hundreds of variants of malware, all with the express intent of, wreaking havoc on your holiday weekend (and beyond), extoring money out of you via ransomware demands, or worse still, lying dormant and undetected on your computer until you start typing in sensitive information, like the password to your banking website and email account. Once that happens, you are only clicks away from identity theft and probable financial damage.
What this means for you:
Common sense and caution are your best defenses, but you should also observe the following:
- Have updated and working antivirus software from a well-known manufacturer.
- Only click links to websites that you recognize – make sure the link you are clicking isn’t being spoofed.
- Can’t confirm a website, or not familiar with the source? Google the domain name – the real domain name, to see if virus/hoax reports have been associated with that domain.
- If the deal sounds too good to be true – it probably is. Call the store to confirm the deal if in doubt. Talk to a human.
- Still can’t confirm? Proceed with extreme caution at your own risk. Is the deal really worth the risk of your security being compromised?
Image courtesy of “digitalart” / FreeDigitalPhotos.net
If you’ve held off buying a Surface tablet in the hopes that the new device would settle in and get its legs after a less-than-stellar showing at launch, you have probably been disappointed to find that instead of capturing the hearts and minds of the public (or the media), the Surface continues to struggle for identity in the shadow of the iPad and, to a lesser degree, Google’s Nexus tablets. Zach Epstein at BGR.com had one of the more favorable launch reviews of the tablet, and 30 days later, he updates his stance: he’s still thumbs way up on the hardware, but finds that Microsoft’s innovative hardware is limited by Windows RT, the tablet-only version of Windows 8, and its still-thin selection of apps.
What this means for you:
Mobile warriors looking to get work done via tablet alone (that aren’t already doing it via the iPad or Nexus) may still find themselves hamstrung by the limitations of the Windows RT and the lack-luster selection of apps. Even if you spend most of your time in Microsoft Office, performance of Outlook RT is still poor, and if there’s one thing people won’t suffer, its a slow email client.
Look carefully at the applications you need to exist as a tablet-capable version before chucking your laptop for any tablet (not just the Surface), and even if it does exist, make sure it meets your needs before investing. Die-hard tablet enthusiasts will be able to surmount most of the limitations of Windows RT just by virtue of their innate patience and willingness to “hack” around problems, but if you are someone who’s patience is tried even by the ultra-polished iPad, don’t even think about a Surface at least until the Windows 8 Pro versions arrive in early 2013.











