You know the general public is suffering from security fatigue when something as big as the Dropbox breach appears in the news, and almost as quickly, disappears. In case you blinked, online magazine Vice.com broke the news last week that a database recently surfaced which contains over 60 million Dropbox.com user accounts (email addresses) and hashed passwords. Almost immediately following this news, Dropbox itself issued an email warning to its users that it was resetting passwords of users who might have been impacted by a 2012 breach. Breach notification site HaveIBeenPwned.com also corroborated the reports that the account information found in the database does contain valid usernames and encrypted passwords.
What this means for you:
Even though breach data may be years old it can still be valuable, especially if the passwords are stored with weak, easy-to-crack encryption. In the case of the Dropbox breach, approximately half of the passwords are strongly encrypted, and are unlikely to be decoded, and the other half stored in a slightly weaker, but still formidable encryption method. As proof of their continued value, many databases from breaches as far back as 2012 and earlier as still actively traded and sold in the digital blackmarket, and as technology continues to advance, you can bet that even strongly encrypted databases will eventually be cracked. If your account and password only showed up in the Dropbox.com breach, you could consider your password relatively safe (change it anyways!) for now, but if you used it elsewhere, and that account was exposed in another breach, like the LinkedIn.com breach that happened in the same year, and you used the same password as you did for Dropbox, your security is considerably more compromised. Multiply that exposure for every other breach you were a part of and used the same password again, and we can’t even account for the breaches that haven’t yet been publicized!
Long story short: check HaveIBeenPwned.com, change your passwords, and don’t reuse passwords!
In an extremely unusual occurrence, the operators/handlers of the infamous TeslaCrypt ransomware have announced they are discontinuing operations of their highly lucrative malware campaign for undisclosed reasons. Analysts speculate it could be anything from growing law enforcement attention, redirection of resources on even more virulent malware, to the unlikely scenario that the operators have made enough money and are feeling generous. Whatever the case may be, researchers from security company ESET contacted the “retiring” operators and asked them if they would publish TeslaCrypt’s master key, and to everyone’s astonishment, they obliged. Armed with this critical piece of data, ESET and others have built apps that have the capability of decrypting data that is being held captive by any number of TeslaCrypt variants dating back as far as early 2015.
What this means for you:
For one of my clients, a distant hope for this exact scenario finally paid off. Their data has been trapped in encryption for over a year, and as they didn’t have a viable backup at the time of the infection, they walked away from nearly a decade of data that was locked away even after paying the ransom. After our initial attempts to recover the data with what seemed to be a fake key, we put the data aside in the hopes that the master key would someday be recovered, possibly through law enforcement activities. Fast forward to this past weekend: after several hours of number crunching with tools provided by the brilliant folks at BleepingComputer.com and the master key secured by ESET, I was able to successfully decrypt nearly 200,000 files in what appears to be a full recovery of the “kidnapped” data.
If you happen to be among the unfortunate few who fall into this same ransomed data, backup-bereft category, your long-odds gamble may actually pay off like it did for my client. Counting on events like this unfolding for other variants of malware is still highly irrational. Last time I checked, there were still large portions of the world beset by malicious and criminal behavior, and it may never be revealed why the TeslaCrypt operators released the master key. Even if some hackers discovered compassion for their fellow humans and gave up their black-hat ways, there are ten others ready to take their place. Cybercrime continues to be a huge moneymaker for the criminal element. For this reason alone, you should continue to reinforce your technology defenses with a strong firewall, competent anti-malware and reliable offsite backups.
Image courtesy of renjith krishnanat FreeDigitalPhotos.net
In the early days of the internet, building a server dedicated to providing email for your company was a sign that you understood the significant role it played (or would play) in your company’s success. Even small companies spent countless thousands of dollars investing in these complex technology beasts, primarily because it was either that, or use consumer services like CompuServe, HotMail or AOL which just couldn’t meet the growing security and legal needs of most companies. Fast forward to today and I’m still seeing SMB companies insisting on running their own servers for reasons that have since become a liability to their own business.
Things you should consider if you are still running your own email server:
- Do you think your email server is more secure than the ones run by Google, Microsoft or any technology company who’s entire business model is built around providing that service? Unless you are in the business of providing email services, you should focus your efforts and money on your core business.
- How reliable is your technology infrastructure? What happens when your internet goes down? What about the power in your building? Most clients I know have at least one planned power outage a year and probably several unplanned ones, on top of the occassional internet circuit failure. One client was recently down for over a week during the Verizon-Frontier fiasco. Could you survive without email for that long? Could your company?
- How much money have you spent supporting an email server that provides service for a small staff? Have you calculated the cost per user per month? Is it less than $5? If not, you are not “beating the market”. And even if you are, how long do you think that will last? Did you factor in spam and malware filtering licensing costs?
- After having the same mailbox and server for years, has your mailbox grown to an enormous size and now you are running out of space and have no real means to do anything about it? Is your mail backed up? Can you even reasonably search through that much email and not have constant problems?
- Have changes in your industry required you provide security like encryption or compliance filtering? Suddenly you are faced with the prospect of needing to not only purchase new software, but also having to update your technology infrastructure just to be compatible with the new software.
If any of these five points hit close to home, you should definitely be considering the move to a hosted email provider. The market has stabilized to the point of being able to provide enterprise-grade email services on an SMB-sized budget, leveling a playfield that used to favor deep pockets and dedicated IT staff. It’s time to retire the in-house email server and invest in the future of your business instead of a dead-end technology strategy.
Looking back over the past few weeks I realize I’ve fallen down on my job of terrifying you with news of the latest technology boogeyman. There’s a new ransomware in town and this one gets down to business in a hurry. Dubbed Petya by security company F-Secure, this vicious piece of malware works in a similar fashion to its brethren by encrypting data and holding it for ransom, with a twist: instead of encrypting just your documents, it will “kidnap” the entire disk by encrypting the master file table, and it can do so very quickly because the MFT is just the “index” of all the files on your drive. If you were to think of your drive as a book, this is the equivalent of putting a lock on the cover and holding the key for ransom.
What this means for you:
At minimum, any virus infection is going to result in a bad day even if you have a full backup of your important data. Before your data can be restored, you need to be certain the malware hasn’t spread to other machines and is waiting to pounce the moment you get the data restored. With previous versions of ransomware, the attack would leave affected machines more or less operational as the malware only encrypted documents and usually left applications and the operating system intact. Not so with Petya which locks out the entire disk. If this malware were to attack a server, it could paralyze an entire company within seconds. If you though recovering and cleaning up a workstation took a long time, double or triple the time needed to bring a server back online, and that’s only if you had full-disk backups and not just files. A malware attack is inevitable – no amount of money, time or paranoia can provide 100% protection. Your only hope for a recovery is proper data backups managed by an experienced professional. Are you ready to test your backup plan?
Image courtesy of Zdiviv at FreeDigitalPhotos.net
In the latest dramatic chapter of the ongoing encryption battle between the FBI and Apple, the feds have admitted that they worsened their chances of ever finding out the contents of the San Bernardino shooter’s iPhone when they reset its associated iCloud password in a misguided attempt to access the locked device. According to Apple, prior to that reset, the FBI may have been able to gain access to the device without Apple having to provide a controversial backdoor to its otherwise very secure smartphones. On top of the FBI’s blunder and lack of understanding of Apple’s iPhone security, it’s also clear that several members of the House Judiciary Committee leading the hearings on this controversy are also poorly versed in how smartphone security works. To be fair to everyone, Apple’s iCloud system is arcane even to me, so it’s easy to see how someone unfamiliar with the system could make this mistake.
What this means for you:
Making fun of government officials being ignorant about high tech subjects is like shooting fish in a barrel. The “series of tubes” analogy used by Senator Ted Stevens is just one of many examples of US lawmakers struggling to understand admittedly complex technologies like the internet and encryption. Back then (10 years ago!) it might have been acceptable to dismiss their technology naivety as understandable – after all they are congress people, not IT consultants. But now, in an increasingly technology-permeated society, their ignorance or willful disregard of technology can lead to very bad decisions that have widespread and long-lasting consequences. This is just as applicable to your personal and workplace tech. While it’s impossible to be an expert on everything, if you rely on technology for critical business operations, you should have more than a basic understanding of how to turn it on and off. At minimum you should know what risks come with that technology, and if you cannot claim to be an expert in the technology in question, you should always consult with an experienced technology professional before making game-changing decisions.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Apple made a big splash last week when CEO Tim Cook published an open letter in response to the FBI’s request and subsequent court order to hack the iPhone of the primary assailant in December 2015’s San Bernadino mass shooting. As one might expect, Mr. Cook basically told the government that they would not comply, and fortunately, they might be the one company that could afford to fight this battle in the courts. Though the tech industry has typically maintained a similar stance on device encryption, even the most staunch champions of digital privacy such as Google and Twitter have had suprisingly muted responses to the growing battle. Also revealing is a recent Pew poll that suggests while the tech industry may be largely united on device encryption and government backdoors, the American public isn’t quite sure what to think about this complex issue.
What this means for you:
Late model iPhones ship with encryption enabled by default, and as long as you enable some form of authentication on your device, the data on that device will only be accessible if you unlock it. Law enforcement can’t break the encryption, and Apple, by it’s own admission, cannot decrypt your phone’s contents with out the proper authentication, even if the phone owner asks them to do so. If someone tries too many times to guess your pin, the device will be automatically wiped – no intervention from Apple or your carrier is required. The FBI is demanding Apple create a way for them to unlock the iPhone of the San Bernadino shooter, which if Apple were to actually accomplish such a feat, could theoretically allow anyone with possession of this backdoor to decrypt any iPhone protected by similar technology. Like the atomic bomb, the development of this backdoor cannot be unmade, nor will it remain only in the hands of the “righteous”. While the data on the SB shooter’s phone may prove useful in providing some closure to the incident and may even help further other domestic terror investigations, it’s easy to see that the FBI means for this case to set a precedent that will give them unfettered access to an area that has traditionally been protected, both by law and by technology.
Though the average consumer is still many years away from seeing or using one, quantum computers are moving steadily from theory to reality, and seems to be following the same accelerated curve most other technologies follow. First theorized in the 1960’s, the field of quantum computing was formally established in the early 1980’s, but actual systems using quantum computing only appeared in this decade. Lockheed Martin purchased in 2011 what appears to be the first physical implementation of a quantum computer: the D-Wave One. Google launched its own quantum computing initiative in 2013 in joint effort with NASA, and Edward Snowden revealed in 2014 alleged plans by the NSA to build a quantum computer expressly for cracking encrypted data.[Skip this section unless you really want a brain twister!] Quantum mechanics on its own is an incredibly dense and complex field of science, and even though quantum computing concerns itself with a specific application of quantum mechanics, it is just as inscrutable as modern computers are now to most people. In a nutshell, where modern computers process data by boiling down everything to zeros and ones (bits), quantum computers process data using qubits, which can exist as either a zero or one, or any number of infinite states in between. While you are trying to wrap your head around that one, consider this next mind-blowing fact: where traditional CPU’s solve problems by switching between one or zero (albeit very, very quickly) and testing a condition (is it 0 or 1), a quantum CPU can simulaneously solve for one and zero at the same time. Because of this capability, a quantum CPU would be vast leap forward both in speed and complexity as compared to a “traditional” CPU.
What this means for you:
Scientists and security experts are justifiably concerned that quantum computers could easily crack the toughest encryption methods in use today. Encrpytion that would normally take today’s computers thousands of years to crack could, in theory, be broken within hours on a quantum computer. It’s not a long jump to suppose that the first organizations to implement quantum computers will be nation-states and large corporations, and then the race will be on to safeguard data with even stronger cryptographic algorithms. Echoing an arms race not unlike the nuclear one in decades past, modern technology is advancing at a pace that most humans will never stay ahead of, and we are relying on a small number of people in power who continually demonstrate an alarming lack of understanding of technology in general. Its important for all of us to step up our game and to focus on, at minimum, learning more about the technology we use everyday, and when we hit our limit, making sure we are protected and led by more knowledgeable people we can trust.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Password storage utility LastPass reported earlier this week that they discovered suspicious activity on their servers and as a result, some of their users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on a secondary email authentication confirmations for all LastPass logins from new IP addresses, and they are recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).
What this means for you:
LastPass uses a very strong encryption method to secure your data, and it would take some significant computing resources to crack their encryption from a brute-force perspective. However, if your LastPass master password was easily guessable, in theory they could use the stolen hash and salt to confirm that password, and attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.
Laptops and cellphones were once the sole domain of high-powered business executives, but thanks to the proliferation of high-speed internet and falling hardware prices, they are pervasive not only in professional environments, but in just about any walk of life. As you can probably guess, this also means an exponentially expanded attack surface for cyber criminals who are no longer focusing on traditional targets. Anyone who has a bank account or credit history is a potential victim, and younger targets can be exposed to potentially dangerous privacy invasions. Rather than enumerate the various ways in which your security and safety could be violated (we all have enough nightmares as it is), I’d like to focus on some positive actions you can take to make your mobile, digital life safer and more secure.
- Password protect your devices.
Even the most careful professional will misplace their mobile device on occassion. While passwords won’t stop determined hackers, it will keep most everyone else out until it can be recovered or remotely wiped. Laptops normally do not have remote wiping capabilities, so don’t stop at just a password for protecting these types of devices.
- Use built-in apps, or purchase location-tracking software.
Late-model Android and iOS devices have location tracking and recovery capabilities built-in, but they must be enabled. You can add location tracking or a “phone-home” program to your laptop, but it requires the device to be connected to the internet in order for it to report its location.
- Don’t store sensitive information on mobile devices.
With any portable device, the chance of it falling into the wrong hands is high. If you don’t have an IT department managing your device and controlling what can be stored on it, you should inventory what is stored on the device (sensitive client info, photos, personal financial data, passwords) and consider whether you need that information to be stored on that device. If you do, make sure you observe #4.
- Encrypt any storage media.
All late-model Android and iOS devices have the capability to encrypt all data stored on the phone. It’s on be default on iPhones, but must be enabled manually on most Android devices. If you have to store sensitive data on your mobile device, make sure encryption is enabled and working. While it’s not completely necessary to encrypt your entire laptop hard drive, it is possible, and many financial service firms require it on their laptops. At minimum, store your sensitive data in an encrypted partition or folder, or on an encrypted thumb-drive.
- Back up your data.
Do I even need to qualify this particular practice? Backups should be stored separately from the hardware being backed up. It should be transmitted and stored encrypted if it’s internet/cloud based. It should be as frequent as the minimum period of data loss you are willing to lose, e.g. if you can’t stand to lose an hours worth of work, your backups should run on an hourly basis. Be aware of the performance hits this may have on your hardware and network bandwidth.
- Hide devices in parked cars or take them with you.
Mobile device thefts from parked cars is consistently at the top of all loss categories. Thieves know to target cars coming and going from office parks, universities, airports, and the retail/service businesses near these locations. Before you drive away from your work location to a Happy Hour or a quick bite or some grocery shopping, stow your laptop bag in the trunk or hide it in a hard to access part of the car. Don’t do this when you reach your destination, as the thief may already be there, watching for someone to do just that. If you can’t secure it or hide it properly, take it with you.
- Add a leash.
If you are highly mobile and work from many locations, it’s easy to misplace your smaller electronics, and sometimes even laptops. Add a colorful leash to your thumb drives so you don’t forget them, and maybe even consider the same for your phone if you are prone to misplacing it. If you have to take your laptop bag with you to a place where you don’t plan to use it (because of #6), attach the strap to something you will be using at that location, whether it be to your jacket or purse, or even to your leg if you are sitting in a location with lots of noise or distraction. It’s easy to forget work-related tools when you are focused on non-work activities.
- Be less conspicuous.
In open public places with crowds, conspicuous use of expensive mobile devices will flag you as a target for bold thieves. I’ve talked with victims whose laptops were pulled right out from under typing hands in a sidewalk cafe or picnic table, and have read numerous reports of smartphones and tablets being grabbed in broad daylight. If you want to work on your device in a busy environment, keep one eye on your surroundings, and place yourself and your device in a position where it will be less easy to snatch by a fleet-footed thief.
- Educate your friends and family.
Even though you may be cautious and secure, the people around you can undo your careful preparations with carelessness or even well-meaning intent. Be mindful of everyone around you who might not be as savvy as you in technology, and choose carefully how you interact with them via email, social media, and even device sharing. Work laptops are notorious for being infected by family members who don’t have the same security concerns as you do. Quieting a young child with your smartphone may seem like a good idea at the time, but maybe there is some other way you can entertain them that doesn’t involve your work phone.
- Report thefts/losses immediately.
Eventually, it will happen. Whether the device is stolen, damaged or infected and compromised, you should work immediately with the appropriate authorities and professionals to make sure you limit the damage, both to you and your organization, as well as any customers or clients who might be affected. Don’t wait.