Those of us who have been using computers for a few decades remember the days when getting a computer virus was more of a nuisance than today’s current nightmare, but back then computers and the internet played a much lesser role in our personal and professional lives. On top of this, the past purveyors of malware had a much different agenda (if they had one at all) than today’s anonymous blackmailers and ransomers. When money is the object, you can bet some very smart and unscrupulous people are going to find ways to pollute your ‘puter for profit, and sadly, email is big, red target on everyone’s back.
Why is email targeted?
- Everyone has an email account. As of this year, over half the planet uses email meaning there are literally billions of email accounts. Email extortion schemes are extremely profitable if only a very small percentage fall for the fake link or open the bogus attachment and then follow through with a ransom payment. The profitability of a ransomware campaign relies on how wide a net can be cast, and with billions of fish in the sea, lots of nets can be cast.
- The cost to send an email is microscopic. Even campaigns that send millions of phishing emails have incredible ROI if only a tiny percentage actually hook a victim. With the right infrastructure (typically hacked servers belonging to someone else), malware teams can push out millions of emails with a few hours of investment of time and minimal hardware costs. On average, ransom demands to small companies are now upwards of $13000 per incident. You don’t even need to do the math to see why this is happening.
- It’s incredibly easy to fool someone via email. Yes, you still get a ton of poorly spelled and grammatically awkward offers to share in the inheritance of foreign princes, but mixed among all the general pollution and real emails are fakes that are becoming increasingly hard to catch. Email scammers are upping their game daily, especially since it definitely leads to more victims getting tricked.
- Each of us gets too much email. I don’t know a single adult who would say otherwise. Even those of us who are really damn good at grinding that email box down to zero each day (not me) do so at great expense of time and energy. And, like any working adult who is pressed for time, this means we are more likely to cut corners (ie. security) and make hasty decisions that leads poor outcomes.
- Email technology has not advanced to match the growing sophistication of malware. Outlook is literally 22 years old and has not changed much in how we process email. SMTP, the primary delivery mechanism for internet email was first released in 1981, and while security and encryption has been tacked on in the intervening years, the core technology is essentially unchanged. Email technology needs its equivalent of the hybrid/electric car to change the industry, and seeing as how long it’s taken those types of cars to affect meaningful change, I don’t expect a quick change on the email side either.
- We are completely dependent on email. Even if we wanted to cut email out of our lives, too much relies on this system of communication to even consider how we would function without it.
Next week: how to bolster your email security perimeter.
Image by Gerd Altmann from Pixabay
Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:
“Cloud platform supports millions of IoT devices and guarantees the data safety.”
The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.
How can a company screw up so badly?
I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. Among the two billion records that includes customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. are email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many family’s homes and hotel rooms, and could potentially endanger their actual lives.
What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been access by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.
New week, new punching bag: this time, Intel returns to the spotlight with yet another flaw in its CPUs, up to and including the most recent 9th generation processors as well as going back as far as ones produced in 2008. This week has been absolutely bananas for technology issues so I’m going to keep the literary gymnastics to a minimum. Truth be told, I’m still trying to wrap my head around the technical details of this latest exploit, but here’s a simplified explanation of what I understand so far.
What this means for you: apply updates and stay patched!
Two independent groups of researchers as well as Intel themselves have been quietly working on identifying a new, serious exploit in how Intel CPUs operate. Unlike typical security flaws that can be patched with software, vulnerabilities like this one, dubbed RIDL, Fallout, or MDS (depending on who you talk to) are a result of how the CPU was designed to operate. This new flaw, along side the two previously announced Spectre (2017) and Fallout (2018) vulnerabilities, fall into a class of exploits that are based on a core design of Intel architecture originally built to help computers run faster. Put as simply, predictive processing guesses what the CPU is going to be asked to do next and have the necessary code or data already loaded into nearby caches. Previous exploits looked at the predictions, and the latest basically looks at the guesses that turned out to be wrong or unused. Each discarded guess only contains a few bytes of data, but given a focused attack repeated thousands or millions of times, the leaked data can eventually be amassed into a significant security breach.
Interestingly enough, Intel has known about this particular flaw for an undisclosed amount of time, and has already been working with major industry players like Microsoft, Google, Apple and the usual Windows PC manufacturers to patch or mitigate the vulnerability, which may or may not already be applied to your equipment. At this point, unless you really like reading technical bulletins like this one, I’d recommend paying close attention to update notifications from your computer’s manufacturer as well as applying security patches to your various devices, regardless of their business or personal focus. As with the previous two vulnerabilities, Intel and manufacturers are being cagey about pointing out exactly which updates might be addressing this particular issue, or even if they’ve already been fixed (as many manufacturers will assert), and Intel itself is downplaying the severity of the flaw, despite differing opinions from the independent research groups. Intel discounts the severity based upon the relative sophistication required to exploit the flaw, but researchers rightly point out that though the flaw may be hard to exploit, the data it exposes is highly sensitive and previously thought completely secure.
Full disclosure – I’ve long been a fan of many of Google’s services. I’ve used Gmail since the first beta, rely on Google search all day long, use a Pixel as my smartphone and listen to music all day long through their music service. It pains me when my favorite tech brands make poor choices, and unfortunately, Googles leadership seem to have forgotten their founders original scree, “Don’t be evil,” in favor of behaving like any profit-driven, ethically-ambiguous megacorp. The latest scandal comes from one of Google’s recent tech acquisitions in the form of a failure to disclose the presence of microphones in the Nest Secure home devices. Now, the presence of microphones in security devices shouldn’t come as a surprise, but Google’s failure to mention it in any documentation is a glaring breach of trust on their part.
What this means for you
When I first heard this news, I though to myself, “Well duh, of course these things have microphones. They are security monitoring devices,” and thought that, once again, naive consumers were purchasing and installing the devices without RTFM (“reading the fine manual” except substitute your own f-word). But no, Google (and Nest) didn’t actually document the presence of a microphone at all until it recently revealed that the Google Assistant technology could now be used on the Nest Secure device which, oh by the way, uses voice control…which, erm, requires a microphone…that is already on the device. According to Google, the microphone was disabled by default and can only be activated when the user specifically enables it. Which doesn’t make the whole failure to disclose any better, because how do we know it wasn’t enabled, and why should we trust them to be telling the truth now?
Unfortunately for you, even if you were being a careful consumer and reading the fine manual (or label, or reviews, etc.) the only way you would have known there was a microphone in the device would have been to dismantle it yourself, but why would you do that because the product documentation clearly lists the device’s specs, doesn’t it? Does this sound familiar? Like some other technology megacorp abusing its users’ trust? Is it going to take dragging these companies in front of Congress to get them stop being so lackadaisical with our privacy? Well, before we do that, let’s make sure we elect Congress critters that know iPhones aren’t made by Google.
There is nothing like severe weather to make you appreciate the benefits of a highly mobile workforce, whether you are the worker, safely ensconced in a warm & dry location, or the business owner, suddenly managing a half-empty office but confident the wheels of commerce are still turning. Thanks to declining technology costs and pervasive internet, using a laptop is no longer a status symbol of the executive or the sale team, nor is being away from the main office isolating and limiting. However, there are some speed-bumps on the highway to the work-from-anywhere ideal.
What you should know before going mobile
- Understand what applications and data are required to do your job. If it’s just internet access and email, you’ve got everything you need on just about any laptop, tablet or even smartphone. If you use industry specific applications that require access to data stored on your office server, can that app be run when you aren’t connected to the office network? Probably not, in which case you are going to need a VPN connection or remote access to your work PC.
- Plan your access to the internet carefully. Using your home internet connection is typically fine for most business users, but be very wary of posting up in a local coffee shop expecting to sip lattes and use their free WiFi without a means to secure your data transmissions such as using a VPN. What will you do if wherever you end up doesn’t have working WiFi? Most modern smartphones can provide a hotspot that should work for light internet work, but make sure you know how to use it before relying on it.
- Wireless internet is unreliable and possibly not secure. If you have a moderately sized home and the consumer-grade router installed by your ISP, you know of what I speak. If you have business-critical work that needs to be done, just know that WiFi can and will make you crazy with an unreliable connection, and doubly so for a smartphone hotspot, so plan accordingly. And don’t get me started on free WiFi provided by your local retail/restaurant/laundromat/etc. That WiFi should be consider as being provided for entertainment purposes only, and never used for business unless you have a proper VPN connection protecting you.
- Do you need to print? There are printers that are built for travel, but they are finicky and prone to fail at the least opportune time. Before any extended jaunt out of the office, make sure the printer is properly provisioned (ink and paper) and charged or equipped with its power cord. You might want to print something out just to be safe.
- Mind your ergonomics. Just because the local coffee shop is comfortable for lounging does not make it ideal for working. A couple hours sitting on a hard wooden stool hunched over your laptop will wreck the healthiest person’s back and neck. And typing away on a smaller keyboard will definitely strain your wrists and shoulders, while the small screen wreaks havoc with your eyes. The most productive and healthy remote workers will know what positions and heights are ideal for working with a laptop, and will equip themselves with things like laptop stands, cordless mice (and keyboards!) and choose environments that allow them to sit properly and comfortably.
- Are you going to be making a lot of phone calls? Those of us that spend most of our work day on the phone usually use a headset. Make sure the one you are planning to use can hold a good charge if it’s wireless, and has a better-than-average mic, as oftentimes you will be in noisy environments. You may be able to hear your caller just fine, but they may have trouble hearing you. Also keep in mind that if you are planning to use your phone as a hot spot, you may not be able to make phone calls at the same time.
- Is your device secure? It may seem like overkill, but consider using a cable lock on your laptop, especially if you are working in a public space and there’s any chance you may have to take your eyes off the device for more than a minute. If you store any sort of confidential company data on your laptop, including email, the hard drive should be encrypted and your laptop protected by a strong login password. Never leave your laptop or laptop bag visible in a parked car, even if it’s only for a few minutes.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
By the time you read this, Apple will be on day two of quarantining group calls in its video chat app, FaceTime. Why? Oh, how about a nasty eavesdropping bug that would allow callers to listen in on recipients before they pick up the call? Not necessarily ground-shaking in terms of espionage or cybercrime, but potentially embarrassing or even relationship-destroying, especially for an app that is heavily used for non-business calls. To add to the embarrassment of everyone, discovery of this bug is credited to young teenager trying to set up a group chat with his Fortnite friends. Thanks, Fortnite?
What this means for you
Probably not much, except if you use FaceTime for group chats which is now unavailable until Apple fixes the issue. At the moment, there is no firm ETA on the fix which “…will be released in a software update later this week,” per Apple’s official statement. Unfortunately, this isn’t the first security bug for FaceTime’s group chat feature which is not even a full year old. Last fall a security researcher was able to exploit a flaw in group chats to bypass the lock screen and view a user’s entire address book. Thanks to the internet and the always connected nature of iOS devices, bugs like these are typically fixed quickly, and unlike Android phones which suffer from a fractured operating system environment and inconsistent update policies controlled by competing manufacturers, Apple is able to react quickly to these situations. Score one for the fruit company!
I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers which can help to stop advertisers from snooping your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fallback to another browser. Fortunately all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
Over the years since the internet has come to dominate the technology and business landscape, I’ve often compared the growing tide of malware and general bad behavior found online to pollution. Like its physical manifestation, the source of internet pollution can’t be tied to a single cause or factor or even several of them. The rising tide of malware, spam, cybercrime, and even fake news is caused by a relatively small group of ignorant, mercenary or even outright malicious agents, but because of the way the internet works, there are few practical ways to stop it from spreading everywhere. If you imagine that the internet is the ocean, this stuff is a gigantic oil spill, illegal toxic waste dump and six-pack rings spreading everywhere.
And your website is soaking in it.
Most of us access the internet like we tap our water supply – through (more or less) filtered pipes connected to the main source. Just like I wouldn’t recommend drinking your water straight out of a lake or stream without some filtering, accessing the internet without proper protections is asking for a nasty infection. But have you considered the chilling fact that your website is out there, right now, braving the internet without a hazmat suit? According to at least one internet security company, over half of all website traffic is generated by bots, and more than half of that traffic is malicious. More importantly, they found that for the smallest, least trafficked websites (0-10 human visitors per day) had the highest percentage of non-human traffic, and because they were less visible and more likely to be unattended, they were more likely to be attacked and successfully compromised. Does that sound like a website you know? Maybe your own website? On average, C2’s webserver is attacked several hundred times a day, and, let’s face it, compared to the rest of the web, we’re at the very low-end of the traffic scale.
As to why anyone would attack a site that isn’t visited that much? A compromised website has many uses, many of which actually require that attention not be drawn to the compromised activities occurring on your very own internet island. This allows the attackers to leverage your site’s computing and broadcasting power (however small), essentially drafting it into a massive mesh of zombified soldiers that aren’t limited by a workplace or home firewall. And there are a ton of low-traffic websites. It’s the internet-version of the age-old question of, “Which would you rather fight?” One massive, infected website, or a million tiny, but infected, websites?
Unless you are a skilled website administrator, securing your site isn’t trivial. Definitely leave it to the professionals, but don’t leave it undone. Your website is floating in polluted waters, and unless you take necessary precautions, your little bit of internet paradise might end up looking like the picture attached.
Image courtesy of Sujin Jetkasettakorn from FreeDigitalPhotos.net
In 1993, The New Yorker magazine published the cartoon “On the Internet, Nobody Knows You’re a Dog” by artist Peter Steiner. More than two decades later, this simple illustration continues to highlight the double-edged sword that is the internet’s ability to widely spread information effortlessly. This is a powerful force multiplier for both good and evil, even more so if the information is wrong, or worse, deliberately misleading with no way to hold anyone accountable for the malicious activity. A few years back I wrote about how easy it was to misinform “the public” resulting in adverse consequences, a trend that seemingly culminated into a highly effective political strategy of deliberately spreading false or misleading stories on Facebook and other social media platforms. Unfortunately, fake news purveyors are upping their game and have now descended to building counterfeit websites that ape actual, legitimate news organizations, hoping to further obfuscate research into an article’s legitimacy now that social media news readers have become a little more savvy.
How does an average citizen tell the real from the fake?
As you might have already noticed, conning someone via the internet has become increasingly more likely and common. Where before we could roll our eyes at obvious spam emails filled with broken English and ridiculous schemes, our mailboxes and social media accounts are flooded with well-funded and cleverly disguised content that appears legitimate, and because no one has the time investigate every single thing we receive, we take the most expedient path to discovery – we click and consume without engaging some critical reasoning, the internet equivalent of finding out if milk is bad by taking a swig before giving it the sniff test. Unfortunately for us, clicking a bad link or passing along a fake news story will result in way worse consequences than a mouthful of sour milk. Dealing with bad milk is easy – toss that carton in the trash – but how do you hold accountable someone (who might or might not be a figurative dog) on the internet?
All hope is not lost. While it may be misleading to fear that anyone can remain completely anonymous on the internet, it’s actually still difficult to accomplish this. Maybe less so when you have the backing of a nation-state and an army of hackers whose full-time job is to cause disruption through fake news, but the tool they use, the internet, still sees and tracks everything, and spreads the truth just as freely and quickly as the false information. For now it will be a competition to see who can spread information more effectively, and the only way good prevails if we the audience engage our brains to the fullest whenever we take a dip in the currently muddy waters of the internet.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: all security systems are only as strong as the weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for security breach will prepare you to react properly and deliberately rather than a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.