There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, its highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
Confirming something that many of us already suspected, Twitter has revealed in its most recent SEC filing that almost 9% of all Twitter accounts aren’t used by actual humans. Given the social media’s 271 million accounts, that’s nearly 23 million Tweeters posting content at the behest of some form of automation or algorithm.
It’s an unfortunate but not unexpected state of affairs that hackers continue to take advantage of our voracious appetite for news. As has been happening with hot news stories for at least a year or more, malware links are cropping up to exploit the media frenzy surrounding missing Malaysian Flight MH370. Taking advantage of the viral nature of sharing prevalent on Facebook and Twitter, fake links promise “shocking video” revealing the fate of the missing flight. Clicking them takes you to a counterfeit survey designed to look like the Facebook surveys many app-makers use to gather info on users before granting access to their app or content. Instead of course, you are giving your info to hackers on a fake website which will undoubtedly be used to annoying, or worse, nefarious ends.
What this means for you:
If I’ve said it once, I’ve said it 1000 times: don’t click links in Twitter, Facebook or email, doubly so if the source isn’t someone you trust or recognize, and you can’t clearly see the destination URL. Most links shared on Twitter use a URL shortener which obscures the final destination, a technology designed originally to compress long URLs into tiny ones and now used as a trick by spammers and hackers to lure you to a fake website. All it takes is a simple page load (no typing or filling in forms required) for an out-of-date browser or OS to be compromised, and once they have a toe in the door, it’s all down hill from there.
From this point forward, you should expect hackers will exploit hot news items to take advantage of our natural curiousity. If part of your online brand-building, either professionally or personally, includes re-sharing or retweeting internet links, be careful you don’t inadvertently share a fake news item to your friends and followers.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of it’s the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probaby the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that being generated based upon information gathered on the internet from sites like Facebook and Linkedin, making it harder and harder to spot the fakes in your email.
An Islamist hacktivist going by the moniker “Mauritania Attacker” claims to have hacked and accessed the entire database of Twitter accounts. As proof of this exploit, he has published details on 15,000 accounts that included access tokens users have generated for other applications that use Twitter either as an authentication source, or as a means to publish data from or to the microblogging service. According to representatives from Twitter, no accounts have been compromised, and the account details released by the hacker did not contain passwords (hashed, encrypted or otherwise). Security analysts suspect that it may be possible to use the exposed security tokens to gain limited access to publish through the associated Twitter account via third party app (which is what the tokens are for in the first place) if a hacker could ascertain for which app a specific token was created.
What this means for you:
If you use Twitter, you should do two things:
- Enable login verification by going to your Twitter settings -> Account -> Login Verification. This basically sends out a confirmation to your mobile device that must be entered in order to log into your Twitter account.
- Revoke permissions to Twitter-enabled apps. You can do this by going to your Twitter settings -> Apps and clicking “Revoke Access” next to every app on the list, even the ones you might use frequently. Then, you can go back to your favorite apps and reauthenticate. This way, you can recreate the access tokens, and not have to worry about the possibility that your access tokens were among the ones shared by the Mauritania Attacker.
It’s commonly said that you either “get” Twitter or you don’t, and there is a small percentage of folks (your’s truly included) that understand Twitter but prefer other social media platforms. Regardless of where you stand on Twitter, there are millions using it to send billions of tweets, and lest you think all those pithy (and not so pithy) thoughts are gathering virtual dust on some Library of Congress archive server, researchers at University of Vermont’s Computational Story Lab have created a website that uses English-language tweets to guage the overall happiness level of the (English-speaking) world’s population.
Based upon the usage of certain words that are scored on a scale of 1 (sad) to 9 (happy), The Hedonometer crunches the numbers into a visual representation of the “world’s” happiness on any given day, going as far back as October 2008. Based upon the statistics so far, Christmas Day appears to be the happiest day of any year, and you can spot obvious low points as well, including the recent bombings of the Boston Marathon. The creators of the site plan to include other sources moving forward, including text from the New York Times, Google Trends, the BBC and Bit.ly.
What this means for you:
On a purely practical level, there is probably not much for the average human on Hedonometer.org other than intellectual stimulation. Sadly, UV’s researchers haven’t revealed the secret of happiness on a personal or global level, but their research and results do illustrate the point that many, including myself, like to make about living in the digital age: everything we do on the internet is being recorded, and in most cases, it’s being analyzed. Sometimes that analysis is academic (ie. Hedonometer.org) but as for-profit companies (think: Facebook) start to crunch the massive amounts of data they have on their servers, our collective behaviors, moods and (most importantly) needs will merely become an exercise in big-data analysis. While human welfare and profit aren’t mutually exclusive, the latter is not known for being universally conducive to the former, especially when the leaders (or stakeholders) of those companies view profit and happiness as a zero-sum game.
In a rare public admission, Apple has indicated that some of its own internal Macintoshes have been compromised in a cyberattack that security researchers believe similar to the one that breached Facebook last week. Announcements from Apple of this type are very rare, as Apple has long touted one of the strengths of its platform was how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame for the hack at Java and a vulnerability that was taken advantage of to gain access to Apple employee computers.
What this means for you:
Apple’s recent breach is just one more notch in cybercrime’s belt that includes a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep, and Burger King, not to mention the numerous intrusions of government agencies and countless hacks of businesses that go unnoticed and un-reported. In the case of the Apple and Facebook breaches, the source has been tied to a mobile development website that both company’s employees accessed, and according to both companies, there appeared to be no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is now entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today, where organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any number of a dozen untraceable ways to rent out zombified computers and webservers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shot-gun targeted campaigns that only need to snag a small percentage of victims in order to be profitable. This is not some imaginative, cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training.
Microsoft is (re)launching Outlook.com and consolidating its various “free” email service domains under the Outlook.com brand in an effort to regain the former glory it once held with Hotmail.com which has since fallen to a distant third behind Google’s Gmail and Yahoo Mail. Microsoft estimates it will be spending anywhere from $30 to $90 million in marketing in all the major media over the next 3 months on a combination of attack ads aimed at Gmail users as well as informational campaigns they hope will help persuade users to switch (back, in many cases) to Microsoft.
What this means for you:
If you already have a Hotmail.com or MSN.com email address and you haven’t already converted over, you’ll be migrated over to Outlook.com gradually as Microsoft consolidates the services under the new brand. If you are considering switching (or opening another webmail account), the only feature Outlook.com is offering that differs from the competition is Contacts stored in your online address book will automatically update information based upon information available on social media platforms like Facebook, Twitter and LinkedIn. Gmail does this with G+ but you have to resort to third-party extensions and services to mine the other social media sites for this information. Beyond this feature, Outlook.com is mostly playing catch-up to Gmail, though their marketing dollars may steal some of Yahoo’s marketshare despite the company’s revamp of its webmail service a little over a year ago.
In case you haven’t been keeping up on your popular internet news, Applebees has stumbled into the hornet’s nest known as the “Internet backlash” following the termination of food server Chelsea Welch. Ms. Welch posted a receipt she received from a customer who wrote a decidedly controversial message on the bill, refusing to pay the restaurant-suggested tip that Applebees (not the food server!) adds for serving large parties. Being of the digital age, Ms. Welch did what many do (right or wrong) when something offends them: they share it on the internet. And as things sometimes do on the internet, outrage happens.
Here’s where the fun begins. Instead of circling the lawyers around the Applebee’s camp and running some professional damage control, someone with control over Applebee’s Facebook page took it upon themselves to argue with the entire internet. They did it poorly and clearly without “adult supervision.”
Rule #1 of the internet: “Don’t get into an argument on the internet.”
Rule #2 of the internet: “Don’t post in anger.”
What this means for you:
If you are in business, and your business has an online component: Facebook page, Twitter account, G+ presence, etc., how you use that account is possibly one of the most powerful brand management tools in your arsenal. As a famous superhero is known to say, “With great power comes great responsibility.” Part of that responsibility is understanding exactly what impact your status update, tweet, post, etc. can have. In the case of Ms. Welch, she didn’t have a large audience to start with. I’m sure she shared the photo with only a handful of friends…who then went on to share with their friends…and so on, and so on. You get the picture. Also keep in mind that if you have employees, make sure they understand the responsibility they have in representing your company’s brand on the internet, officially, or informally. You don’t need to police their Twitter postings and friend them on Facebook, but it doesn’t hurt to gently remind them that if they are representing themselves as employees of your firm, that representation doesn’t end the minute they clock out at work, especially if they clearly (and proudly) display you as their employer on their social media profiles.
- 1
- 2