Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


Security is about to get even more complicated

Christopher Woo
Tuesday, 27 May 2025 / Published in Woo on Tech

We’ve discussed in previous blogs how technology seems to be getting worse from just about every angle, whether it’s cost, quality or security. We can attribute a large chunk of this downward trend to the increasing profitability of cybercrime, which is itself a vicious, amplifying spiral of escalation. The more we try to keep ourselves safe, the more complicated it becomes to do so, and most regular folks don’t have the training or endurance to keep up, especially if you are a part of the growing elderly generations that are forced to use technology they barely understand just to stay alive and keep in contact with friends and family. With the recent (in my opinion ill-advised) downsizing of the Cybersecurity and Infrastructure Security Agency (CISA), much of this country’s organizational strength and operational efficiency in cataloging and combatting cybersecurity threats will be abandoned.

What this means for all of us

Regardless of whether you are a big or small organization, CISA’s leadership and work provided foundational guidance on all existing cybersecurity threats while constantly researching, investigating and publishing information on new threats as they were discovered. One of the main reasons that governments exist is to provide funding, resources and scaled force for tasks that cannot (and should not) be handled by smaller groups or for-profit institutions, such as military defense, mail delivery, and national security. As has been demonstrated time and time again, for-profit companies cannot be trusted to put people before profits, and security oversight is definitely not something you want to enshittify. And yet, that is exactly where we are. In the absence of CISA leadership, organizations, whether they be ad-hoc coalitions of state-level agencies or, most likely, for-profit companies in the security industry, are now scrambling to fill the gigantic, CISA-shaped hole in our nation’s cybersecurity. Let’s be clear, security for small businesses was already well on its way to becoming difficult, expensive and onerous. Eliminating national leadership will most definitely lead to a fracturing of an already complicated security framework that will most assuredly weigh very heavily on those who can least afford to shoulder a burden that was formerly carried by those trained, equipped and funded to do so.

enshittification, government, security

Driver’s License on your phone?

Christopher Woo
Tuesday, 24 September 2024 / Published in Woo on Tech

California is one of 7 states participating in a pilot program that allows drivers to store their license on their phone in their Apple or Google wallet. California’s rollout is part of a larger project called “Digital ID Framework” which lays the groundwork for a much broader implementation of identification that is intended to supplement and eventually replace physical IDs like Passports, government badges, and Driver’s Licenses. Their vision is to link the various State-certified credentials and government programs with day-to-day practicalities like checking in at an airport, purchasing groceries through EBT, or proving to local agencies that you are a licensed cosmetologist. But don’t throw your Driver’s License in a drawer just yet.

What this means for you

First off, California’s pilot program is limited to 1.5 million participants at the moment, and obviously you will need to have an Android or late model Apple smartphone with a functioning digital wallet. Additionally, a mobile Driver’s License in Apple’s or Google’s wallet only grants you the ability to use it to verify your ID at airports, so unless you are a frequent traveler, adding your license to your digital wallet is really more of a novelty at this point. The DMV also has a wallet app that adds a little more functionality: in addition to using it at airports, the DMV wallet app allows you to verify your age at a select few stores in San Francisco and Los Angeles, and the reader function of the app allows you to verify identification of other DMV wallet users. Not exactly the bold new world you might have originally envisioned.

More importantly, your California mobile Driver’s License cannot currently be used for things like traffic stops or other law enforcement verifications. Some states like Louisiana and Colorado have begun adoption at this level, and as I mentioned above, California intends to expand capabilities of their Digital ID Framework to eventually make your phone a valid ID for this exact purpose. Until this comes to pass, and even when it does arrive, privacy advocates are recommending that you never voluntarily surrender your phone to law enforcement for any reason without a proper search warrant and legal representation. Even the Supreme Court has ruled in this matter. Even if you’ve done nothing wrong and are confident that there is nothing incriminating on your phone, it does not mean the person requesting your phone won’t abuse your privacy or their authority. For now, even if it seems like a very convenient feature, keep your phones in your pocket and your Driver’s License handy.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

government, mDL, privacy

CIA Director targeted by US hackers

Christopher Woo
Tuesday, 10 January 2017 / Published in Woo on Tech

This particular story could be one of dozens (or even hundreds) of these types of incidents that occur in any given week: “government official gets social media and email accounts hacked” which then leads to highly confidential data being leaked on the internet. Except in this case it was the current US Central Intelligence Agency director John Brennan, and several other highly-ranked government officials, and the data that was leaked was data from nearly 30k Federal Bureau of Investigation and Department of Homeland Security employees. Also unusual was that the hackers charged in this breach aren’t Russian or Chinese or North Korean. Nope, at least one of the responsible parties hails from North Carolina. And the real reason I’m bringing this story to your attention is this most important facet of the attack: Brennan and the other victims in this incident weren’t compromised through sophisticated malware and technology – the attackers fooled people associated with the victims – usually service providers – through simple tools like emails and phone calls, under the guise of providing technical assistance.

What this means for you:

“Social engineering” is the digital-age equivalent of con artistry, and it is becoming trivially easy to perpetrate given our reliance on tools like email and large, impersonal corporations. In the case of the above, one of the cons included the hacker actually posing as a Verizon technician in order to fool another Verizon employee into resetting Brennan’s email password, and they just worked their way inward from there. As you should know by now, once a hacker is in your email, it’s all over but the crying. Sadly, there’s not much you can personally do to improve poor security practices at companies like Verizon, and despite impersonation being one of the oldest cons in the book, people still regularly fall for it.

It’s only a matter of time before anyone gets hacked – we are human after all, and despite what you might want to believe, there is always someone more clever than you out there, and if you are unlucky, that person is out to get you. You can practice something that is well known to outfits like the CIA and FBI: compartmentalization. Since none of us are intelligence agents (that I know of!), for our purposes this means keeping personal and work activities separate. You can execute this concept in a number of different ways:

  1. Keep work and personal emails in separate accounts
  2. Use separate devices for social networking and financial activities like online banking
  3. Use unique passwords for all your important accounts
  4. Exchange confidential information through appropriate secure channels
  5. Store confidential information in properly secured and backed up locations
  6. Require two-factor security for your most important accounts

The key to proper execution of this practice is discipline and vigilance. It may be inconvenient and seem inefficient, but weighed against the alternatives, it will be worth the effort.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

CIA, data breach, FBI, government, Hacking, security, social engineering

Did Yahoo let the govt read your email?

admin
Wednesday, 05 October 2016 / Published in Woo on Tech

The good ship Yahoo is still battling troubled waters on its journey to the safe harbor of a Verizon purchase. Reuters has just released a massive bombshell that may blockade if not outright scuttle the $4.8bln deal: two former employees of the beleaguered media company have alleged that Yahoo complied with a classified directive from a government agency to directly surveil the millions of email accounts hosted by Yahoo in 2015. According to the Reuters sources, the decision to open Yahoo Mail’s kimono was made behind closed doors, excluding Yahoo’s then Chief Information Security Officer, who apparently resigned because of this incident.

Whiskey Tango Foxtrot, Yahoo?

Normally, I don’t urge folks to get out the pitchforks and torches, but on reading this I actually used language not normally heard in polite company. Thus far the government agencies named are declining comment. If the allegation proves accurate, I’d say Yahoo violated its customers’ Fourth Amendment rights and thoroughly trod upon any trust it might have had left with its still substantial customer base. Coupled with the recent massive breach they experienced in 2014 and the debacle that was their conversion to a new email platform in 2013, it’s no wonder Yahoo has gone from an Internet powerhouse to second-tier media company up for sale. If you are still using Yahoo as a primary email provider for work, you should stop doing so immediately, not only for security issues that they can’t seem to get ahead of, but now for serious breaches of privacy and trust.

email, government, privacy, security, surveillance, yahoo

Apple at the front of encryption battle

admin
Tuesday, 23 February 2016 / Published in Woo on Tech

Apple made a big splash last week when CEO Tim Cook published an open letter in response to the FBI’s request and subsequent court order to hack the iPhone of the primary assailant in December 2015’s San Bernardino mass shooting. As one might expect, Mr. Cook basically told the government that Apple would not comply, and fortunately, Apple might be the one company that could afford to fight this battle in the courts. Though the tech industry has typically maintained a similar stance on device encryption, even the most staunch champions of digital privacy such as Google and Twitter have had surprisingly muted responses to the growing battle. Also revealing is a recent Pew poll that suggests while the tech industry may be largely united on device encryption and government backdoors, the American public isn’t quite sure what to think about this complex issue.

What this means for you:

Late model iPhones ship with encryption enabled by default, and as long as you enable some form of authentication on your device, the data on that device will only be accessible if you unlock it. Law enforcement can’t break the encryption, and Apple, by its own admission, cannot decrypt your phone’s contents without the proper authentication, even if the phone owner asks them to do so. If someone tries too many times to guess your PIN, the device will be automatically wiped – no intervention from Apple or your carrier is required. The FBI is demanding Apple create a way for them to unlock the iPhone of the San Bernardino shooter, which if Apple were to actually accomplish such a feat, could theoretically allow anyone with possession of this backdoor to decrypt any iPhone protected by similar technology. Like the atomic bomb, the development of this backdoor cannot be unmade, nor will it remain only in the hands of the “righteous”. While the data on the SB shooter’s phone may prove useful in providing some closure to the incident and may even help further other domestic terror investigations, it’s easy to see that the FBI means for this case to set a precedent that will give them unfettered access to an area that has traditionally been protected, both by law and by technology.

Apple, encryption, FBI, government, privacy, security

Flash zero-day exploit targeting govt agencies

admin
Wednesday, 14 October 2015 / Published in Woo on Tech

Adobe Flash can’t seem to catch a break. Their most current black eye has arrived in the form of yet another zero-day exploit of a vulnerability in the latest versions (19.0.0.185 and 19.0.0.207) of the browser plug-in. According to Trend Micro’s blog, the hacking group Pawn Storm is targeting government workers via spear-phishing emails that contain links to news about current events. Instead of taking them to a legitimate news story, the links lead to compromised websites that can install malware onto the victim’s computer via the aforementioned exploit. Rather than the usual identity theft, this group seems to have a more politicized agenda and bears similarities to attacks on NATO from last year.

What this means for you:

If you are new to this blog, you may not have been briefed on the #1 Rule of Personal Technology Security: “Don’t click strange email links.” Even clients who have weathered years of me saying this sometimes let their guard down, so Rule #2 is “Be prepared for the worst,” which you should interpret as (1) having a strong firewall, (2) trusted anti-malware installed, and (3) a contingency strategy that includes backups and plans for operating without core infrastructure when things do go wrong. The sad matter of fact is that cyberattacks will get past anyone’s mental guard – we are only human after all – at which point properly installed and configured technology can act as a safety net. Note the emphasis – poorly implemented security is worse than nothing at all in some cases. When you have nothing, at least you aren’t lulled into a false sense of security. And don’t count on the (perhaps prematurely reported) death of Flash as a means to improve everyone’s overall security profile. We haven’t quite seen the end of Flash just yet, and there are plenty of other platforms (Java anyone?) that could easily take its place if and when Adobe finally puts this software out to pasture for good.

http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/

adobe, exploit, flash, government, security, spear phishing, zero day

Who hacks the hackers?

admin
Wednesday, 08 July 2015 / Published in Woo on Tech

Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, it’s highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.

What this means for you:

Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry about from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?

government, hackers, Hacking, hacking team, privacy, security, spyware, surveillance, Twitter

OPM Hack Follow-up

admin
Monday, 15 June 2015 / Published in Woo on Tech

As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc.) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.

What this means for you:

Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:

  • Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
  • Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
  • Review the Federal Trade Commission’s recommended actions.
  • Watch your important online accounts like a hawk and investigate any suspicious activity immediately.

credit, government, hack, identity theft, opm, security

Shoddy govt security making identity theft too easy

admin
Tuesday, 31 March 2015 / Published in Woo on Tech

In 1986, Ronald Reagan is quoted as saying, “The nine most terrifying words in the English language are, ‘I’m from the government. I’m here to help you.’” As relevant as that sentiment was in his day, it’s still ringing true, this time with at least three government websites that are doing you no favors in terms of protecting your identity. Krebs on Security has an alarming report of identity theft and fraud via the IRS.gov website wherein he shares the story of a taxpayer who discovers someone has already filed a fake tax return under his name, for the purposes of stealing his tax refund. At fault is an identity authentication standard known as KBA, or “knowledge-based authentication” which is pretty widely used in the credit reporting and finance industries. Basically, you prove you are you by answering questions that supposedly only you would know, including former addresses, loan amounts or payments, and other personal data that is – surprise, surprise – readily found on the internet. By anyone.

What this means for you:

Ironically, people avoid creating accounts on websites because they are afraid of their data being leaked. And now you get to be afraid of NOT creating an account on a website for fear of someone else creating it for you, with the added “bonus” of this fake account further decreasing the probability of you being able to prove you are actually who you say you are. “Invasion of the Body Snatchers” anyone? What makes this situation alternately terrifying and ludicrous is that it’s our own government creating this mess in an effort to provide better reporting, accountability, and accessibility. The other two sites that are also potentially weak to this “account snatching”? How about the Congress-created AnnualCreditReport.com and another federal behemoth: the Social Security Administration website. Brian Krebs’ recommendation is to make sure you get an account established for these three websites pronto, if only to prevent someone else from pretending to be you and creating accounts that will be used to commit fraud and money laundering. Unfortunately for most of us, the surge of interest created by this article (and blogs like this one) has essentially paralyzed (are you surprised?) the account creation process of these websites, but keep trying, if only to let them know we actually care about our identities enough to want properly secured government websites.

  • www.irs.gov
  • www.annualcreditreport.com
  • www.socialsecurity.gov

credit, government, identity theft, irs, security, social security, taxes

Hacktivists rock Peruvian government

admin
Wednesday, 03 September 2014 / Published in Woo on Tech

Despite what US mainstream media might be conveying with their breathless coverage of celebrity accounts being hacked for their lewd selfies, not all hacking activity is for titillation or criminal exploitation. A duo of hackers, self-dubbed LulzSecPeru, have penetrated multiple Peruvian government websites and servers, defacing webpages and stealing confidential data as a demonstration of their hacking abilities and purportedly to shake things up politically. Among the data stolen were several thousand emails from the former Prime Minister, which revealed the presence of possible undue influence by Peruvian industry lobbies. The sudden transparency nearly forced the resignation of the entire cabinet in a Congressional vote of no confidence which only missed passing by one vote.

What this means for you:

Once again, hackers prove that if it touches the internet (and sometimes even when it doesn’t), privacy breaches are just around the corner, especially when what is hidden is likely to be highly valuable to someone. Though this particular feat was slightly less salacious than the celebrity breaches, the only rule of thumb that can be followed is this: if you don’t want your “dirty little secrets” spread all over the internet, don’t put them on an internet-facing computer, cloud server or mobile device. Information, especially confidential data, is the new currency of the world economy, and as with all currencies, most folks will go to great lengths to amass it, especially if it has the potential to undermine authority or generate wealth. Complete isolation from the internet is impossible for most businesses, but you should review very carefully what information is stored where, and the potential damage it can cause your company if it were stolen or exposed in a security breach.

breach, email, government, Hacking, lulzsecperu, peru, security