Traditionally I like my year-end messages to be hopeful, but as I am someone who does not mince words when it comes to your technology, I don’t come to you at the close of 2022 with a message of optimism. If anything, I want to congratulate you for surviving this year with your sanity and health intact, if not your technology security. Accomplishing all three is something to be commended, and I am sad to report that not all of our clients were as successful, including a client and good friend who passed unexpectedly this year. This post is dedicated to him, and to everyone who fought the good fight this year, either against cyberattacks, Covid and everything between.
“Don’t take security for granted.”
This is my year-end message for you: If there is one trend I can clearly point to in this past year (and in years previous), is that you are the first and last line of defense in the war for your technology security. You are the first and last line of defense in maintaining your privacy. We here at C2 Technology are willing and able to throw ourselves in front of as many attacks as we can, but we can’t be with you in every moment, everywhere you touch technology, nor should you want us there. In almost nearly all cases of hacks that we have worked through this year, and numerous others I have read about, breaches and compromises have occurred because attackers are very successful at exploiting human, not technology, weaknesses.
One thing that I know for sure is that you can count on even more cybersecurity attacks in every aspect of your personal and business technology. There is big money in compromising your security – organized crime has moved, full-scale, into funding, staffing and managing highly effective fraud call centers and hit-squads whose primary objective is to trick you into giving them access to your stuff and then cleaning house. On top of this, there is no singular magic bullet, app, governing body nor enforcement agency that can protect you. Let me reiterate – there is no perfect, monolithic solution C2 or any other organization can provide to you to keep you perfectly safe. As with cold weather, layers are better than just a single, bulky jacket. Your best defense will be a collection of services, software and best practices. Your configuration of those layers will vary based on personal or organizational need, but everyone should at minimum be considering the following:
- Constant vigilance is the key. You should assume that you are under constant cyberthreat and act accordingly. As much as it feels distasteful say this given the current political climate, you should consider yourself on cyber-wartime footing with no armistice or ceasefire in your near future. You may have heard me jokingly compare this vigilance with paranoia, but my gallows humor may have done you a disservice in making light of this situation. Make no mistake, this is very serious, and I do not see anyone being able to let down their guard anytime soon. As I mentioned above, C2 can’t always be there for a magical, “Get down, Mr. President!” moment. All we can do is attempt to train you to spot the peril. If you have employees, you should bolster their vigilance with actual, formal training – not everyone will have the same level of urgency on technology security as the principals of the organization, but training and testing will help them understand the importance and impress upon them that this is a part of their job responsibilities, regardless of their role in the organization.
- If you aren’t using unique passwords and multi-factor authentication for your critical online accounts, you are doing the cyber equivalent of leaving the keys in your running car in a dangerous neighborhood. You should check your most-used passwords here, and if any of them show up on the list, immediately change that password everywhere you used it. Right. Now. If you can turn on multi-factor authentication for your banking and other critical service accounts and haven’t already done so, do so. Right. Now.
- Back up your files to a cloud provider on a daily basis. You can get a very reliable, easy to use service for as little as $7/month, and you might already have access to a form of cloud backups through Apple or Microsoft by virtue of other services for which you are already paying. Keep in mind, services like OneDrive and iCloud are a form of short-term backup, but do not normally provide long-term recovery of files deleted more than 30 days ago, nor can they fully protect against certain forms of ransomware attacks, so make sure you consult with your friendly neighborhood technology professional about what would be appropriate for your use case.
- Keep work and personal separate. This may be difficult to do especially if you work from home on your own technology, but the more you intermingle, the more risk you take from one side or the other. This also goes for using your home network if you have family that aren’t as security conscious as you, especially seniors and young children, both of whom are particularly vulnerable to scams that most of us spot in a heartbeat. Your technology professional will have ways to segment your work and home life, but it will result in additional expense and inconvenience.
- At the business level, antivirus and malware protection has evolved into what is now known as “endpoint protection.” The free software that comes with your new PC is NOT endpoint protection, nor is the product they are trying to upsell you. The primary difference between the two is that last generation products relied heavily on definition tables and scheduled scans of your files, which is not nearly as effective against modern malware tactics that sometimes don’t even involve something being installed in your hard drive, or software that literally changes by the hour. Endpoint protection relies on algorithms that are able to analyze the behavior of softwares and services to determine if they might be harmful, and more importantly, are designed not only to protect the device on which it’s installed, but also to protect the network to which it is connected, something that previous gen antivirus software could not do.
- If you deal with any kind of PII (personally-identifiable information) where that information is stored on your computer – even if only in transit – your hard drive should be encrypted, especially if the device housing it is easily stolen, such as a laptop. Fortunately, both Windows and Mac OS do include encryption, but it isn’t always enabled, and in the case of Windows, it is only readily available in the “Professional” (more expensive) variant of their OS.
- You should be making sure your operating system and main software apps are kept up to date. Microsoft releases updates on a weekly basis, and about half of them require a reboot to full apply. Windows 10 (and to a certain degree 11) is so stable that it can go weeks without rebooting but waiting that long can cause other problems that will be a lot more inconvenient than restarting your PC. We recommend clients restart their PCs as frequently as every 3 days – this accomplishes needed housekeeping tasks as well as clearing the “virtual crud” that all PCs accumulate through daily use, especially if you like having lots of windows and apps open.
Technology security requires a holistic approach, and I don’t mean tuning your chakras and making sure your gut biome is balanced. Every aspect of your technology, from internet provider to software services, every device used in the work process, all users, and even your clients’ and customers’ technology should be reviewed and considered when formulating your security approach. The days of “set and forget” are long gone. Protecting your technology is something that will require effort and, dare I say, constant vigilance.
We’ll keep it short and sweet this week. Earlier this year, an advanced form of spyware was discovered on a small group of Middle-Eastern journalists’ iPhones that was eventually traced back to a developer in Isreal called NSO Group. Purportedly designed for law enforcement agencies to combat terrorism, the spyware known as Pegasus appears to have been utilized by one or more government agencies to spy on a select group of iPhone users. At the time, it was unclear how the exploit was being deployed, so no defense or patch could be provided to stop Pegasus from being installed. After months of research, Canadian internet watchdog group Citizen Lab uncovered the flaw and announced it this week in the news, timed in concert with a security update from Apple that should be applied immediately to all iOS devices and MacOS devices.
What this means for you
If you have a late model iPhone, Mac computer, Apple Watch or iPad, check the settings immediately for any available updates and apply them as soon as you can get to a solid internet connection and have your device connected to a power source. The iOS version you are looking for is 14.8, and on Macbooks and iMacs it will be MacOS 11.6.
- Update your iPhone, iPad, or iPod touch – Apple Support
- Update your Apple Watch – Apple Support
- Update macOS on Mac – Apple Support
As of this writing, the actual number of people who have been impacted by this flaw and Pegasus is very small, but now that the actual flaw has been revealed, there is a possibility that others beside the NSO Group will attempt to take advantage of the window that is typically open while people get patched which can be days or even weeks. While Pegasus is designed for spying, there will surely be other malware types released to attempt to exploit this flaw that may be more straightforward in doing harm. Don’t be one of the ones caught sleeping on this update. Get patched now!
Over the years since the internet has come to dominate the technology and business landscape, I’ve often compared the growing tide of malware and general bad behavior found online to pollution. Like its physical manifestation, the source of internet pollution can’t be tied to a single cause or factor or even several of them. The rising tide of malware, spam, cybercrime, and even fake news is caused by a relatively small group of ignorant, mercenary or even outright malicious agents, but because of the way the internet works, there are few practical ways to stop it from spreading everywhere. If you imagine that the internet is the ocean, this stuff is a gigantic oil spill, illegal toxic waste dump and six-pack rings spreading everywhere.
And your website is soaking in it.
Most of us access the internet like we tap our water supply – through (more or less) filtered pipes connected to the main source. Just like I wouldn’t recommend drinking your water straight out of a lake or stream without some filtering, accessing the internet without proper protections is asking for a nasty infection. But have you considered the chilling fact that your website is out there, right now, braving the internet without a hazmat suit? According to at least one internet security company, over half of all website traffic is generated by bots, and more than half of that traffic is malicious. More importantly, they found that for the smallest, least trafficked websites (0-10 human visitors per day) had the highest percentage of non-human traffic, and because they were less visible and more likely to be unattended, they were more likely to be attacked and successfully compromised. Does that sound like a website you know? Maybe your own website? On average, C2’s webserver is attacked several hundred times a day, and, let’s face it, compared to the rest of the web, we’re at the very low-end of the traffic scale.
As to why anyone would attack a site that isn’t visited that much? A compromised website has many uses, many of which actually require that attention not be drawn to the compromised activities occurring on your very own internet island. This allows the attackers to leverage your site’s computing and broadcasting power (however small), essentially drafting it into a massive mesh of zombified soldiers that aren’t limited by a workplace or home firewall. And there are a ton of low-traffic websites. It’s the internet-version of the age-old question of, “Which would you rather fight?” One massive, infected website, or a million tiny, but infected, websites?
Unless you are a skilled website administrator, securing your site isn’t trivial. Definitely leave it to the professionals, but don’t leave it undone. Your website is floating in polluted waters, and unless you take necessary precautions, your little bit of internet paradise might end up looking like the picture attached.
Image courtesy of Sujin Jetkasettakorn from FreeDigitalPhotos.net
It’s one of the oldest cons in the book: convincing a mark that they’re sick and then selling them a handy cure for the low, low price of “You just got ripped off.” Despite this sort of scam being perpetrated on the internet for years now, it’s still bamboozling lots of people, according to a recent court case brought by the FTC against a US-based company that has tricked computer users into purchasing millions in fake technical support to “fix” their computers. The scammers find their “marks” via fake pop-ups warning users that their computers are infected or performing poorly and provide a prominent phone number to call to receive tech support from a “certified” Microsoft or Apple partner (of which they are most definitely not). Once the victim calls, they are essentially tricked into believing they actually need support through carefully crafted application of legitimate tools and deceitful interpretation of events and warnings that are commonplace and not necessarily indicative of an actual problem. Once the scammers get your credit card or bank account info and get paid, they will deliver the service in the form of tech support “theatrics” which is more than likely just a script that looks impressive, but doesn’t actually do anything or might even damage your computer further. It’s also highly likely your payment info gets sold on the black market for additional profit.
Spread the word:
Clients of C2 Technology are typically savvy enough to spot this con a mile away, or at a minimum, have developed a healthy sense of skepticism to pick up the phone and call for a second opinion from someone they know and trust. It may not occur to you that, as a tech-savvy professional, you might actually be that trusted advisor for your family, friends and colleagues. Even if you don’t feel like a tech expert, you know enough to warn the people around you about these sort of scams, and you definitely know an expert who is always willing to take their call. At minimum, you should foster a healthy skepticism in the more naive or gullible loved ones, especially the ones that always seem to fall for the most obvious scams. This isn’t just for their benefit, it serves you as well. The more people around you who stay safe, the less likely you are to get infected. Thanksgiving dinners are a lot more enjoyable when you don’t have an family-spread malware infection on the table.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In an extremely unusual occurrence, the operators/handlers of the infamous TeslaCrypt ransomware have announced they are discontinuing operations of their highly lucrative malware campaign for undisclosed reasons. Analysts speculate it could be anything from growing law enforcement attention, redirection of resources on even more virulent malware, to the unlikely scenario that the operators have made enough money and are feeling generous. Whatever the case may be, researchers from security company ESET contacted the “retiring” operators and asked them if they would publish TeslaCrypt’s master key, and to everyone’s astonishment, they obliged. Armed with this critical piece of data, ESET and others have built apps that have the capability of decrypting data that is being held captive by any number of TeslaCrypt variants dating back as far as early 2015.
What this means for you:
For one of my clients, a distant hope for this exact scenario finally paid off. Their data has been trapped in encryption for over a year, and as they didn’t have a viable backup at the time of the infection, they walked away from nearly a decade of data that was locked away even after paying the ransom. After our initial attempts to recover the data with what seemed to be a fake key, we put the data aside in the hopes that the master key would someday be recovered, possibly through law enforcement activities. Fast forward to this past weekend: after several hours of number crunching with tools provided by the brilliant folks at BleepingComputer.com and the master key secured by ESET, I was able to successfully decrypt nearly 200,000 files in what appears to be a full recovery of the “kidnapped” data.
If you happen to be among the unfortunate few who fall into this same ransomed data, backup-bereft category, your long-odds gamble may actually pay off like it did for my client. Counting on events like this unfolding for other variants of malware is still highly irrational. Last time I checked, there were still large portions of the world beset by malicious and criminal behavior, and it may never be revealed why the TeslaCrypt operators released the master key. Even if some hackers discovered compassion for their fellow humans and gave up their black-hat ways, there are ten others ready to take their place. Cybercrime continues to be a huge moneymaker for the criminal element. For this reason alone, you should continue to reinforce your technology defenses with a strong firewall, competent anti-malware and reliable offsite backups.
Image courtesy of renjith krishnanat FreeDigitalPhotos.net
Looking back over the past few weeks I realize I’ve fallen down on my job of terrifying you with news of the latest technology boogeyman. There’s a new ransomware in town and this one gets down to business in a hurry. Dubbed Petya by security company F-Secure, this vicious piece of malware works in a similar fashion to its brethren by encrypting data and holding it for ransom, with a twist: instead of encrypting just your documents, it will “kidnap” the entire disk by encrypting the master file table, and it can do so very quickly because the MFT is just the “index” of all the files on your drive. If you were to think of your drive as a book, this is the equivalent of putting a lock on the cover and holding the key for ransom.
What this means for you:
At minimum, any virus infection is going to result in a bad day even if you have a full backup of your important data. Before your data can be restored, you need to be certain the malware hasn’t spread to other machines and is waiting to pounce the moment you get the data restored. With previous versions of ransomware, the attack would leave affected machines more or less operational as the malware only encrypted documents and usually left applications and the operating system intact. Not so with Petya which locks out the entire disk. If this malware were to attack a server, it could paralyze an entire company within seconds. If you though recovering and cleaning up a workstation took a long time, double or triple the time needed to bring a server back online, and that’s only if you had full-disk backups and not just files. A malware attack is inevitable – no amount of money, time or paranoia can provide 100% protection. Your only hope for a recovery is proper data backups managed by an experienced professional. Are you ready to test your backup plan?
Image courtesy of Zdiviv at FreeDigitalPhotos.net
In a disturbing trend that bodes ill for everyone, multiple US healthcare institutions have been victimized this past month by highly effective ransomware attacks. In each instance, the malware infection has significantly disrupted operations and, in some cases, forced administrators to actually pay out thousands of dollars in ransoms to regain control of their data and IT systems. In the case of the Hollywood Presbyterian attack, the hackers initially demanded $3.6 million in bitcoin to release the data and systems their malware had encrypted, but settled for $17k. More hospitals in California, Kentucky and Maryland have also been hit and crippled by ransomware attacks, in some cases paying the ransom to regain control of their IT systems, and in other cases recovering systems and data through established data backup platforms and security protocols. And just to keep things interesting, toy-maker Mattel was also defrauded out of $3 million after falling victim to a carefully-planned an well-executed email scheme.
What this means for you:
Though some of the hospital attacks mentioned above are thought to have come from a documented server exploit known to exist in healthcare software platforms, analysts are reporting a surge in emails carrying viral payloads including new, highly-effective variants of ransomware, probably because of the highly-publicized ransom payment made by Hollywood Presbyterian. The harsh reality of this worrying trend is this: it costs criminals virtually nothing to start malware campaigns that are resulting in hundreds of millions in damages to organizations around the world, and it’s netting those same criminals an equivalent amount of money paid by desparate victims. Despite spending millions on security, businesses and individuals around the world still fall victim to this ploy because of the humble email. Previously I had written about ways to spot fake emails (and you can still spot them if you look hard enough), but given how many emails we receive, and how clever attackers are becoming, it’s only a matter of time before any of us get duped and it’s already too late after that second mouse-click. Or is it? Though the ransomware attacks managed to disrupt operations at the hospitals mentioned above, several of them were able to get back to work once the infections were cleaned out and data restored from backups. The temporary disruptions caused by the compromised systems were kept to a minimum, as was the damage to the wallet, by a tested (and now proven) disaster response and recovery/backup plan. How long could your business afford to be disrupted by a ransomware attack? Could your business survive the loss of critical data? What about the reputation damage resulting from disclosing the attack to customers? If you thought a backup platform was expensive, consider the alternative. In the case of Hollywood Presbyterian, $17k was just the down payment on a huge hit to the wallet.
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
It’s not exactly a walk in the park when a cash register gets infected, but when technology on the front lines of law enforcement is infected out of the box, we have an entirely new set of nightmares to keep us up at night. It’s bad enough that our military is using 14 year-old software to operate the most powerful naval fleet in the world, and now we have to worry about police officers trying to do an already tough job with infected body cameras. As of this writing, the manufacturer of the devices has yet to comment, but according to the security firm assisting law enforcement agencies with the implementation of these devices, the cameras are shipping with the Conficker worm, a virulent strain of malware that first appeared in 2008 and continues to exploit unpatched Windows machines to this day.
What this means for you:
The more savvier among you may have already posed the question, “How on earth does a simple flash memory-based camera get a virus infection?” The original success of the Conficker worm actually came from its ability to spread via USB devices through a well-known weakness in Windows operating systems: the short-lived “autorun on insert” functionality would execute a script on an infected thumb drive, infect the host computer with the Conficker virus, which would in turn search for any attached networks and other USB devices to infect. Police body cameras are designed to record data to built-in flash memory, and then have that data transferred via USB to a computer. See where this is going? Imagine your local, overworked Police Departments now being overrun by a 6 year-old virus. On top of this, it’s not a stretch to imagine savvy defense attorneys calling into question the integrity of video footage captured by compromised hardware. Though Confickers true purpose was never discovered, it infected millions of PCs. It’s not hard to imagine a new wave of malware infections brought on by untested and widely available devices like web cameras, USB chargers and many other devices that make up the rapidly growing “internet of things.”
Fortunately for the law enforcement agencies that purchased the equipment, their integrator was on their game and detected the infection before the cameras were put into the field. This only came about because the computers to which the cameras were attached were protected by up-to-date and reputable antimalware software. While it won’t be the magic bullet we all wish existed, solid antimalware protection will go a long way towards preventing disaster in your organization. Don’t skimp in this regard – it might put more at risk than you think.
As if Volkswagen didn’t have enough to worry about with the emissions scandal, European security researchers have demonstrated a proof-of-concept exploit that can allow an attacker to covertly disable airbags (and other systems) in the German manufacturer’s autos. Unlike the more dramatic wireless hacking demonstration of Jeep vehicles that caused a massive recall, this particular exploit requires actual contact with the car, either via a compromised laptop or malicious USB device connected to the vehicle’s diagnostics port. To demonstrate the hair-raising potential of this exploit, the hackers were able completely disable the airbag, but have the onboard software continue to report the system as functioning properly. For now, the hackers limited their hacking to this proof-of-concept, but they believe that with further testing and research someone could develop malicious code capable of executing more serious system disruptions while the vehicle was in motion, and perhaps long after the infecting device was removed.
What this means for you:
We are rapidly approaching a future where most of the devices upon which we rely will have embedded computers. Here’s a short list of items that already appear in homes and have this capability right now:
- Burglar alarms
- Surveillance systems
- Major appliances (refrigerators, ovens, washing machines)
- Door locks
- Lighting systems
- Electrical meters
- Gas meters
- Fire and life-safety systems
As the researchers of the Volkswagen were quick to point out, the problem wasn’t with Volkswagen’s engineering, but a weakness in a third-party diagnostic system, an easily compromised laptop – mechanic’s don’t have special devices, they use the same gear we use – and our willingness to plug things into our devices without specialized knowledge or assurances of security and safety. Many of the items listed above are easily accessible by visitors, repairmen and sometimes complete strangers, and even though the infecting agent may be completely unaware the device they are connecting to your devices is compromised, the damage is already done once it gets plugged in. Once again, the weakest link is the human, either us or some hapless mechanic. It’s important to be aware of all the systems with which you surround yourself, as well as who is servicing them, and whether they themselves are taking the necessary precautions to stay safe.
Apple is infamous for it’s stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride anymore, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the infected apps weren’t purposefully compromised, but were caused by Chinese app developers using an infected version of Apple’s coding framework, Xcode to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.
What this means for you:
Unless you make a habit of installing Chinese iOS apps you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us that aren’t impacted, this particular failure illustrates two important points about security:
- No security system or process is infalliable. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
- The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3gb) and is very to slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!