Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.


C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


Your email is not private

admin
Wednesday, 26 March 2014 / Published in Woo on Tech

Unless you’ve been living under a rock for the past year, most of you will leap to the conclusion that I’m writing about the ongoing government snooping that seems to permeate the internet these days. Unfortunately, another of the tech industry’s dirty little secrets is being dragged out into the light of day, and it’s something you’ve probably known all along but didn’t want to acknowledge: Your email is not private. Microsoft recently underlined and highlighted this fact by releasing details on an investigation into an ex-employee’s attempt to sell confidential information. The individual in question was identified primarily through the contents of his Hotmail account, which Microsoft openly admits to reading. While this may seem to be a blatant and gross invasion of privacy (it is), it’s also well within Microsoft’s rights as outlined in the Terms of Service every single customer agrees to when creating and using the free webmail account.

What this means for you:

Before you think this is a Microsoft bashing party, Google and Yahoo have the same sort of Terms of Service, as does just about any other email provider out there. They can read your email any time they want to, and they don’t have to get a search warrant like law enforcement supposedly has to do. They own the equipment, software and data services that deliver your email, and they assert openly in the Terms of Service in one way or another that your email is not yours to keep private. You might also want to review your employer’s information security policy: it’s highly likely that they advise you that any email transmitted through their servers is company property, and is subject to review at any time. This is not something new – policies like this have been around since email first started being used in large organizations that could afford lawyers.

The only way to keep email truly private is to use end-to-end encryption, a process that most people find daunting to establish, and inconvenient to use. Until there is a radical change in how we communicate on the internet, the only way to truly keep things away from prying eyes is to not put them on the internet in the first place.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: email, Google, microsoft, policy, privacy, terms of service, webmail, yahoo

MS Word zero-day exploit in the wild

admin
Tuesday, 25 March 2014 / Published in Woo on Tech
Microsoft Zero Day Warning

Microsoft has released a security advisory that warns of a new zero-day weakness that is currently being exploited on the internet. Depending on how you interpret their choice of wording – “targeted attacks” – the scale seems to be relatively limited for the moment, but given that the compromised app is Microsoft Word and is not limited to a specific version, the potential attack surface is huge. And it gets better: the delivery mechanism is a hacked RTF file that once opened can lead to the targeted machine being completely compromised. While RTF files aren’t as widely used as the default “.doc” and “.docx” formats, they are used to export and import documents from Word to other word processing platforms like WordPerfect, LibreOffice, OpenOffice and Apple Pages.

What this means for you:

Microsoft has issued a temporary fix which merely disables the ability for Word to open RTF files, but as of the moment there is no ETA on a patch delivered by Windows Update. We recommend applying this Fix-it if you are at all unsure what an RTF file is, or how to tell the difference from other Word and Email formats.

The most vulnerable user to this exploit is actually someone who uses Word to view formatted emails delivered via Outlook. Normally, Outlook is not set to view emails using Word by default, so if you didn’t set Outlook to do this, you only have to worry about Word. If you did, disable this feature and use Outlook’s built-in email viewer to read formatted emails. For Word users, don’t open RTF files, even if they come from a trusted source, and don’t send any RTF files, as your recipients may be exercising the same level of caution. If you have to exchange data using RTF, make sure you communicate thoroughly with your recipients, and choose a platform other than email to exchange files, primarily so there is no chance they could mistake a trojaned RTF for a legitimate file.

Tags: exploit, microsoft, outlook, rtf, security, trojan, word, zero day
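For anyone unsure how to tell an RTF file from other Word formats, as the post above advises, the file's first bytes are more reliable than its extension, because Word parses a file according to its content and an RTF file renamed ".doc" is still handled as RTF. The sketch below is an added example, not part of the original post or any Microsoft tool; the `triage` function, its action names and the sample attachments are constructed for illustration.

```python
import os

# Leading-byte signatures. RTF files start with "{\rtf"; the shorter "{\rt" is
# matched as a defensive choice so a slightly malformed header is still caught.
RTF_PREFIX = b"{\\rt"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary .doc/.dot container
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.docm are ZIP archives

# What each Word-related extension should contain.
EXPECTED_BY_EXTENSION = {
    ".rtf": "rtf", ".doc": "ole2", ".dot": "ole2", ".docx": "zip", ".docm": "zip",
}


def sniff_format(data: bytes) -> str:
    """Identify the container format from the first bytes, ignoring the file name."""
    # Assumption: tolerate a UTF-8 BOM or whitespace before the RTF header.
    head = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(RTF_PREFIX):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Decide what to do with one attachment while RTF handling is unpatched."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_format(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if detected == "rtf":
        action = "quarantine"   # RTF content, whatever the extension says
    elif expected is not None and detected != expected:
        action = "review"       # a Word extension that does not match its content
    else:
        action = "deliver"
    return {
        "file": filename,
        "detected": detected,
        "disguised_rtf": detected == "rtf" and ext != ".rtf",
        "action": action,
    }


# Constructed sample attachments (name, first bytes); not real files.
SAMPLES = {
    "notes.rtf": b"{\\rtf1\\ansi Meeting notes}",
    "invoice.doc": b"{\\rtf1\\ansi\\deff0 Invoice}",   # RTF content under a .doc name
    "legacy.doc": OLE2_MAGIC + b"\x00" * 16,
    "report.docx": ZIP_MAGIC + b"\x00" * 16,
    "readme.txt": b"plain text",
}


def triage_all(samples: dict) -> list:
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        print(result)
```
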

Patch Tuesday for February Has Critical Fixes

admin
Wednesday, 12 February 2014 / Published in Woo on Tech

The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.

What this means for you:

Depending on whether your technology is managed by an IT department, a 3rd-party provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.

Not sure if your computer’s OS needs an update? Go to Control Panel -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.

If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.

Tags: adobe, exploits, flash, internet explorer, microsoft, patch, security, shockwave, update

Fake Antivirus Attack Delivered on Popular Website

admin
Wednesday, 05 February 2014 / Published in Woo on Tech
Scam Alert

One of the most effective malware infection vectors in use on the internet is what’s known as the “fake antivirus attack”. Upon visiting a compromised website, even one that is supposedly legitimate like the DailyMotion (not linked for obvious reasons), a pop-up is displayed that warns the user that their computer is infected, and offers to clean up the infection. Clicking on that button typically leads to the actual infection, which usually starts out as an annoying infestation of adware and popups, and will typically escalate into a barrage of more malware, up to the incredibly vicious rootkits and ransomware which will render your computer inoperable, your data irrecoverable and your identity, bank accounts and credit rating at serious risk.

How do you spot the fakes? Unfortunately, it’s becoming increasingly difficult, as the cybercriminals are now investing more effort into making these counterfeit warnings look like the real thing. In the case of the DailyMotion vector, the pop-ups were designed to look like Microsoft’s own widely-used and competent Security Essentials antivirus software, a product that I install on many of my clients’ computers. At first glance, the pop-up does a passable rendition of the real software, and someone not paying attention could easily be fooled. If you want to see what this type of pop-up looks like, and the resulting infection, watch this short video produced by Invincea, a security software company based in Fairfax, VA.

What this means for you:

Even hardened internet travelers might be taken in by well-crafted popups, but there are certain ways to tell if it’s a fake:

  • Your antivirus software won’t require you to install an EXE to perform the scan. It’s already installed. If it was a legitimate warning, clicking the button would start the scan, and not a download of software. Windows Vista and up will stop and ask permission to run any executable, even ones from legitimate companies, so if you see your OS asking if it’s OK to install this program, stop what you are doing immediately.
  • Close your browser and any windows associated with it. Close any open programs. Manually start your installed antimalware software by selecting it from the Start Menu, or from the System Tray in the lower right of your screen. Run a full scan. Even if everything comes up good, remain vigilant!
  • Fake pop-ups also come in the “Your software needs to be updated to view this website” variety. The most common variant of this is Adobe Flash. Again, close all windows, manually relaunch a web browser and visit the software manufacturer’s website to find out if an update is available for your software.

Still unsure? Note the website URL that triggered the questionable pop-up, take a screenshot if you can, and call your IT professional for further advice.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: browsers, dailymotion, fake antivirus, microsoft, popups, security, security essentials

World Still Clings to Windows XP

admin
Monday, 03 February 2014 / Published in Woo on Tech
Windows XP logo

If you thought you were the only one still using Windows XP, you are still in good company despite Microsoft’s widely publicized plan to end official support for the operating system in April of this year. NetMarketShare.com’s January 2014 report on installed desktop operating systems shows that an estimated 30% of the world’s computers are still using Windows XP, an operating system that is now approaching 13 years of age. NetMarketShare bases its statistics on metadata gathered by 40K websites around the world, so it’s also likely that this percentage may actually be slightly higher, as many XP machines are likely being used in legacy systems that do not require internet access to function.

In case you were wondering what that 30% equates to in actual numbers, there are an estimated 1.5 billion computers in use today. Based upon that number, it’s possible that several hundred million computers may continue to run an OS that will no longer get security updates from Microsoft, a number that has security analysts everywhere hyperventilating. Even though most anti-malware vendors will continue to provide support for XP, it will become increasingly difficult for them to remain effective on an OS that Microsoft itself is abandoning.

What this means for you:

If you were thinking, “Well, this doesn’t impact me, I’m on Windows 7/8,” think again. Many cyberattacks are driven by zombified PCs that have been gathered together into “Botnets” that can focus an incredible amount of processing power on anything they are rented to do, including sending out millions of phishing emails, spam and other nefarious activities. In the current state of desktop security, it’s commonly held wisdom that being targeted by a cyberattack is not a question of “if”, but of “when”. Cybercriminals rely on compromised resources to do much of their dirty work, and their arsenal could become radically reinforced by the millions of computers still running XP, especially now that it will no longer be patched by Microsoft after April. If you are still operating PCs with Windows XP, you should seriously consider upgrading those systems to a more modern OS if possible, and if an upgrade isn’t possible, replace them ASAP, as they will become an increasing liability for your organization.

Tags: botnets, cybercrime, end of life, microsoft, official support, security, update, windows xp

Microsoft Employees get Hooked in Phishing Scam

admin
Tuesday, 28 January 2014 / Published in Woo on Tech
Microsoft Hacked

In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.

What this means for you:

The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:

  1. You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
  2. The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
  3. In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
  4. On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if you don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.

If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probably the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that are being generated based upon information gathered on the internet from sites like Facebook and LinkedIn, making it harder and harder to spot the fakes in your email.

Tags: blog, email, Hacking, microsoft, phishing, scam, security, syrian electronic army, Twitter

Gmail change thwarts some image tracking

admin
Wednesday, 18 December 2013 / Published in Woo on Tech
Gmail envelope

Last week, Google made a change to its widely used webmail platform Gmail: instead of asking if you want to “show images” in emails, Gmail will now display them automatically. Asking first is also how the other two webmail titans (Yahoo and Microsoft) behave, and it is a common feature in mail clients like Outlook. Why aren’t images loaded by default? Primarily because when you open that email full of graphics and you actually want to see them, the mail client (or webpage) makes a request to the server hosting the images, which is usually the same server that sent the email in the first place.

If that sounds like a sneaky way to confirm that you’ve opened a particular email, that’s because it is. This process reveals certain data about the recipient, including date and time of opening, what browser or mail client you are using to view the email, as well as some rough geographical data about your location, based upon your IP address. So why is Google loading images by default? It’s because now they are caching the images to their own server, and then showing them to you, which effectively acts as a proxy between you and the sender, and blinds many marketers who were relying on the image requests to track you.

What this means for you:

Whether you realized it or not, your email client’s annoying tendency to not show you images in emails was actually in your best interests. Because displaying images required you to actively “opt in” by choosing to view the graphics, if that email was sent by a marketer, you sent them a nice packet of data and a positive affirmation that you saw the email, whether you intended to or not. With Gmail’s image caching, some of that data is no longer being unwittingly sent by its customers. However, notice that I wrote “some.” The more clever marketers out there (including Mailchimp, the service I use for my own email) tag email images individually, so they can still track opens, as Gmail still has to load the image to its servers before showing it to you. In my case, this is merely so I can tell if anyone is reading my newsletters, but even that one point of data is still valuable information to email marketers, and you can bet they will find other ways to track your online activity.

Tags: caching, email, gmail, Google, images, marketing, microsoft, outlook, tracking, yahoo
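To see which images in a message can report an open, and what survives a caching proxy like the one described in the post above, the following added example (not from the original post, Gmail or Mailchimp) audits an HTML email body. The heuristics (1-pixel dimensions, long identifier-like values in the URL), the field names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Heuristics (assumptions): long opaque query values or hex path segments
# usually identify one recipient or one mailing.
QUERY_TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")
PATH_TOKEN = re.compile(r"^[0-9a-fA-F]{16,}$")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def is_tiny(attrs: dict) -> bool:
    """True for 0- or 1-pixel images, the classic invisible beacon."""
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def unique_tokens(url: str) -> list:
    """Return URL parts that look like per-recipient identifiers."""
    parts = urlparse(url)
    tokens = [v for _, v in parse_qsl(parts.query) if QUERY_TOKEN.match(v)]
    tokens += [seg for seg in parts.path.split("/") if PATH_TOKEN.match(seg)]
    return tokens


def audit_email(html: str) -> list:
    """List remote images and what each request tells the sender."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline images (cid:, data:) trigger no network request
        tokens = unique_tokens(src)
        direct = ["open time", "IP address (rough location)", "mail client or browser"]
        if tokens:
            direct.append("which recipient opened")
        findings.append({
            "src": src,
            "host": urlparse(src).hostname,
            "tokens": tokens,
            "likely_beacon": is_tiny(attrs) or bool(tokens),
            "sender_learns_direct": direct,
            # Behind a caching proxy only the individually tagged URL still identifies you.
            "sender_learns_via_proxy": ["which recipient opened"] if tokens else [],
        })
    return findings


# Constructed sample newsletter body; hosts and identifiers are made up.
SAMPLE_EMAIL = """
<html><body>
  <img src="https://img.example.com/logo.png" width="200" height="60">
  <img src="cid:banner@newsletter" width="600">
  <img src="https://img.example.com/h/3b1c9a7e5d2f4a6b8c0d/header.png" width="600" height="120">
  <p>Monthly newsletter</p>
  <img src="https://track.example.com/open.gif?u=9f8e7d6c5b4a39281706f5e4" width="1" height="1" />
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding["host"], finding["likely_beacon"], finding["sender_learns_via_proxy"])
```
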

Another IE Zero Day Exploit in the Wild

admin
Tuesday, 12 November 2013 / Published in Woo on Tech
Microsoft Zero-day Warning

It’s nice that Microsoft can keep guys like me busy. Luckily, exploitation of their latest zero-day weakness seems to be limited (so far) to an advanced persistent threat (APT) attack targeting users of a specific national and international security policy website. This particular exploit is being delivered in a traditional “drive-by” attack when users of the English-version of Internet Explorer (specifically IE 7 and 8 on Windows XP, and IE 8 on Windows 7) visit this website. What distinguishes it from past threats is this malware’s ability to write malicious code directly to memory and then execute without writing to disk, a technique that makes detection and remediation much more difficult.

Microsoft intends to release a patch for this vulnerability as early as tomorrow (Nov 12). This is very fast for someone like Microsoft, and may be an indication of how serious this particular vulnerability might be.

What this means for you:

Though the exploit seems to be narrowly targeted at the moment, security researchers say it wouldn’t be hard to manipulate the existing attack software to affect all versions of IE from 7 through 10, and any language in which IE is distributed. Assuming you have the leeway to do so, I still recommend using another browser like Chrome or Firefox, which still have a better track record when it comes to catching and patching weaknesses like the above. If you are required to use IE, make sure Windows Update is functional, and that you apply all critical and important updates as they are downloaded to your computer. Larger companies may control how frequently Windows Updates are applied in their enterprise, but don’t be afraid to ask your resident IT representative if they are taking steps to keep Internet Explorer safe for your use.

Tags: advanced persistent threat, browser, chrome, firefox, internet explorer, microsoft, security, zero day

New Microsoft Zero Day in the Wild

admin
Wednesday, 06 November 2013 / Published in Woo on Tech
Microsoft Zero-day Warning

Microsoft zero-days seem to be happening so frequently, I’m running out of clever bon-mots to introduce these warnings. “What now?” I hear you ask. Users of Vista (Windows machines circa 2007) or Server 2008 (still in wide use everywhere) are affected by a vulnerability in versions of Microsoft Office 2003-2010. Let’s skip the gory technical details: this exploit uses a hacked image inserted into a Word document to run code that can lead to the victim’s computer being completely compromised and subject to remote control. Microsoft has not yet announced a patch for this vulnerability, but they have released a Fixit that can be run on the targeted machines to close the security hole. 

What this means for you:

Security analysts are already seeing attacks utilizing this vulnerability in the wild in Asia and the Middle East, so it’s only a matter of time before victims start cropping up here in the US. If your Windows machine is running Vista, it’s highly likely you are also running a version of MS Office affected by this vulnerability. Run the Fixit immediately and consider upgrading your OS. If you have Microsoft-based servers in your environment and they are more than a year or two old, it’s highly likely they are running Server 2008, but less likely that Office is installed on the device. Your server administrator will know best how to handle this particular issue. As always, contact the sender to verify any unexpected attachments before opening them, make sure your computer is fully patched and protected by up-to-date antimalware, and double-check that your data is backed up, preferably to an offsite and fully encrypted location.

Tags: exploit, microsoft, ms office, server 2008, vista, vulnerability. fixit, zero day

It’s Raining Tablets

admin
Wednesday, 23 October 2013 / Published in Woo on Tech
The iPad Air

Earlier this year, CEO Thorsten Heins of beleaguered tech company BlackBerry infamously stated, “In five years I don’t think there’ll be a reason to have a tablet anymore.” The press had a field day with this quote and the explosive growth of tablets in 2013 alone seems to be proving otherwise. As if to rub Mr. Heins’ and other tablet doomsayers’ faces in it, October is seeing the launch of multiple new tablets, including new lineups from Microsoft, Nokia and Apple, all essentially debuting on the same day.

Apple dominated the American media on Oct 22 with the debut of “the lightest full-sized tablet” on the market, the iPad Air, weighing in at a diminutive single pound. It also updated the wildly popular iPad Mini with its high-resolution “Retina” display, bringing the 7″ tablet up to par with competing models from Google and Amazon. In an attempt to not be out-done (and sadly not quite succeeding in that effort), Nokia announced its first tablet today as well. The Lumia 2520 will run Microsoft’s Windows RT, a move that analysts questioned given the tepid consumer response to Microsoft’s tablet OS, but is not unexpected in light of the Redmond tech-giant’s recent acquisition of Nokia’s hardware business. Not wanting to be left out of the tablet party, Microsoft held its own midnight release event on Oct 21 at its retail stores around the country to celebrate the arrival of the Surface 2. Despite loud music, flashy displays and enthusiastic staff, the Surface 2 launch parties seemed to be (unsurprisingly) sparsely attended.

What this means for you:

If you’ve been holding off on buying a tablet for some reason, the market is currently overflowing with choices, and many of them are very strong on features and backed by staunch developer support and healthy ecosystems, notably the iOS and Android family of products. Though many are saying it’s too early to tell, the Windows RT and Windows 8 tablets have a stiff, uphill climb in the market, something that is keeping developers away from the OS, leaving Microsoft’s app marketplace relatively barren compared to the competition. There’s been a minor stir of interest in the Surface tablets from the arts industry, primarily because of the hardware’s robust pressure sensitivity, but unless you have a specific use case in mind, I’d steer clear of the Windows tablets for now. If you’ve been concerned about the size and weight of the 10″ tablets (very hard to use as bedtime readers or if you spend any time as a standing commuter) you can’t go wrong with a 7″ tablet from either Apple, Google or Amazon, all of which now feature high-definition screens, robust app stores and great portability.

Tags: amazon, Android, Apple, BlackBerry, Google, ios, ipad, lumia, microsoft, nokia, surface, tablet, windows