Usually Apple is able to sit on the sidelines of today’s technology security circus , enjoying a (debatable) reputation for being more secure than Windows and even Android. Unfortunately, it had to step into center stage this week and own up to a security flaw in its core networking code used in both iOS and OS X. And not just a little one either: this one affects how SSL-encrypted network traffic is handled, and it affects iPhones, iPads running iOS 6 or 7, and any computer running OS X 10.9 “Mavericks”.
What this means for you:
In a nutshell, the bug essentially prevents the affected device from verifying the identity of the certificate used to guarantee the SSL encryption. When your Apple device fires up a secure connection using SSL, the first thing it’s suppose to do is check the SSL certification of the destination by verifying it’s identity. Except, in the case of the bug, it doesn’t but reports back to the device that everything is OK. This would be the equivalent of putting a blind doorman in front of your bar to check ID’s. Apple has released a patch for iOS 6 and 7, but still has not issued a fix for the OS X platform.
For now, until you verify you’ve patched your mobile device with the latest security update for your version of iOS, I recommend against using any applications that transmit confidential data (your’s or your client’s) over the internet. On the desktop/laptop side, avoid using Safari until OS X is patched, and switch to a browser like Chrome or Firefox, both of which implement their own SSL code that is not affected by this flaw. To keep track of whether or not Apple has fixed this hole, you can visit: http://hasgotofailbeenfixedyet.com/
Update: As of Feb 25, Apple has issued a patch for OS X 10.9. Make sure your Apple devices update to the latest version of their corresponding operating system.
It’s getting so that it might be easier to publish a list of companies that haven’t been hacked. Sadly, this week it’s dot-com darling Kickstarter and Wall Street stalwart Forbes.com, both of whom were hacked and user data exposed. Where Forbes almost immediately acknowledged that it had been hacked (unavoidable as the infamous Syrian Electronic Army announced that it was behind the attack), Kickstarter got on the wrong side of some folks for delaying it’s own announcement that it had been breached earlier in the week. Waiting almost 5 days before sending out an email to its users was viewed by many pundits as everything from lacksadaisical to outright criminal. In both cases, user names, email addresses and passwords were stolen, though both companies state that the passwords were encrypted which would make it difficult, but not impossible for hackers to crack weaker passwords in the stolen data.
What this means for you:
If you had accounts on either of these websites using passwords that you use elsewhere, you need to go out and change that password everywhere else it was used – preferably with a unique one for each website. I had accounts on both of these websites, but I’m less worried as both were unique to the websites and will never be used again. Until the technology industry can come up with a better way than passwords to secure our safety, your next best bet is to generate unique passwords everytime one is needed. Utilities like LastPass, Passpack and 1Password are invaluable for this sort of practice and are worth their weight in gold.
It’s also worth noting that in the case of the Forbes hack, their security was compromised by a targeted phishing attack. By responding to fake emails, duped employees revealed passwords that gave the attackers access to the WordPress engine that powers the Forbes.com website. Kickstarter has yet to reveal the nature of their security breach, but I wouldn’t be surprised if a similar phishing attack cracked their security. Phishing emails are becoming increasingly harder to spot as cybercriminals pour more effort and money into crafting effective attacks. The only protection is to be suspicious of everything, and to never click links in emails before independently verifying where they actually lead.
Several models of popular Linksys-brand routers may impacted by a self-replicating worm that can exploit a security flaw in the router’s programming. The exploit allows attackers to install a worm in the firmware which can lead to further security breaches on any device connected to that router’s network. According to Linksys, this exploit requires that the routers have the “Remote Management” feature enabled on the device, a setting that is disabled by default on Linksys routers. Depending on who set up your router, this setting may have been enabled expressly for remote management purposes, and as such your device is vulnerable to the worm, dubbed “TheMoon”.
What this means for you:
Linksys routers are a popular choice for home and small businesses. Unless you know for certain your router is not a Linksys device, I would put an eyeball on your router and check the make and model against the list below. Your network router is a critical point in your network’s overall security, and a compromised router can lead to a variety of problems and significant invasions of your privacy and safety. Even if your Linksys model is not named below, it’s important to check whether or not “Remote Management” is enabled on your device.
As of now, the following model routers are affected: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. Linksys hasn’t confirmed whether this list will grow, as it does not want to reveal other models and make them targets for attacks. Until Linksys can patch the loopholes and issue firmware updates the only workaround is to disable the Remote Management feature, install the latest version of the firmware available, and reboot the router to clear any possible worms.
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, 3rd-part provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panels -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
Customer’s of Comcast’s Xfinity broadband service are slowly coming to discover that their new in-home routers are being used as wi-fi hotspots for any other Comcast customer within range of the router. Comcast introduced the service in mid-2013, but seems to have not taken great pains to ensure that its customers understood exactly what the service was. Many consumers just assumed when Comcast said “hotspot” that it meant they would now have wireless internet in their home. The new routers do provide that feature, but additionally they are also programmed by default with another wi-fi network labeled “xfinitywifi” which can be accessed by any current Comcast account login and password.
What this means for you:
If you are a new Xfinity subscriber, or had your Comcast router replaced in the past 6 months, your new equipment may be providing this hotspot. Anyone with a Comcast account can use your hotspot to access the internet. Keep in mind, this doesn’t require them to actually be the account owner – all any wi-fi device needs is that account’s login and password. Assuming they know it, anyone can use that login information anywhere an Xfinity hotspot exists.
Regardless of how savvy you are with your home equipment, you can’t disable this feature yourself – you have to call Comcast to have them turn it off. According to Comcast, the impact on your bandwidth of providing this hotspot should be minimal, and is helping them provide more accessible wireless bandwidth to other Comcast customers in your neighborhood. The question you need ask yourself is whether you feel its appropriate for Comcast to use equipment in your house as an extension of services provided to people you don’t know.
It’s still too early to tell whether having a hotspot on your home network is inherently less secure, but think of it like this: Imagine your property sat in front of a popular amusement park. The amusement park has asked if they can provide entrance to their park that requires customers to traverse your property via a secured walkway. They promise they will keep your property completely safe, private and separate. Would you allow that walkway?
One of the most effective malware infection vectors in use on the internet is what’s known as the “fake antivirus attack”. Upon visiting a compromised website, even one that is supposedly legitimate like the DailyMotion (not linked for obvious reasons), a pop-up is displayed that warns the user that their computer is infected, and offers to clean up the infection. Clicking on that button typically leads to the actual infection, which usually starts out as an annoying infestation of adware and popups, and will typically escalate into a barrage of more malware, up to the incredibly vicious rootkits and ransomware which will render your computer inoperable, your data irrecoverable and your identity, bank accounts and credit rating at serious risk.
How do you spot the fakes? Unfortunately, it’s becoming increasingly more difficult, as the cybercriminals are now investing more effort into making these counterfeit warnings look like the real thing. In the case of the DailyMotion vector, the pop-ups were designed to look like Microsoft’s own widely-used and competent Security Essentials antivirus software, a product that I install on many of my clients computers. At first glance, the pop-up does a passable rendition of the real software, and someone not paying attention could easily be fooled. If you want to see what this type of pop-up looks like, and the resulting infection, watch this short video produced by Invincea, a security software company based in Fairfax, VA.
What this means for you:
Even hardened internet travelers might be taken in by well-crafted popups, but there are certain ways to tell if it’s a fake:
- Your antivirus software won’t require you to install an EXE to perform the scan. It’s already installed. If it was a legitimate warning, clicking the button would start the scan, and not a download of software. Windows Vista and up will stop and ask permission to run any executable, even ones from legitimate companies, so if you see your OS asking if it’s OK to install this program, stop what you are doing immediately.
- Close your browser and any windows associated with it. Close any open programs. Manually start your installed antimalware software by selecting it from the Start Menu, or from the System Tray in the lower right of your screen. Run a full scan. Even if everything comes up good, remain vigilant!
- Fake pop-ups also come in the “Your software needs to be updated to view this website” variety. The most common variant of this is Adobe Flash. Again, close all windows, manually relaunch a web browser and visit the software manufacturer’s website to find out if an update is available for your software.
Still unsure? Note the website URL that triggered the questionable pop-up, take a screenshot if you can, and call your IT professional for further advice.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
If you thought you were the only one still using Windows XP, you are still in good company despite Microsoft’s widely publicized plan to end official support for the operating system in April of this year. NetMarketShare.com’s January 2014 report on installed desktop operating systems shows that an estimated 30% of the world’s computers are still using Windows XP, an operating system that is now approaching 13 years of age. NetMarketShare bases its statistics from metadata gathered by 40K websites around the world, so its also likely that this percentage may actually be slightly higher, as many XP machines are likely being used in legacy systems that do not require internet access to function.
In case you were wondering what that 30% equates to in actual numbers, there is an estimated 1.5 billion computers in use today. Based upon that number, it’s possible that several hundred million computers may continue to run an OS that will no longer get security updates from Microsoft, a number that has security analysts everywhere hyperventilating. Even though most anti-malware vendors will continue to provide support for XP, it will become increasingly difficult for them to remain effective on an OS for which Microsoft itself is abandoning.
What this means for you:
If you were thinking, “Well, this doesn’t impact me, I’m on Windows 7/8,” think again. Many cyberattacks are driven by zombified PC’s that have been gathered together into “Botnets” that can focus an incredible amount of processing power on anything they are rented to do, including sending out millions of phishing emails, spam and other nefarious activities. In the current state of desktop security, it’s commonly held wisdom that being targeted by a cyberattack is not a question of “if”, but of “when”. Cybercriminals rely on compromised resources to much of their dirty work, and their arsenal could become radically reinforced by the millions of computers still running XP, especially now that it will no longer be patched by Microsoft after April. If you are still operating PC’s with Windows XP, you should seriously consider upgrading those systems to a more modern OS if possible, and if an upgrade isn’t possible, replace them ASAP, as they will become an increasing liability for your organization.
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of it’s the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probaby the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that being generated based upon information gathered on the internet from sites like Facebook and Linkedin, making it harder and harder to spot the fakes in your email.
Password manager app maker SplashData released it’s annual report on the worst passwords of the year, and despite all the hype cybercrime is getting even in mainstream media, it seems that many, many people still don’t take passwords seriously. For better or worse, passwords are one of the few security measures we have in technology that stands between us and the cyber outlaws, but passwords like “123456” – the most popular password of 2013 – are the equivalent of painting a big red target on yourself. “123456” unseated the defending, 2-year champ “password” which fell to second place.
What this means for you:
Unless you have a better means of security such as biometric scanners or 2-factor devices, passwords are a fact of digital life, and if you value anything of your digital life, you should use a strong password and not something that is easy to type. It doesn’t matter that you use strong passwords where it matters – security is only as strong as the weakest password, and just like water, hackers will take advantage of any weak spot to flood into your life. If anything, read through this list of bad passwords and use them as a guide of how NOT to secure your technology. Better yet, make sure your favorite password isn’t on that list, because it will only be a matter of time before you find yourself (and possibly others around you) compromised.
Curious about how strong your password is? Be careful of visiting just any “password strength meter” website – double check the domain, and look for someone you trust. Here are two reputable sites. If you’ve been paying attention, you already know to roll-over and check where these links lead before clicking on them:
Microsoft’s Password Strength Checker
Intel’s Password Strength Checker
Password Strength Testing Tool | Bitwarden
How Secure Is My Password? | Password Strength Checker (security.org)
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Though it sounds crazy to hear it, I’m pretty sure I’m not the only technology professional who wishes computer security was as easy as flipping a switch. Fixing broken technology is a major part of how I make a living, and nothing breaks technology like security breaches. In fact, I don’t want anyone to get infected, hacked or for their data to get corrupted, just like doctors don’t want to see their patients get sick. In keeping with the medical metaphor, there are technology guidelines and practices that can act as preventative medicine for your technology lifestyle. Here are ten suggestions that I hope you will resolve to follow to keep your technology streamlining and not derailing your path to success.
- Put a password or pin on your smartphone. This bears repeating over and over. I know it’s inconvenient, but think of how inconvenient it will be if someone got ahold of your unsecured smartphone and used it to access your private information, or worse, your clients’ information.
- Encrypt your mobile devices and thumb drives. If your device happens to fall into unknown hands, encryption provides a layer of protection that will discourage casual data thieves. In the case of certain smart devices, it may even give you time to remotely wipe and deactivate the device. Certain types of data (especially confidential client or customer information) should always be stored with strong encryption.
- Open attachments and links from emails with extreme caution. The most common vector of infection is via email, either by opening attachments or clicking links to compromised websites. Even if the email comes from someone you know, pay close attention to every aspect of the email for hints that it may be a fake, and if you are at all uncertain, pick up the phone or delete it and ask the sender to resend the email.
- Check your anti-malware software regularly. I know plenty of people who know they have anti-virus installed, but don’t know the name of the product, whether or not it’s up to date, or even if it’s working. Check your antimalware at least once a week to make sure it’s updating and if it’s caught anything recently.
- Don’t allow unsupervised, non-professional use of your computer. Originally, this rule was about keeping work and personal use completely separate, but I realize that is near impossible these days, so I amended it to focus on a potentially dangerous aspect of computing, which is allowing less security-conscious individuals access to the devices you use for business. If you wouldn’t trust this person with your business, don’t grant them unfettered access to your business devices.
- Back up your data. Viruses, thefts and hard drive crashes happen. Like death and taxes, hard drive crashes are inevitable, and it will fail when you can least afford it to fail. Unlike the first two, countering the negative consequences are handled by a simple process.
- Ensure confidential customer/client data is stored securely. If you are in a regulated industry, you are more likely to understand why this is important. But if your business services clients who are part of a regulated industry, you might be held to the same standards of security as your clients. Know what data you are storing, know where you are storing it, and how you are storing it.
- Familiarize yourself with the privacy policies of any social networking platforms you use. Even if you’ve managed to avoid the big names in social media (Facebook, LinkedIn, G+, Twitter, etc.), any community you participate in that has a digital component should have a clearly stated privacy policy that governs how your personal information will be used by that organization or platform. Don’t be surprised if you’ve inadvertently relinquished much more control and/or privacy than planned over information and the content you author on that platform.
- Make sure you have a proper firewall anywhere you use the internet. For the moment, you should consider the internet a wonderful AND dangerous place. Your office probably has a firewall in place (check anyways if you are the least bit unsure), but make sure you have a proper firewall working at home, AND on your desktop or laptop (where practical/allowed by corporate policy). Yes, they can be a bother sometimes, but weigh the inconvenience against a data breach, virus infection and uncomfortable client conversations about losing their data.
- Practice constant vigilance, and encourage it in everyone around you. You may be always on your toes, but you are more likely to let down your guard when interacting with co-workers, friends and family. The more you educate them about the above practices, the safer they will be, and you will improve your odds of keeping your own technology safe.
As in just about every facet of normal life, there are no guarantees, and no magical security switches to flip on and forget, but taking the above ten practices to heart can better prepare you for rougher aspects of technology and the internet. It also helps to have a guide while you are navigating the twisting paths of technology, and you should always consider C2 Technology ready to help you find your way to success with technology.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net











