On October 26 of last week, a number of popular, “cloud-based” services suffered multi-hour interruptions. Among the outages was Google’s App Engine, a platform that is used by thousands of other websites and internet platforms including one of my favorites, Passpack.com. Some of your favorites may have been impacted as well: Dropbox, Tumblr and even YouTube were affected. For many, this was a non-event, particularly those who operate and compute within enterprise-based platforms, or rely solely on the desktop and storage of their own computers. C2 Technology relies heavily on cloud-based services, primarily Google products, for our core information systems, and I use Passpack to track the multitude of passwords I need to do my work. So when those outages hit on the 26th, I found myself unable to access the keys to my various digital kingdoms, and felt very much like someone who finds themselves locked out of their car, and at the mercy of another person’s timetable. In this particular case, Passpack.com wasn’t even to blame, as their own reliance on Google’s App Engine service hamstrung their ability to deliver service to their customers, and the fine engineers at Google themselves were struggling with the outage. Everyone’s brand took a hit, and yet there was no one any one of us could blame for the outage – not even a radical hackivist group looking to ruin someone’s day for political currency.
What this means for you:
Very simply, “Never put all your eggs into one basket.” This homily, however pastoral-seeming, still very much applies to how you should use technology, especially when it comes to your core business processes. As an illustration of how this can be bad: I was using Passpack to store my Gmail password, which was complicated and impossible to remember, and instead relying on a complicated, but easier-to-remember passphrase to access Passpack to retrieve that password whenever I needed it. When Passpack went down, so did my ability to access Gmail and all of my client contact information. The lesson to take away from this: if you are going to store critical information online, have a back-up plan for continuing to operate without access to that information. Either back-it up locally (fraught with its own set of risks), or compartmentalize parts of your operations so that they aren’t heavily reliant on a single service provider, or the presence of the internet.
Image courtesy of “vichie81” / FreeDigitalPhotos.net
Now that the public’s overall awareness of phishing is much greater, getting people to click phony links in an email isn’t as easy as it used to be. However, phishers, now motivated (and possibly funded) by organized criminal elements, are investing more time in actually fooling people, producing very authentic-looking emails intended for audiences with accounts worth compromising, such as the ones that control payroll or bank accounts for small companies. A recent phishing campaign dissected by Webroot details a focused targeting of Intuit’s popular Quickbooks platform. Using a combination of scare tactics, actual Intuit branding and realistic-sounding text, actual Quickbooks users may be lulled into a false sense of security and click through to malware-laden sites which quickly compromise their computers.
What this means for you:
Whenever you receive a request from a known service provider via email, always, ALWAYS! check the integrity of the links they ask you to click, especially if the communication wasn’t expected. How do you check the links in an email? Read my previous post “Ransomware Virus Targets Skype Users” for details on how to check if the links are valid. Even if the email seems to be legitimate, skip clicking the links altogether and go straight the the website in question by typing in the URL yourself, or pick up the phone to call the company. Your computer and financial security are worth a few more minutes and keystrokes!
Security analysts are uncovering a troubling rise in sophistication and cunning in targeted phishing attempts – also known as “spear phishing” – where attackers are actually adapting their tactics to exploit weaknesses revealed in common business worker behavior. Most obvious and easy to exploit is the fact that many businesses “shut down” on Fridays, and most workers, including corporate IT, disengage from the job and stop reading emails. Attackers savvy to this behavior trend send out the usual phishing emails with URL’s that are actually clean at the time of delivery, allowing them to arrive in user inboxes unmolested by corporate malware detection platforms. The attacker bides his time and waits to compromise the websites that were linked in the phishing emails until the last moment, say early Monday morning, hopefully just before users start to read the email that arrived over the weekend. Because the email managed to make it past corporate filters, the user wrongly assumes it’s safe, clicks the URL and his or her computer is then compromised through the usual malware attacks.
What this means for you:
Phishing emails are becoming increasingly harder to distinguish from the real thing, and it takes a trained eye to spot the best fakes. The most common phishing tactics are to email you about the following:
- Your account has been accessed by a third party
- (Bank Name) Internet Banking Customer Service Message
- Security Measures
- Verify your activity
- Account security Notification
When you receive an email like the above, and it appears to have come from a company or institution with which you work, examine the source of the email carefully to make sure the links actually go where they say they go. (See our previous news item Ransomware Targets Skype Users for more tips on how to tell if an email is legitimate or not.) If there’s any doubt at all, don’t use the links provided, but type them in or use a bookmark you created to ensure you are going to the proper website, or call a known, publicly-available phone number for the company to verify the request with a real human.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net
In a House Intelligence committee report released on Monday, Oct 8, 2012, US lawmakers cite security concerns with Chinese electronics manufacturing firms Huawei and ZTE. Though neither could be considered a brand recognizable in the US, both firms manufacture electronics that are used to power telecommunication devices all over the world. Though no overt wrongdoing was detected in the 9-month investigation, the report notes that the firms refused to fully cooperate with the investigation. The Chinese government is known to have a heavy hand in directing operations and even strategy for Chinese businesses, mostly to ensure tight control over national security, so it’s no wonder investigators may have encountered resistance from the companies.
What this means for you:
Independent, industry-led investigations have not found any evidence that equipment utilizing parts manufactured by either company have purposefully included security defects or “backdoors” that may have been mandated by the Chinese government as a possible means to infiltrate other countries’ data networks, though vulnerabilities have been found in older Huawei routers. Similar defects have been found in Cisco routers (an American company) which lends credence that the vulnerabilities were not state-sponsored “backdoors”, but instead a product of ongoing security research and development. The intelligence report seems to be more politically minded as opposed to highlighting a clear and present danger, focusing on “what-if” scenarios given China’s heavy-handed government, and fails to note that Chinese (or any other nationality) hackers don’t need an easy-to-detect backdoor to hack American business interests.
Several prominent multinational banks suffered website and online banking service disruptions over the previous two weeks as the result of focused and highly sophisticated cyber attacks. Apparently led by Middle-Eastern “Hackivists” groups in response to the “Innocence of Muslims” YouTube video controversy, researchers have indicated that unlike attacks seen in previous years, this series of attacks were well planned, highly organized and of sufficient force to have even taken down hardened and secure telecom companies who are well-versed in handling the Denial of Service attacks that are typically experienced. In these most recent attacks, the hacktivists used zombified user PC’s as well as thousands of compromised webservers to shut down bank websites for hours, and sometimes days at a time.
What this means for you:
Zombified PC’s are no good to their handlers if they are detected and sanitized before they can be “rented” out, and as such, the most effective malware infection is often one that exists quietly on your technology until it is called into service. Obviously, this could result in your computers or servers, previously well-behaved and performing normally, suddenly acting up and running slowly, usually at the most inconvenient time for you and your business. Always make sure your anti-malware software is installed, updated and working properly.
Keep in mind that it’s even possible for website engines to become compromised and used as a zombie. Unless you tend to your site regularly, it’s possible for it to become compromised without you even noticing – that is until a customer visits your website, notices something wrong, and takes the time to report it to you instead of moving on to something else. Not sure if your computers or servers are secure? Give C2 a call and let us put your mind (and business) at ease!
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
The state of California just signed into law a ban on employers and universities requiring employees and applicants grant them access to their social media accounts (e.g. Facebook or Twitter). As surprising as this may seem, this was actually a thing for awhile. That is, until the internet started a ferocious publicity storm and names were named. Even still, the practice has been common enough to galvanize California lawmakers to take matters into their own hands and pass a law that in effect orders companies and universities to stop being so creepy.
What this means for you:
As of January 1, 2013, it will be illegal for you to ask your employees or applicants for access to their personal social media accounts, which will include things like Facebook, Twitter, MySpace, etc. Keep in mind, many people already openly share many aspects of their personal life (sometimes unintentionally!). As an applicant, even before it becomes an actual law, don’t let an institution or organization bully/intimidate you into this degrading invasion of your privacy.
As a business owner, employer or educator, this area is still very grey, and proper legislation is far from being clearly defined, especially as the boundaries between employees’ professional and personal lives are blurred by increasingly permissive/flexible business cultures. Remember the days when Facebook was banned at the office? Aside from the fears about wasted productivity, there were (and still are) very valid underlying concerns of mixing personal (and possibly very unprofessional) activities with business/educational pursuits. If in doubt, ask your HR representative, and check your conscience.
Threatpost has reported on a new zero-day vulnerability that is affecting the Oracle Java plugin used in all popular web browsers, and this time, all operating systems, including Apple’s OS X which is typically excluded from most security exploits. So far, the white hats are ahead of the game on this one, having detected and then demonstrated the hack to Oracle in a “proof of concept” as opposed to discovering malware in the wild exploiting the security hole. In case you missed it, Oracle experienced a similar situation not less than a month ago with Java 7, so it’s likely there are more holes waiting to be discovered.
What this means for you:
This is a fairly significant vulnerability according to the folks that discovered it, as it affects multiple version of Java, including the most recent version 7 release, and multiple operating systems. However, it does not appear to be widely exploited yet, giving Oracle time to patch it up before malware writers can disperse malware to take advantage of this hole. According to Oracle, Java is in use on billions of devices, so if they were to ignore this vulnerability, there could be serious repercussions. If Oracle drags its feet on releasing a patch, you may want to consider disabling the Java plugin in your browser, or uninstalling it altogether. Before you do that, make sure you don’t rely on Java for any critical business applications – you may be surprised to find out just how often you use Java without knowing it!
Either stop what you are doing and read this article from PC World, or mark it for later and keep reading this story, because this may be the most important thing you do this month.
Easily searchable personal information available on the web plus easy-to-guess passwords can lead to identity theft. Not worried about that? You should be. It’s a problem that won’t be going away anytime soon, and it won’t just affect your personal life – it can impact your business as well. Keep in mind that being targeted by a hacker versus getting infected by malware are two very different levels of danger. A direct hacking attempt is focused and presents a very clear threat to you, your loved ones and your business.
What this means for you:
Google yourself. Try various combinations of your name (including former names if appropriate). Now try your family members. Look for data that you might consider sensitive: age, birthdate, address, names of financial institutions, work or home addresses, and most importantly look for anything that you’ve used as a password. Don’t freak out! Google doesn’t know you that your dog’s name is your favorite password, but a clever hacker might figure it out just by guessing.
If you’ve sufficiently worried yourself, here’s what you need to do to harden your personal security profile:
- Use longer passwords (8 or more characters) that are not easily guessable. That means you need to stop using your Mom’s birthday, your cat’s name, etc. Mix it up with numbers and punctuation. Hackers can crack a 5-digit/letter password in a single hour just by brute force. If you want to be really safe, use a Passphrase.
- Don’t use the same password/passphrase on your important accounts, like Banks, email, data encryption, etc.
- Search your email (especially if it’s cloud-based like Gmail or Hotmail) for any emails that contain passwords, delete those emails immediately. Delete any emails that list account/login names for important accounts. Do this even if the information is no longer valid – hackers can use the info to make better guesses about active account names and passwords.
- Check your privacy settings for any social networking accounts you use (or have used in the past). If you don’t understand how they work, learn how they work or remove your account if you can’t/won’t take the time. This includes Facebook, G Plus, Pinterest, Yelp, etc. Anywhere you’ve typed in personal information about yourself may be a potential leak you didn’t know you needed to plug.
In the end, if you are able to make yourself even incrementally harder to hack than someone else, hackers are more likely to move on to easier targets. Obviously, if you need help hardening your personal or business security profile, don’t hesitate to give us a call!
Image: FreeDigitalPhotos.net
Bromium, a new startup by the same braintrust that founded Xen – a popular virtualization platform now owned by industry giant Citrix – is promising their new product, “vSentry” will return computer users to the heady days of pre-virus computing. The basic idea behind this product is basically a combination of virtualization and hardware/software compartmentalization that creates agents called “microvisors” that act as a disposable “mini-computer” that are fired up to do things like read email, surf the web, play games, etc. and are then discarded completely once you have finished with that task. Conceptually, if, during the course of that task, the microvisor was attacked and infected by malware, the malicious code would end up going nowhere in the end, as the agent was dismissed from use. Think of the microvisor as a pair of impermeable, disposable gloves, tossed into the waste bin after every use, without the landfill aftermath.
What this means for you:
Based upon what I could tell, the product is still in the very early stages, and not yet readily available to the average computer user. It’s nice to imagine an internet where you can open an email from a friend, click a strange attachment and not worry about utterly destroying your computer. Even with the best-in-industry anti-malware software installed on your computer, the weakest link is still the operator at the keyboard. Until this product becomes a reality, and gets installed on every computer, vigilance is still your best defense against the wild internet. Always make sure your anti-malware software is installed, updated and WORKING. Always back up your data, and make sure those back ups are good. And if you are ever in doubt about your computer’s security, give us a call!








![Java_Logo[1].png Java logo](https://c2techs.net/wp-content/uploads/2012/09/Java_Logo[1]-460x260_c.png)

![Br_twitter[1].png Bromium Logo](https://c2techs.net/wp-content/uploads/2012/09/Br_twitter[1]-460x260_c.png)