Over the years since the internet has come to dominate the technology and business landscape, I’ve often compared the growing tide of malware and general bad behavior found online to pollution. Like its physical manifestation, the source of internet pollution can’t be tied to a single cause or factor or even several of them. The rising tide of malware, spam, cybercrime, and even fake news is caused by a relatively small group of ignorant, mercenary or even outright malicious agents, but because of the way the internet works, there are few practical ways to stop it from spreading everywhere. If you imagine that the internet is the ocean, this stuff is a gigantic oil spill, illegal toxic waste dump and six-pack rings spreading everywhere.
And your website is soaking in it.
Most of us access the internet like we tap our water supply – through (more or less) filtered pipes connected to the main source. Just like I wouldn’t recommend drinking your water straight out of a lake or stream without some filtering, accessing the internet without proper protections is asking for a nasty infection. But have you considered the chilling fact that your website is out there, right now, braving the internet without a hazmat suit? According to at least one internet security company, over half of all website traffic is generated by bots, and more than half of that traffic is malicious. More importantly, they found that for the smallest, least trafficked websites (0-10 human visitors per day) had the highest percentage of non-human traffic, and because they were less visible and more likely to be unattended, they were more likely to be attacked and successfully compromised. Does that sound like a website you know? Maybe your own website? On average, C2’s webserver is attacked several hundred times a day, and, let’s face it, compared to the rest of the web, we’re at the very low-end of the traffic scale.
As to why anyone would attack a site that isn’t visited that much? A compromised website has many uses, many of which actually require that attention not be drawn to the compromised activities occurring on your very own internet island. This allows the attackers to leverage your site’s computing and broadcasting power (however small), essentially drafting it into a massive mesh of zombified soldiers that aren’t limited by a workplace or home firewall. And there are a ton of low-traffic websites. It’s the internet-version of the age-old question of, “Which would you rather fight?” One massive, infected website, or a million tiny, but infected, websites?
Unless you are a skilled website administrator, securing your site isn’t trivial. Definitely leave it to the professionals, but don’t leave it undone. Your website is floating in polluted waters, and unless you take necessary precautions, your little bit of internet paradise might end up looking like the picture attached.
Image courtesy of Sujin Jetkasettakorn from FreeDigitalPhotos.net
In 1993, The New Yorker magazine published the cartoon “On the Internet, Nobody Knows You’re a Dog” by artist Peter Steiner. More than two decades later, this simple illustration continues to highlight the double-edged sword that is the internet’s ability to widely spread information effortlessly. This is a powerful force multiplier for both good and evil, even more so if the information is wrong, or worse, deliberately misleading with no way to hold anyone accountable for the malicious activity. A few years back I wrote about how easy it was to misinform “the public” resulting in adverse consequences, a trend that seemingly culminated into a highly effective political strategy of deliberately spreading false or misleading stories on Facebook and other social media platforms. Unfortunately, fake news purveyors are upping their game and have now descended to building counterfeit websites that ape actual, legitimate news organizations, hoping to further obfuscate research into an article’s legitimacy now that social media news readers have become a little more savvy.
How does an average citizen tell the real from the fake?
As you might have already noticed, conning someone via the internet has become increasingly more likely and common. Where before we could roll our eyes at obvious spam emails filled with broken English and ridiculous schemes, our mailboxes and social media accounts are flooded with well-funded and cleverly disguised content that appears legitimate, and because no one has the time investigate every single thing we receive, we take the most expedient path to discovery – we click and consume without engaging some critical reasoning, the internet equivalent of finding out if milk is bad by taking a swig before giving it the sniff test. Unfortunately for us, clicking a bad link or passing along a fake news story will result in way worse consequences than a mouthful of sour milk. Dealing with bad milk is easy – toss that carton in the trash – but how do you hold accountable someone (who might or might not be a figurative dog) on the internet?
All hope is not lost. While it may be misleading to fear that anyone can remain completely anonymous on the internet, it’s actually still difficult to accomplish this. Maybe less so when you have the backing of a nation-state and an army of hackers whose full-time job is to cause disruption through fake news, but the tool they use, the internet, still sees and tracks everything, and spreads the truth just as freely and quickly as the false information. For now it will be a competition to see who can spread information more effectively, and the only way good prevails if we the audience engage our brains to the fullest whenever we take a dip in the currently muddy waters of the internet.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.
Here comes the email security soapbox again!
What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.
There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: all security systems are only as strong as the weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for security breach will prepare you to react properly and deliberately rather than a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.
Remember when there was nothing more innocent and incorruptible as a child’s teddy bear? For all the potential good the internet can bring, there are some things that should just not get connected, at least until we can secure data properly. The latest black eye for the “Internet of Things” (IoT) comes in the form of a line of stuffed animals that can record and relay messages back and forth between parent and child. While wholesome and lovely in theory, the whole implementation is undermined by poor security and what appears to be a non-trivial amount of carelessness, all the ingredients for a disastrous internet breach. Reports vary, but anywhere from 500k-800k “users” data was exposed to an unknowable number of unauthorized eyes. This data included both identifying information as well as the actual voice messages from both adults and children.
What this means for you:
If you happened to be the (no longer) proud owner of a CloudPet, you have the unenviable responsibility of trying to explain to your child why they can’t use the thing that made this toy special. Hopefully it won’t be traumatizing. While you may be able to enjoy some schadenfreude from the possibility that the company appears well on it’s way to failure, this also means that there will be no recourse or recompense for saddling you with a toy that violated your family’s privacy. Not a CloudPet user? Regardless if you are a parent, relative or even just a friend, think twice before giving a small child an internet-connected toy. Very clearly, we, and the internet, are not ready for such a thing.
One month ago we wrote about a wave of attacks powered by compromised security appliances – mostly Asian-manufactured network video recorders – that disabled popular internet services for several days in late October. Despite the growing awareness of the problem due to this incident, this infected segment of the Internet of Things (IoT) is still active and wreaking havoc on a new front. Security researchers are reporting active attacks on routers used primarily by ISP’s Deutsche Telekom (Germany) and Eircom (Ireland) to service their internet customers. The attacks, powered by a new variant of the Mirai malware that was behind the previous IoT attacks in October, exploit a recently discovered weakness in Zyxel and Speedport routers, and a remote management protocol known as TR-069 which ISP’s traditionally use to manage equipment distributed to their customers. According to Deutsche Telekom, nearly one million of their customers may be affected by this exploit, and security researchers have cause to believe that over 40 million devices on the internet may be vulnerable to exploits of TR-069.
What this means for you:
Data is still being gathered on how widespread this problem may be, so it’s not immediately clear if anyone here in the States is directly impacted by this particular exploit. I can guarantee that if we aren’t affected by this one, there are probably several others we haven’t yet discovered. One of the great conundrums tech service providers (like C2) face is that we must rely on the internet to provide support to our clients, and in doing so have to make devices like routers “visible” on the internet, which in turn opens them to attack. As is typically the advice in the face of unknown threats, preparation is your best defense: change default passwords to strong, unique ones. Shield critical devices from the internet where possible through isolation, control and firewalls, and most importantly, understand and document what devices in your organization have contact with the internet so that when an attack does surface, we can quickly root out the source and hopefully prevent further damage. We are to the point now that a malware infection is a certainty in almost any environment, and the difference comes from how well prepared you are to recover from it.
It’s one of the oldest cons in the book: convincing a mark that they’re sick and then selling them a handy cure for the low, low price of “You just got ripped off.” Despite this sort of scam being perpetrated on the internet for years now, it’s still bamboozling lots of people, according to a recent court case brought by the FTC against a US-based company that has tricked computer users into purchasing millions in fake technical support to “fix” their computers. The scammers find their “marks” via fake pop-ups warning users that their computers are infected or performing poorly and provide a prominent phone number to call to receive tech support from a “certified” Microsoft or Apple partner (of which they are most definitely not). Once the victim calls, they are essentially tricked into believing they actually need support through carefully crafted application of legitimate tools and deceitful interpretation of events and warnings that are commonplace and not necessarily indicative of an actual problem. Once the scammers get your credit card or bank account info and get paid, they will deliver the service in the form of tech support “theatrics” which is more than likely just a script that looks impressive, but doesn’t actually do anything or might even damage your computer further. It’s also highly likely your payment info gets sold on the black market for additional profit.
Spread the word:
Clients of C2 Technology are typically savvy enough to spot this con a mile away, or at a minimum, have developed a healthy sense of skepticism to pick up the phone and call for a second opinion from someone they know and trust. It may not occur to you that, as a tech-savvy professional, you might actually be that trusted advisor for your family, friends and colleagues. Even if you don’t feel like a tech expert, you know enough to warn the people around you about these sort of scams, and you definitely know an expert who is always willing to take their call. At minimum, you should foster a healthy skepticism in the more naive or gullible loved ones, especially the ones that always seem to fall for the most obvious scams. This isn’t just for their benefit, it serves you as well. The more people around you who stay safe, the less likely you are to get infected. Thanksgiving dinners are a lot more enjoyable when you don’t have an family-spread malware infection on the table.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
The good ship Yahoo is still battling troubled waters on its journey to the safe harbor of a Verizon purchase. Reuters has just released a massive bombshell that may blockade if not outright scuttle the $4.8bln deal: two former employees of the beleagured media company have alleged that Yahoo complied with a classified directive from a government agency to directly surveil the millions of email accounts hosted by Yahoo in 2015. According to the Reuter sources, the decision to open Yahoo Mail’s kimono was made behind closed doors, excluding Yahoo’s then Chief Information Security Officer, who apparently resigned because of this incident.
Whiskey Tango Foxtrot, Yahoo?
Normally, I don’t urge folks to get out the pitchforks and torches, but on reading this I actually used language not normally heard in polite company. Thus far the government agencies named are declining comment. If the allegation proves accurate, I’d say Yahoo customers had their Fourth Amendment rights violated and thoroughly trod upon any trust they might have had left with their still substantial customer base. Coupled with the recent massive breach they experienced in 2014 and the debacle that was their conversion to a new email platform in 2013, it’s no wonder Yahoo has gone from an Internet powerhouse to second-tier media company up for sale. If you are still using Yahoo as a primary email provider for work, you should stop doing so immediately, not only for security issues that they can’t seem to get ahead of, but now for serious breaches of privacy and trust.
You know the general public is suffering from security fatigue when something as big as the Dropbox breach appears in the news, and almost as quickly, disappears. In case you blinked, online magazine Vice.com broke the news last week that a database recently surfaced which contains over 60 million Dropbox.com user accounts (email addresses) and hashed passwords. Almost immediately following this news, Dropbox itself issued an email warning to its users that it was resetting passwords of users who might have been impacted by a 2012 breach. Breach notification site HaveIBeenPwned.com also corroborated the reports that the account information found in the database does contain valid usernames and encrypted passwords.
What this means for you:
Even though breach data may be years old it can still be valuable, especially if the passwords are stored with weak, easy-to-crack encryption. In the case of the Dropbox breach, approximately half of the passwords are strongly encrypted, and are unlikely to be decoded, and the other half stored in a slightly weaker, but still formidable encryption method. As proof of their continued value, many databases from breaches as far back as 2012 and earlier as still actively traded and sold in the digital blackmarket, and as technology continues to advance, you can bet that even strongly encrypted databases will eventually be cracked. If your account and password only showed up in the Dropbox.com breach, you could consider your password relatively safe (change it anyways!) for now, but if you used it elsewhere, and that account was exposed in another breach, like the LinkedIn.com breach that happened in the same year, and you used the same password as you did for Dropbox, your security is considerably more compromised. Multiply that exposure for every other breach you were a part of and used the same password again, and we can’t even account for the breaches that haven’t yet been publicized!
Long story short: check HaveIBeenPwned.com, change your passwords, and don’t reuse passwords!
Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, attributing the original hack as likely being the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the install of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Scheier, have evaluated the data released, and in light of the the current political climate between the US and Russia, are of the opinion that this might be a manuever by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?










