,

Watch out for threatening emails from Anonymous or Lizard Squad

The Federal Bureau of Investigation is warning about potential attacks from a hacking group called Lizard Squad. This information, released today, was labeled “TLP:Green” by the FBI and CERT, which means that it shouldn’t be publicly shared – but I am sharing it because this information was published on a publicly accessible blog run by the New York State Bar Association. I do not know why distribution of this information was restricted.

The FBI said:

Summary

An individual or group claiming to be “Anonymous” or “Lizard Squad” sent extortion emails to private-sector companies threatening to conduct distributed denial of service (DDoS) attacks on their network unless they received an identified amount of Bitcoin. No victims to date have reported DDoS activity as a penalty for non-payment.

Threat

In April and May 2017, at least six companies received emails claiming to be from “Anonymous” and “Lizard Squad” threatening their companies with DDoS attacks within 24 hours unless the company sent an identified amount of Bitcoin to the email sender. The email stated the demanded amount of Bitcoin would increase each day the amount went unpaid. No victims to date have reported DDoS activity as a penalty for nonpayment.

Reporting on schemes of this nature go back at least three years.

In 2016, a group identifying itself as “Lizard Squad” sent extortion demands to at least twenty businesses in the United Kingdom, threatening DDoS attacks if they were not paid five Bitcoins (as of 14 June, each Bitcoin was valued at 2,698 USD). No victims reported actual DDoS activity as a penalty for non-payment.

Between 2014 and 2015, a cyber extortion group known as “DDoS ‘4’ Bitcoin” (DD4BC) victimized hundreds of individuals and businesses globally. DD4BC would conduct an initial, demonstrative low-level DDoS attack on the victim company, followed by an

email message introducing themselves, demanding a ransom paid in Bitcoins, and threatening a higher level attack if the ransom was not paid within the stated time limit. While no significant disruption or DDoS activity was noted, it is probable companies paid the ransom to avoid the threat of DDoS activity.

Background

Lizard Squad is a hacking group known for their DDoS attacks primarily targeting gaming-related services. On 25 December 2014, Lizard Squad was responsible for taking down the Xbox Live and PlayStation networks. Lizard Squad also successfully conducted DDoS attacks on the UK’s National Crime Agency’s (NCA) website in 2015.

Anonymous is a hacking collective known for several significant DDoS attacks on government, religious, and corporate websites conducted for ideological reasons.

Recommendations

  • The FBI suggests precautionary measures to mitigate DDoS threats to include, but not limited to:
  • Have a DDoS mitigation strategy ready ahead of time.
  • Implement an incident response plan that includes DDoS mitigation and practice this plan before an actual incident occurs. This plan may involve external organizations such as your Internet Service Provider, technology companies that offer DDoS mitigation services, and law enforcement.
  • Ensure your plan includes the appropriate contacts within these external organizations. Test activating your incident response team and third party contacts.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Ensure upstream firewalls are in place to block incoming User Data Protocol (UDP) packets.
  • Ensure software or firmware updates are applied as soon as the device manufacturer releases them.

If you have received one of these demands:

  • Do not make the demand payment.
  • Retain the original emails with headers.
  • If applicable, maintain a timeline of the attack, recording all times and content of the attack.

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at email hidden; JavaScript is required. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s national Press Office at email hidden; JavaScript is required or (202) 324-3691.

With Petya, Malware Means Cyberwar

Petya may indicate the start of real cyberwar. This week’s newest ransomware attack is technically similar to the WannaCry (aka WannaCrypt) cyberattack. However, the intent, and the results, are quite different – one wants to make money, the other to destroy data.

Both Petya and WannaCry are the results of an exploitable flaw in many versions of Windows. Microsoft learned about the flaw after NSA data was stolen, and quickly issued an effective patch. However, many customers have not installed the patch, and therefore, their systems remained vulnerable. Making the situation more complicated, many of those Windows system used pirated versions of the operating system, which means that the system owners may not have been notified about the vulnerability and patch – and not all may have been able to install the patch in any case, because Microsoft verifies the license of Windows during upgrades.

Here’s what Microsoft says:

As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release signatures to detect and protect against the malware.

Based on our investigation, the malware was initially delivered via a Ukrainian company’s (M.E.doc) update service for their finance application, which is popular in Ukraine and Russia. Once the initial compromise took hold, the ransomware used multiple tools in its arsenal to spread across impacted networks. If unpatched, the malware uses vulnerabilities CVE-2017-0144 and CVE-2017-0145 to spread across networks. Microsoft released MS17-010 in March that addressed the vulnerabilities exploited by Petya. If that technique was not effective, the malware uses other methods like harvesting of credentials and traversing networks to infect other machines. (read the Microsoft Malware Protection Center analysis here for more details.)

The information from the Malware Protection Center goes into considerable technical detail. It’s  fascinating, and worth reading if you like that sort of thing (like I do).

Goodbye, Data

Analysts  believe that Petya is something new: This malware  pretends to be plain old ransomware that asks for $300 to unlock encrypted data – but is actually intended to steal passwords and destroy data. In other words, it’s a true weaponized cyberattack.

To quote TechCrunch:

Petya appears to have been modified specifically to make the encoding of user data irreversible by overwriting the master boot record. The attackers’ email address also appears to have been taken offline, preventing ransoms from being paid.

Says Krebs on Security:

Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.

Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.

Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

Kaspersky Labs agrees:

After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.

This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.

Different than WannaCry

Both Petya and WannaCry are the results of an exploitable flaw in many versions of Windows. Microsoft learned about the flaw after NSA data was stolen, and quickly issued an effective patch. However, many customers have not installed the patch, and therefore, their systems remained vulnerable. Making the situation more complicated, many of those Windows system used pirated versions of the operating system, which means that the system owners may not have been notified about the vulnerability and patch – and not all may have been able to install the patch in any case, because Microsoft verifies the license of Windows during upgrades.

Petya: A Test for Bigger Cyberwarfare?

There is considerable chatter that Petya is a test. It may be designed to see how well this specific malware distribution methodology works, with a nasty but limited malicious payload primary intended to harm Ukraine. It’s clear that the methodology works, and as long as administrators put off patching their servers, these sorts of attacks will succeed. The next one might be a lot nastier. First WannaCry, then Petya. What’s next?

, ,

Agylytyx is a silly name, let’s make fun of it

I am unapologetically mocking this company’s name. Agylytyx emailed me this press release today, and only the name captured my attention. Plus, their obvious love of the ™ symbol — even people they quote use the ™. Amazing!

Beyond that, I’ve never talked to the company or used its products, and have no opinion about them. (My guess is that it’s supposed to be pronounced as “Agil-lytics.”)

Agylytyx Announces Availability of New IOT Data Analysis Application

SUNNYVALE, Calif., June 30, 2017 /PRNewswire/ — Agylytyx, a leading cloud-based analytic software vendor, today announced a new platform for analyzing IoT data. The Agylytyx Generator™ IoT platform represents an application of the vendor’s novel Construct Library™ approach to the IoT marketplace. For the first time, companies can both explore their IoT data and make it actionable much more quickly than previously thought possible.

From PLC data streams archived as tags in traditional historians to time series data streaming from sensors attached to devices, the Agylytyx Generator™ aggregates and presents IoT data in a decision-ready format. The company’s unique Construct Library™ (“building block”) approach allows decision makers to create and explore aggregated data such as pressure, temperature, output productivity, worker status, waste removal, fuel consumption, heat transfer, conductivity, condensation or just about any “care abouts.” This data can be instantly explored visually at any level such as region, plant, line, work cell or even device. Best of all, the company’s approach eliminates the need to build charts or write queries.

One of the company’s long-time advisors, John West of Clean Tech Open, noticed the Agylytyx Generator™ potential from the outset. West’s wide angle on data analysis led him to stress the product’s broad applicability. West said “Even as the company was building the initial product, I advised the team that I thought there was strong applicability of the platform to operational data. The idea of applying Constructs to a received data set has broad usage. Their evolution of the Agylytyx Generator™ platform to IoT data is a very natural one.”

The company’s focus on industrial process data was the brainchild of one the company’s investors, Jim Smith. Jim is a chemical engineer with extensive experience working with plant floor data. Smith stated “I recognized the potential in the company’s approach for analyzing process data. Throughout the brainstorming process, we all gradually realized we were on to something groundbreaking.”

This unique approach to analytics attracted the attention of PrecyseTech, a pioneer of Industrial IoT (IIoT) Systems providing end-to-end management of high-value physical assets and personnel. Paul B. Silverman, the CEO of PrecyseTech, has had a longstanding relationship with the company. Silverman noted: “The ability of the Agylytyx Generator™ to address cloud-based IoT data analytic solutions is a good fit with PrecyseTech’s strategy. Agylytyx is working with the PrecyseTech team to develop our inPALMSM Solutions IoT applications, and we are working collaboratively to identify and develop IoT data opportunities targeting PrecyseTech’s clients. Our plans are to integrate the Agylytyx Generator™ within our inPALMSM Solutions product portfolio and also to offer users access to the Agylytyx Generator™ via subscription.”

Creating this IoT focus made the ideal use of the Agylytyx Generator™. Mark Chang, a data scientist for Agylytyx, noted: “All of our previous implementations – financial, entertainment, legal, customer service – had data models with common ‘units of measure’ – projects, media, timekeepers, support cases, etc. IoT data is dissimilar in that there is no common ‘unit of measure’ across devices. This dissimilarity is exactly what makes our Construct Library™ approach so useful to IoT data. The logical next step for us will be to apply machine learning and cluster inference to enable optimization of resource deployment and predictive analytics like predictive maintenance.”

About Agylytyx

Agylytyx provides cloud-based enterprise business analytic software. The company’s flagship product, the Agylytyx Generator™, frees up analyst time and results in better decision making across corporations. Agylytyx is based in Sunnyvale, California, and has locations in Philadelphia and Chicago, IL. For more information about Agylytyx visit www.agylytyx.com.

Sorry, spammers, but James Comey is no longer FBI Director

This is a generally unremarkable spam message except for the obvious. James Comey was fired as the Director of the FBI on May 9. That makes it unlikely that Mr. Comey can deliver the promised $1.2 million. Bummer.

The missing spaces are just the way they were in the message. I do like the comment about things being in the spam folder. Let’s blame the Internet Service Provider!!

If you get messages like this, delete them – don’t reply.

From: “JAMES B.COMEY”
Subject: Urgent Reply Needed For Your Payment
Reply-To: email hidden; JavaScript is required

FEDERAL BUREAU OF INVESTIGATIONS (F.B.I)
HEADQUARTERS WASHINGTON DC. JAMES B.COMEY
BUILDING 935 PENNSYLVANIA AVENUE,
NW WASHINGTON, D.C. 20535-0001
E-Mail: email hidden; JavaScript is required

Our Ref: FBI /0N8/CONTRACT NO.856.

Motto: Fidelity, Bravery, Integrity

Greetings My Dear

This is James B.Comey,the Director of the Federal Bureau of Investigation(FBI), I am here in Africa as an FBI/ United States delegate that have been delegated to investigate fraudsters who are in the business of swindling Foreigners that has transactions in Africa.

Please be informed that during our investigations we found out that there is a total amount of $1.2 Million that has been assigned in your name as the beneficiary but those fraudsters are busy swindling you without any hope of receiving your fund,these are the works of the people who needed to extort money from you in the name of this transfer,We have to inform you that we have arrested some men in respect of this delayed over due fund. I have a very limited time to stay in Africa here so I advise you urgently respond to this message .

These criminals will be caught unaware and I don’t want them to know this new development to avoid jeopardizing my investigation,you need to conceal anything that has to do with this exercise to enable me get all the necessary information required.

I shall be expecting your swift response as soon as you receive this email and notify me of any message or phone call you receive from those people for me to investigate on it before you make any contact with them.

In case if found this message in spam folder, it could be due to your Internet Service Provider, ISP. So kindly move to your inbox before replying. 

Regards.

JAMES B.COMEY
FEDERAL BUREAU OF INVESTIGATIONS (F.B.I)

,

It’s time for some butterfly color

, ,

Virtual Reality, Augmented Reality, Real Reality

Virtual reality and augmented reality are the darlings of the tech industry. Seemingly every company is interested, even though one of the most interested AR products, Google Glass, crashed and burned a few years ago.

What’s the difference?

  • Virtual reality (VR) is when you are totally immersed in a virtual world. You only see (and hear) what’s presented to you as part of that virtual world, generated by software and displayed in stereo goggles and headphones. The goggles can detect motion, and can let you move around in virtual world. Games and simulations take place in VR.
  • Augmented reality (AR) means visual overlays. You see the real world, with digital information superimposed on it. Google Glass was AR. So, too, are apps where you aim your smartphone’s camera at the sky, and the AR software overlays the constellations on top of the stars, and shows where Saturn is right now. AR also can guide a doctor to a blood clot, or an emergency worker away from a hot wire, or a game player to a Pokemon character in a local park.

Both AR and VR have been around for decades, although the technology has become smaller and less expensive. There are consumer-oriented devices, such as the Oculus, and many professional systems. Drivers for the success of AR and VR are more powerful computing devices (such as smartphones and game consoles), and advances in both high-resolution displays and motion sensors for goggles.

That doesn’t mean that AR/VR are the next Facebook or Instagram, though both those companies are looking at AR/VR. According to a study, “VR/AR Innovation Report,” presented by the UBM Game Network, VR’s biggest failures include a lack of subsidized hardware enterprise applications, and native VR experiences. The gear is too expensive, developers say, and manufacturers are perceived to have failed in marketing VR systems and software.

Keep that airsick bag handy

It’s well known that if the VR hardware doesn’t work exactly right. If image motion is not properly synchronized to head motion, many VR users experience nausea. That’s not good. To quote from the UBM study:

Notably, we saw that many still feel like VR’s greatest unsolved problem is the high risk of causing nausea and physical discomfort.

“The biggest issue is definitely the lack of available ‘simulator sickness’ mitigation techniques,” opined one respondent. “Since each VR application offers a unique user experience, no one mitigation technique can service all applications. Future designs must consider the medium/genre they are developing for and continue to investigate new mitigation techniques to ensure optimal user enjoyment.”

Lots of good applications

That doesn’t mean that VR and AR are worthless. Pokemon Go, which was a hit a few summers ago, demonstrated that AR can engage consumers without stereo goggles. Google Earth VR provides immersive mapping experiences.

The hardware is also moving forward. A startup in Helsinki, called Varjo, made a breakthrough in optimizing goggles for AR and VR. They are addressing the challenge that if you make the resolution low on the goggles so that you can refresh the image quickly, it doesn’t look realistic. But if you increase the resolution to match that of the human eye, it’s harder to drive the image seamlessly in real time.

Varjo’s answer is to see where the eye is looking – using a technology called gaze tracking – and seamlessly drive that part of the display in super-high resolution. Where you’re not looking? That can be at a lower resolution, to provide context. Varjo says they can shift the high-resolution spot as fast as you can move your eye – and by tracking the gaze on both eyes, they can see if you are looking at virtual objects “close” or “far away.” The result, Varjo claims, is a display that’s about 35x higher resolution than other commercial systems, without nausea.

Varjo is focusing on the professional marketing with headsets that will cost thousands (not hundreds) of dollars when they ship at the end of 2017. However, it shows the promise of realistic, affordable AR/VR technology. Augmented reality and virtual reality are becoming more real every day.

, ,

Just say No to Flash, CNN

CNN didn’t get the memo. After all the progress that’s been made to eliminate the requirement for using Adobe’s Flash player by so many streaming-media websites, CNNgo still requires the problematic plug-in, as you can see by the screen I saw just a few minutes ago.


Have you not heard of HTML5, oh, CNN programmers? Perhaps the techies at CNN should read “Why Adobe Flash is a Security Risk and Why Media Companies Still Use it.” After that, “Gone in a Flash: Top 10 Vulnerabilities Used by Exploit Kits.”

Yes, Adobe keeps patching Flash to make it less insecure. Lots and lots of patches, says the story “Patch Tuesday: Adobe Flash Player receives updates for 13 security issues,” publishing in January. That comes in the heels of 17 security flaws patched in December 2016.

And yes, there were more critical patches issued on June 13, 2017. Flash. Just say no. Goodbye, CNNgo, until you stop requiring that prospective customers utilize such a buggy, flawed media player.

And no, I didn’t enable the use of Flash. Guess I’ll never see what CNN wanted to show me. No great loss.

,

Gila Woodpecker on a hummingbird feeder

, ,

Varjo offers a new type of high-def VR/AR display tuned to the user’s eye motions

The folks at Varjo think they’re made a breakthrough in how goggles for virtual reality and augmented reality work. They are onto something.

Most VR/AR goggles have two displays, one for each eye, and they strive to drive those displays at the highest resolution possible. Their hardware and software takes into account that as the goggles move, the viewpoint has to move in a seamless way, without delay. If there’s delay, the “willing suspension of disbelief” required to make VR work fails, and in some cases, the user experiences nausea and disorientation. Not good.

The challenge come from making the display sufficiently high resolution to allow the user to make objects look photorealistic. That lets user manipulate virtual machine controls, operate flight simulators, read virtual text, and so-on. Most AR/VR systems try to make the display uniformly high resolution, so that no matter where the user looks, the resolution is there.

Varjo, based in Finland, has a different approach. They take advantage of the fact that the rods and cones in the human eye sees in high resolution in the spot that the eye’s fovea is pointing at – and much lower elsewhere. So while the whole display is capable of high resolution, Varjo uses fovea detectors to do “gaze tracking” to see what the user is looking at, and makes that area super high resolution. When the fovea moves to another spot, that area is almost instantly bumped up to super high resolution, while the original area is downgraded to a reduced resolution.

Sound simple? It’s not, and that’s why the initial Varjo technology will be targeted at professional applications, like doctors, computer-aided design workers, or remote instrument operators. Prototypes of the goggles will be available this year to software developers, and the first products should ship to customers at the end of 2018. The price of the goggles is said to be “thousands, not tens of thousands” of dollars, according to Urho Konttori, the company’s founder. We talked by phone; he was in the U.S. doing demos in San Francisco and New York, but unfortunately, I wasn’t able to attend one of them.

Now, Varjo isn’t the first to use gaze tracking technology to try to optimize the image. According to Konttori, other vendors use medium resolution where the eye is pointing, and low resolution elsewhere, just enough to establish context. By contrast, he says that Varjo uses super high resolution where the user looks, and high resolution elsewhere. Because each eye’s motion is tracked separately, the system can also tell when the user is looking at objects close to user (because the eyes are at a more converged angle) or farther away (the eyes are at a more parallel angle).

“In our prototype, wherever you are looking, that’s the center of the high resolution display,” he said. “The whole image looks to be in focus, no matter where you look. Even in our prototype, we can move the display projection ten times faster than the human eye.”

Konttori says that the effective resolution of the product, called 20/20, is 70 megapixels, updated in real time based on head motion and gaze tracking. That compares to fewer than 2 megapixels for Oculus, Vive, HoloLens and Magic Leap. (This graphic from Varjo compared their display to an unnamed competitor.) What’s more, he said the CPU/GPU power needed to drive this display isn’t huge. “The total pixel count is less than in a single 4K monitor. you need roughly 2x the GPU compared to a conventional VR set for the same scene.”

The current prototypes use two video connectors and two USB connectors. Konttori says that this will drop to one video connector and one USB connector shortly, so that the device can be driven by smaller professional-grade computers, such as a gaming laptop, though he expects most will be connected to workstations.

Konttori will be back in the U.S. later this year. I’m looking forward to getting my hands (and eyes) on a Varjo prototype. Will report back when I’ve actually seen it.

,

Hibiscus under the sprinkler

,

The good and bad of press relations – a view from four editors

What do PR people do right? What do they do wrong? Khali Henderson, a senior partner in BuzzTheory Strategies, recently interviewed me (and a few other technology editors) about “Things Editors Hate (and Like) About Your Press Relations.”

She started the story with,

I asked these veteran editors what they think about interfacing with business executives and/or their PR representatives in various ways – from press releases to pitches to interviews.

The results are a set of guidelines on what to do and, more importantly, what NOT to do when interfacing with media.

If you’re new to media relations, this advice will start you off on the right track.

Even if you’ve been around the press pool a lap or two, you may learn something new.

After that, Khali asked a number of practical questions, including:

  • When you receive a press release, what makes you most likely to follow up?
  • What makes you skip a press release and go to the next one?
  • When a company executive pitches you a story, what makes you take notice?
  • What makes you pass on a story pitch?
  • When you are reporting on a story, what are you looking for in a source?
  • What do you wish business executives and/or their PR representatives knew about your job?

Read and enjoy the story, and my answers to Khali’s questions!

,

Lordy, I hope there are tapes

I received this awesome tech spam message today from LaserVault. (It’s spam because it went to my company’s info@ address).

There’s only one thought: “Lordy, I hope there are backup tapes.”

Free White Paper: Is A Tape-Related Data Disaster In Your Future?

Is a tape-related data disaster in your future? It may be if you currently use tape for your backup and recovery.

This paper discusses the many risks you take by using tape and relying on it to keep your data safe in case of a disaster.

Read how you can better protect your data from the all too common dangers that threaten your business, and learn about using D2D technology, specifically tape emulation, instead of tape for iSeries, AIX, UNIX, and Windows.

This white paper should be required reading for anyone involved in overseeing their company’s tape backup operations.

Don’t be caught short when the need to recover your data is most critical. Download the free white paper now.

Ha ha ha ha ha. I slay me.

, ,

Running old software? It’s bad, unsafe, and insecure. Replace!

The WannaCry (WannaCrypt) malware attack spread through unpatched old software. Old software is the bane of the tech industry. Software vendors hate old software for many reasons. One, of course, is that the old software has vulnerabilities that must be patched. Another is that the support costs for older software keeps going and growing. Plus, of course, newer software has new features that can generate business. Meanwhile, of course, customers running old software aren’t generating much revenue.

Enterprises, too, hate old software. They don’t like the support costs, either, or the security vulnerabilities. However, there are huge costs in licensing and installing new software – which might require training users and IT staff, buying new hardware, updating templates, adjusting integrations, and so-on. Plus, old software has been tested and certified, and better the risk you know than the risk you don’t know. So, they keep using old software.

Think about a family that’s torn between keeping a paid-for 13-year-old car, like my 2004 BMW, instead of leasing a newer, safer, more reliable model. The decision about whether to upgrade or not upgrade is complicated. There’s no good answer, and in case of doubt, the best decision is to simply wait until next year’s budget.

However: What about a family that decides to go car-shopping after paying for a scary breakdown or an unexpectedly large repair bill? Similarly, companies are inspired to upgrade critical software after suffering a data breach or learning about irreparable vulnerabilities in the old code.

The call to action?

WannaCry might be that call to action for some organizations. Take Windows, for example – but let me be quick to stress that this issue isn’t entirely about Microsoft products. Smartphones running old versions of Android or Apple’s iOS, or old Mac laptops that can’t be moved to the latest edition of OS X, are just as vulnerable.

Okay, back to Windows and WannaCry. In its critical March 14, 2017, security update, Microsoft accurately identified a flaw in its Server Message Block (SMB) code that could be exploited; the flaw was disclosed in documents stolen by hackers from the U.S. security agencies. Given the massive severity of that flaw, Microsoft offered patches to old software including Windows Server 2008 and Windows Vista.

It’s important to note that customers who applied those patches were not affected by WannaCry. Microsoft fixed it. Many customers didn’t install the fix because they didn’t know about it, they couldn’t find the IT staff resources, or simply thought this vulnerability was no big deal. Well, some made the wrong bet, and paid for it.

Patches keep coming; they aren’t enough

This week, Microsoft blogged,

On May 12, 2017, the WannaCrypt ransomware served as an all too real example of the danger of cyber attacks to individuals and businesses globally.

In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations. To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows. Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.

The new patches go back even farther than those issued in March, covering Windows XP and Windows Server 2003. While Microsoft is to be complimented on released those patches, customers should not be complacent. It is dangerous for consumers or consumers to keep running Windows XP, or heaven forbid, Windows 95. It’s equally dangerous to run Windows 2003 at all; anything left on that platform should be migrated. The same is true of smartphones running old versions of Android or iOS, laptops or notebooks running old versions of Macintosh OS, or even old versions of Linux. In some cases, those systems may seem super-reliable – but they are not secure, and can’t be secured.

Unfortunately, upgrades to the latest operating system may require hardware updates (such as more memory) – or a complete replacement. That’s often the case with phones and notebooks, and even servers might require a forklift upgrade. That’s the price of security, however, Forget about the new features of new software; forget about the improved reliability or higher performance that comes along with new hardware. Old software simply can’t be secured. It must go. As my friend Jason Perlow wrote in mid-May, “If you’re still using Windows XP, you’re a menace to society.” He’s right. Get it done.

, , ,

Business advice for chief information security officers (CISOs)

An organization’s Chief Information Security Officer’s job isn’t ones and zeros. It’s not about unmasking cybercriminals. It’s about reducing risk for the organization, for enabling executives and line-of-business managers to innovate and compete safely and  securely. While the CISO is often seen as the person who loves to say “No,” in reality, the CISO wants to say “Yes” — the job, after all, is to make the company thrive.

Meanwhile, the CISO has a small staff, tight budget, and the need to demonstrate performance metrics and ROI. What’s it like in the real world? What are the biggest challenges? We asked two former CISOs (it’s hard to get current CISOs to speak on the record), both of whom worked in the trenches and now advise CISOs on a daily basis.

To Jack Miller, a huge challenge is the speed of decision-making in today’s hypercompetitive world. Miller, currently Executive in Residence at Norwest Venture Partners, conducts due diligence and provides expertise on companies in the cyber security space. Most recently he served as chief security strategy officer at ZitoVault Software, a startup focused on safeguarding the Internet of Things.

Before his time at ZitoVault, Miller was the head of information protection for Auto Club Enterprises. That’s the largest AAA conglomerate with 15 million members in 22 states. Previously, he served as the CISO of the 5th and 11th largest counties in the United States, and as a security executive for Pacific Life Insurance.

“Big decisions are made in the blink of an eye,” says Miller. “Executives know security is important, but don’t understand how any business change can introduce security risks to the environment. As a CISO, you try to get in front of those changes – but more often, you have to clean up the mess afterwards.”

Another CISO, Ed Amoroso, is frustrated by the business challenge of justifying a security ROI. Amoroso is the CEO of TAG Cyber LLC, which provides advanced cybersecurity training and consulting for global enterprise and U.S. Federal government CISO teams. Previously, he was Senior Vice President and Chief Security Officer for AT&T, and managed computer and network security for AT&T Bell Laboratories. Amoroso is also an Adjunct Professor of Computer Science at the Stevens Institute of Technology.

Amoroso explains, “Security is an invisible thing. I say that I’m going to spend money to prevent something bad from happening. After spending the money, I say, ta-da, look, I prevented that bad thing from happening. There’s no demonstration. There’s no way to prove that the investment actually prevented anything. It’s like putting a “This House is Guarded by a Security Company” sign in front of your house. Maybe a serial killer came up the street, saw the sign, and moved on. Maybe not. You can’t put in security and say, here’s what didn’t happen. If you ask, 10 out of 10 CISOs will say demonstrating ROI is a huge problem.”

Read more in my article for Global Banking & Finance Magazine, “Be Prepared to Get Fired! And Other Business Advice for CISOs.”

,

Streamlining the cybersecurity insurance application process

Have you ever suffered through the application process for cybersecurity insurance? You know that “suffered” is the right word because of a triple whammy.

  • First, the general risk factors involved in cybersecurity are constantly changing. Consider the rapid rise in ransomware, for example.
  • Second, it is extremely labor-intensive for businesses to document how “safe” they are, in terms of their security maturity, policies, practices and technology.
  • Third, it’s hard for insurers, the underwriters, and their actuaries, to feel confident that they truly understand how risky a potential customer can be — information and knowledge that’s required for quoting a policy that offers sufficient coverage at reasonable rates.

That is, of course, assuming that everyone is on the same page and agrees that cybersecurity insurance is important to consider for the organization. Is cybersecurity insurance a necessary evil for every company to consider? Or, is it only a viable option for a small few? That’s a topic for a separate conversation. For now, let’s assume that you’re applying for insurance.

From their part, insurance carriers aren’t equipped to go into your business and examine your IT infrastructure. They won’t examine firewall settings or audit your employee anti-phishing training materials. Instead, they rely upon your answers to questionnaires developed and interpreted by their own engineers. Unfortunately, those questionnaires may not get into the nuances, especially if you’re in a vertical where the risks are especially high, and so are the rewards for successful hackers.

According to InformationAge, 77% of ransomware appear in four industries. Those are business & professional services (28%), government (19%), healthcare (15%) and retail (15%). In 2016 and 2017, healthcare organizations like hospitals and medical practices were repeatedly hit by ransomware. Give that data to the actuaries, and they might look for those types of organizations to fill out even more questionnaires.

About those questionnaires? “Applications tend to have a lot of yes/no answers… so that doesn’t give the entire picture of what the IT framework actually looks like,” says Michelle Chia, Vice President, Zurich North America. She explained that an insurance company’s internal assessment engineers have to dig deeper to understand what is really going on: “They interview the more complex clients to get a robust picture of what the combination of processes and controls actually looks like and how secure the network and the IT infrastructure are.”

Read more in my latest for ITSP Magazine, “How to Streamline the Cybersecurity Insurance Process.”

,

Dragonfly, butterfly, bee

Everyone loves bugs — at least, everyone loves beautiful bugs. Right? Here are a few photographed in Phoenix over the past couple of days. The desert here is full of life, from insects to birds to reptiles to plants.

Sure, the temperatures may be hot. The forecast is for 117° F next week (47° C) but never forget, it’s a dry heat. I’d rather be in Phoenix at 117° than, say, Houston or Miami at 95°.

, , ,

A phone that takes pictures? Smartphone cameras turn 20 years old

Twenty years ago, my friend Philippe Kahn introduced the first camera-phone. You may know Philippe as the founder of Borland, and as an entrepreneur who has started many companies, and who has accomplished many things. He’s also a sailor, jazz musician, and, well, a fun guy to hang out with.

About camera phones: At first, I was a skeptic. Twenty years ago I was still shooting film, and then made the transition to digital SLR platforms. Today, I shoot with big Canon DSLRs for birding and general stuff, Leica digital rangefinders when want to be artistic, and with pocket-sized digital cameras when I travel. Yet most of my pictures, especially those posted to social media, come from the built-in camera in my smartphone.

Philippe has blogged about this special anniversary – which also marks the birth of his daughter Sophie. To excerpt from his post, The Creation of the Camera-Phone and Instant-Picture-Mail:

Twenty years ago on June 11th 1997, I shared instantly the first camera-phone photo of the birth of my daughter Sophie. Today she is a university student and over 2 trillion photos will be instantly shared this year alone. Every smartphone is a camera-phone. Here is how it all happened in 1997, when the web was only 4 years old and cellular phones were analog with ultra limited wireless bandwidth.

First step 1996/1997: Building the server service infrastructure: For a whole year before June 1997 I had been working on a web/notification system that was capable of uploading a picture and text annotations securely and reliably and sending link-backs through email notifications to a stored list on a server and allowing list members to comment.

Remember it was 1996/97, the web was very young and nothing like this existed. The server architecture that I had designed and deployed is in general the blueprint for all social media today: Store once, broadcast notifications and let people link back on demand and comment. That’s how Instagram, Twitter, Facebook, LinkedIn and many others are function. In 1997 this architecture was key to scalability because bandwidth was limited and it was prohibitive, for example, to send the same picture to 500 friends. Today the same architecture is essential because while there is bandwidth, we are working with millions of views and potential viral phenomena. Therefore the same smart “frugal architecture” makes sense. I called this “Instant-Picture-Mail” at the time.

He adds:

What about other claims of inventions: Many companies put photo-sensors in phones or wireless modules in cameras, including Kodak, Polaroid, Motorola. None of them understood that the success of the camera-phone is all about instantly sharing pictures with the cloud-based Instant-Picture-Mail software/server/service-infrastructure. In fact, it’s even amusing to think that none of these projects was interesting enough that anyone has kept shared pictures. You’d think that if you’d created something new and exciting like the camera-phone you’d share a picture or two or at least keep some!

Read more about the fascinating story here — he goes into a lot of technical detail. Thank you, Philippe, for your amazing invention!

,

Hacking can kill — and cyberattacks can lead to warfare

Hacking can kill. To take the most obvious example, take ransomware. One might argue that hackers demanding about US$300 (£230) to unlock some files is simply petty crime – unless those files were crucial to hospitals. If doctors can’t access medical files because of the WannaCry ransomware, or must postpone surgery, people can die.

It gets worse: Two Indian Air Force pilots are dead, possibly because of a cyberattack on their Sukhoi 30 fighter jet. According to the Economic Times of India,

Squadron leader D Pankaj and Flight Lieutenant S Achudev, the pilots of the Su-30 aircraft, had sustained fatal injuries when the aircraft crashed approximately 60 km from Tezpur Airbase on May 23. A court of Inquiry has already been ordered to investigate the cause of the accident.

According to defence spokesperson S Ghosh, analysis of the Flight Data Recorder of the aircraft and certain other articles recovered from the crash site revealed that the pilots could not initiate ejection before crash. The wreckage of the aircraft was located on May 26.

What does that have to do with hackers? Well, the aircraft was flying close to India’s border with China, and according to reports, the Sukhoi’s two pilots were possibly victims of cyberwarfare. Says the Indian Defense News,

Analysts based in the vicinity of New York and St Petersburg warn that the loss, days ago, of an advanced and mechanically certified as safe, Sukhoi 30 fighter aircraft, close to the border with China may be the result of “cyber-interference with the onboard computers” in the cockpit. This may explain why even the pilots may have found it difficult to activate safety ejection mechanisms, once it became obvious that the aircraft was in serious trouble, as such mechanisms too could have been crippled by computer malfunctions induced from an outside source.

Trouble in the Middle East

The political situation going on this week in Qatar might lead to a shooting war. In mid-May, stories were published on the Qatar News Agency that outraged its Arab neighbors. According to CNN,

The Qatari government has said a May 23 news report on its Qatar News Agency attributed false remarks to the nation’s ruler that appeared friendly to Iran and Israel and questioned whether President Donald Trump would last in office.

Soon thereafter, three Arab countries cut off ties and boycotted the country, which borders Saudi Arabia on the Persian Gulf. It’s now believed that those stories were “fake news” planted by hackers. Were they state-sponsored agents? It’s too soon to tell. However, given how quickly Bahrain, Saudi Arabia, and the United Arab Emirates reacted — and given how hard Saudi Arabia is fighting in Yemen — this is troubling. Could keystrokes from hackers lead to the drumbeat of war?

As a possibly related follow-up, Qatar-based Al-Jazeera reported on June 8 it was under cyberattack:

The websites and digital platforms of Al Jazeera Media Network are undergoing systematic and continual hacking attempts.

These attempts are gaining intensity and taking various forms. However, the platforms have not been compromised.

In the First World War, the feared new weapon was the unstoppable main battle tank. In the Second World War, it was the powerful aircraft carrier. During the Cold War, we worried about ICBMs raining destruction from the skies. Today… it’s cyberwarfare that keeps us awake at night. Sadly, we can’t hide under our desks in the event of a malware attack.

,

It’s suddenly harder to do tech business in China

Doing business in China has always been a rollercoaster. For Internet businesses, the ride just became more scary.

The Chinese government has rolled out new cybersecurity laws, which begin affecting foreign companies today, June 1, 2017. The new rules give the Chinese government more control over Internet companies. The government says that the rules are designed to help address threats causes by terrorists and hackers – but the terms are broad enough to confuse anyone doing business in China.

Two of the biggest requirements of the new legislation:

  • Companies that do business in China must store all data related to that business, including customer data, within China.
  • Consumers must register with their real names on retail sites, community sites, news sites, and social media, including messaging services.

According to many accounts, the wording of the new law is too ambiguous to assure compliance. Perhaps the drafters were careless, or lacked of understanding of technical issues. However, it’s possible that the ambiguity is intentional, to give Chinese regulators room to selectively apply the new laws based on political or business objectives. To quote coverage in The New York Times,

One instance cited by Mats Harborn, president of the European Union Chamber of Commerce in China, in a round-table discussion with journalists, was that the government said it wanted to regulate “critical information infrastructure,” but had not defined what that meant.

“The way it’s enforced and implemented today and the way it might be enforced and implemented in a year is a big question mark,” added Lance Noble, the chamber’s policy and communications manager. He warned that uncertainty surrounding the law could make foreign technology firms reluctant to bring their best innovations to China.

The government organization behind these laws, the Cyberspace Administration of China, offers an English-language website.

Keep Local Data Local

The rules state that companies that store data relevant to Chinese customer overseas without approval can have their businesses shut down. All businesses operating in China must provide technical support to the company’s security agencies in order to investigate anything that the authorities claim threatens national security or might represent a crime. According to the South China Morning Post, the new rules can affect nearly any company that moves data:

For example, rules limiting the transfer of data outside China’s borders originally applied only to “critical information infrastructure operators”. But that was changed mid-April to “network operators,” which could mean just about any business.

“Even a small e-business or email system could be considered a network,” said Richard Zhang, director of KPMG Advisory in Shanghai.

Another provision requires IT hardware and services to undergo inspection and verification as “secure and controllable” before companies can deploy them in China. That appears to be already tilting purchasing decisions at state-owned enterprises.

Compliance Will Be Tricky

According to a report on CNBC,

The American Chamber of Commerce in Shanghai has called the data localization and data transfer regulations “unnecessarily onerous,” with a potential impact on cross-border trade worth billions of dollars.

Multinationals may be better equipped to take on the cost of compliance, but “a lot of the small and medium sized companies may not be able to afford to put in the control that the Chinese government is asking for, and if they can’t put in those controls, it may actually push them out of that country and that market,” said James Carder, vice president of cybersecurity firm LogRhythm Labs.

It’s clear that, well, it’s not clear. There do seem to be legitimate concerns about the privacy of Chinese citizens, and of the ability of the Chinese government to examine data relevant to crime or terrorism. It’s also true, however, that these rules will help Chinese firms, which have a home-court advantage – and which don’t face similar rules when they expand to the rest of Asia, Europe or North America. To quote again from CNBC:

While Chinese firms are also subject to the same data localization and transfer requirements — a potential challenge as many domestic companies are going global — experts said the regulation could help China bolster its domestic tech sector as more companies are forced to store data onshore. But that could mean continued uneven market access for foreign versus Chinese companies, which is also a long-time challenge.

“The asymmetry between the access that Chinese companies enjoy in other markets and the access foreign companies have in China has been growing for some time,” said Kenneth Jarrett, the president of the American Chamber in Shanghai.

One example is that Chinese firms usually can fully own and control data centers and cloud-related services around the world without foreign equity restrictions or technology transfer requirements, but foreign cloud companies in China don’t enjoy the same environment.

The opportunities are huge, so Internet firms have no choice but to ride that Chinese rollercoaster.