Tech Today with Ken May

How the ISP Law Change Affects Your Privacy

On Tuesday, March 28^th, Congress sent proposed legislation to President Donald Trump that wipes away landmark online privacy protections, the first salvo in what is likely to become a significant reworking of the rules governing Internet access. The legislation would kill a set of Obama-era privacy regulations for internet service providers created by the Federal Communications Commission last October.

The most notable part of the rules, which has not yet taken effect, would require broadband providers such as Verizon, Comcast, and AT&T to obtain explicit consent before selling their customers’ web-browsing histories, app-usage data, and other personal information to advertisers and other third-parties. The vote is concerned with some recent changes to what the internet is in the eyes of the American government.

In February of 2015, The Federal Communications Commission (FCC) reclassified ISPs as “common carriers,” which means they traffic in utilities. This effectively put the internet in the same category as telephones, water, gas, and other necessary components for living in terms of how it’s regulated. This allowed the FCC to enforce net neutrality laws, which force all ISPs to provide access to all kinds of content on the internet equally. (In the past, ISPs would slow down users’ traffic when visiting certain websites or sharing files to discourage them from engaging in these acts.) Classifying the internet as a utility also meant ISPs had to follow the privacy guidelines previously written for telephones. This legislation would effectively roll back many of these changes, allowing ISPs to do whatever they want with their users’ browsing data.

So, this is a complicated issue. What’s the easiest way to get my privacy back?

Well, states could try to implement some form of the FCC rules for their own residents. ISPs might conceivably change their practices nationwide if enough states do so, or customers in some states could have fewer privacy protections than customers in other states.

“As on climate change, immigration and a host of other issues, some state legislatures may prove to be a counterweight to Washington by enacting new regulations to increase consumers’ privacy rights, a New York Times article said this week. The Times article mentioned laws in California, Connecticut, Nebraska, and West Virginia and proposals for new laws in Illinois, Hawaii, and Missouri, but none of these laws and proposals was specifically targeted at ISPs.

But let’s assume that doesn’t happen. Now what?

Last year, Opera, the little browser that everyone seems to forget about, rolled out the best vpn in canada server. It’s easily the simplest, cheapest, and most reasonably private way to access a VPN that will circumvent your ISP right now. It does come with a slew of caveats though. An Opera spokesperson said that the VPN is a no-log service, which is good, however, while Opera is a Norwegian company and therefore acts under Norwegian law, SurfEasy, the company that provides the VPN service, is a Canadian company, and Canada is known to hand over intelligence data. Regardless, using the VPN means you’re agreeing to SurfEasy’s Privacy Policy. Opera was also purchased by a Chinese consortium last year, so any data Opera does collect could be accessible by that company at some point. Also, keep in mind, only the web browsing you do in Opera will go through their VPN. It’s not perfect, but it’s a good step forward. Hopefully, we see something similar implemented in other browsers. If you were interested in learning more about VPNs check out HideMyAss Review. They have some interesting insights into VPNs.

h/t Business Insider, Game Informer, Lifehacker, Ars Technica

Tech Today with Ken May

How did Amazon take down the internet?

On Tuesday, February 28^th, an Amazon cloud server, specifically an AWS cluster of servers in the US-EAST-1 region, stopped responding. Sites and web apps like Mashable, Trello, Giphy, Quora, Netflix, Spotify, Slack, Pinterest and Buzzfeed, as well as tens of thousands of smaller sites all were suddenly down or slowed to a crawl. To the average person, all we saw was that a ton of sites and apps in common usage were not working. How does this happen?

It was so bad that Amazon wasn’t able to update its own service health dashboard for the first two hours of the outage because the dashboard itself was hosted on AWS.

“This is a pretty big outage,” said Dave Bartoletti, a cloud analyst with Forrester. “AWS had not had a lot of outages and when they happen, they’re famous. People still talk about the one in September of 2015 that lasted five hours,” he said.

The reason this affected so many sites is because Amazon’s AWS platform hosts virtual servers used by all of these businesses. Amazon’s S3 cloud storage systems were also affected. SO, even a site not running on an AWS server might have issues if it’s data was on S3. For example, a business might store its videos, images or databases on an S3 server and access it via the Internet.

As it turns out, it was all due to human error. A simple typo. As Amazon explains it, some of its S3 servers were operating rather sluggish, so a tech tried fixing it by taking a few billing servers offline. A fix straight from the company’s playbook, it says. “Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.” Whoops.

As for why the problem took so long to correct, Amazon says that some of its server systems haven’t been restarted in “many years.” Given how much the S3 system has expanded, “the process of restarting these services and running the necessary safety checks to validate the integrity of the metadata took longer than expected.”

Cyence, an economic modeling platform, shared some data that show the ramifications:

-Losses of $150 million for S&P 500 companies

-Losses of $160 million for U.S. financial services companies using the infrastructure

Apica Inc., a website-monitoring company, said 54 of the internet’s top 100 retailers saw website performance slow by 20% or more.

Ouch!

Amazon apologized for the issue and said that it has put schemes in place to avoid the same problems caused by human error in the future. Let’s have this stand as a reminder to have adequate failover systems in place! Never put all your eggs in one basket.

Cybersecurity While Traveling
by Ken May

While your network at home or at work may be secure, you should assume that any network you connect to when traveling cannot be trusted. You never know who else is on it and what they may be doing. Here are some simple steps that go a long way to protecting you and your data before you travel:

• The safest information is information you don’t have. Identify what data you need and only bring that information. This can significantly reduce the impact if your devices are lost, stolen, or impounded by customs or border security.
• Lock your mobile devices with a strong passcode. if it’s stolen or lost, people cannot access your information on it. Also, enable full disk encryption. For most mobile devices, this is automatically enabled when you use a screen lock.
• Install or enable remote tracking software. Some kinds can even remotely wipe the device.
• Update all your devices’ applications, and anti-virus software before leaving. Many attacks focus on systems with outdated software.
• Do a complete backup of all your devices. This way, if something does happen to them while traveling, you still have all of your original data in a secured location.

Once you begin your travel, ensure the physical safety of your devices. For example, never leave your devices in your car where people can easily see them, as criminals may simply smash your car’s window and grab anything of value they can see. While crime is definitely a risk, according to a recent Verizon study, people are 100 times more likely to lose a device than have it stolen. This means always double-check that you still have your devices when you travel, such as when you clear security at the airport, leave a taxi or restaurant, check out of a hotel room, or before you disembark from your airplane. Remember to check that seat back pocket.

Accessing the Internet while traveling often means using public Wi-Fi access points, such as ones you find at a hotel, a local coffee shop, or the airport. There are two problems with public Wi-Fi: you are never sure who set them up and you never know who is connected to them. As such, they should be considered untrusted. In fact, this is why you took all the steps to secure your devices before you left.

In addition, Wi-Fi uses radio waves, which means anyone physically near you can potentially intercept and monitor those communications. For these reasons, you need to ensure all of your online activity is encrypted. For example, when connecting online using your browser, make sure that the websites you are visiting are encrypted. You can confirm this by looking for ‘HTTPS://’ and/or an image of a closed padlock in your address or URL bar. In addition, you may have what is called a VPN (Virtual Private Network), which can encrypt all of your online activity when enabled. This may be issued to you by work, or you can purchase VPN capabilities for your own personal use. If you are concerned that there is no Wi-Fi you can trust, consider tethering to your smartphone. Warning: this can be expensive when traveling internationally. Check with your service provider first.

How to securely dispose of your mobile device
by Ken May

Mobile devices, such as smartphones, smartwatches, and tablets, continue to advance and innovate at an astonishing rate. As a result, some people replace their mobile devices as often as every year. Unfortunately, too many people dispose of their devices with little thought on just how much personal data is on them. If your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.

Typical information can include:

• Where you live, work, and places you frequently visit
• The contact details for everyone in your address book and applications, including family, friends, and coworkers
• Call history, including inbound, outbound, and missed calls
• SMS (texting), voice, and multimedia messages
• Chat sessions within applications like secure chat, games, and social media
• Location history based on GPS coordinates or cell tower history
• Web browsing history, search history, cookies, and cached pages
• Personal photos, videos, audio recordings, and emails
• Stored passwords and access to personal accounts, such as your online bank or email
• Access to photos, files, or information stored in the Cloud
• Any health-related information, including your age, heart rate, blood pressure, or diet

Regardless of how you dispose of your mobile device, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to be sure you first erase all of that sensitive information. You may not realize it, but simply deleting data is not enough; it can easily be recovered using free tools found on the Internet. Instead, you need to securely erase all the data on your device, which is called wiping. This actually overwrites the information, ensuring it cannot be recovered or rendering it unrecoverable. Remember, before you wipe all of your data, you most likely want to back it up first. This way, you can easily rebuild your new device.

The easiest way to securely wipe your device is use its “factory reset” function. This will return the device to the condition it was in when you first bought it. We have found that factory reset will provide the most secure and simplest method for removing data from your mobile device. The factory reset function varies among devices:

• Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings
• Android Devices: Settings | Privacy | Factory Data Reset

In addition to the data stored on your device, you also need to consider what to do with your SIM card. When you perform a factory reset on your device, the SIM card retains information about your account and is tied to you, the user. If you are keeping your phone number and moving to a new device, talk to your phone service provider about transferring your SIM card. If this is not possible, for example, if your new phone uses a different size SIM card, keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it. Also, be sure to remove any SD cards, if you have them.

If you are not sure about any of the steps covered in this article, take your mobile device to the store you bought it from and get help from a trained technician. Finally, if you are throwing your mobile device away, please consider donating it instead. There are many excellent charitable organizations that accept used mobile devices.

References: SANS Ouch 12/16 Newsletter, smarterforensics.com

Four Leaders in the Ransomeware Game
by Kenneth May-Swift Chip

You’ve heard of CryptoLocker, right? Sure, it’s the media favorite, but there are a lot of other players these days that are worth more than an honorable mention. As an MSP, you know how important it is to stay current on the sheer breadth and depth of these types of threats—not to mention their individual characteristics—in order to keep clients protected. Let’s take a look at the lineup.

1. CryptoWall 4.0

The CryptoWall family seems to turn out a winner with every generation. Like its predecessor, the 4.0 version of CryptoWall uses phishing emails to distribute. This should come as no surprise, since phishing remains the single most effective way to deliver a payload. But this latest iteration doesn’t play by the old rules; not only are the victim’s files encrypted, the names of the files are randomized so the victim no longer knows which file is which. By creating so much confusion about how much file damage there really is, the new CryptoWall increases the chances that victims will pay out.

CryptoWall 4.0 also includes a free decrypt demo, which convinces victims that the decryption routine they need to get their files back is easy, and that paying the ransom will actually get their files back.

• Phishing email attachment is source of payload
• Randomizes victim’s filenames to create confusion
• Offers free decrypt demo to add credibility

2. PadCrypt

What sets this new ransomware apart from the pack is its willingness to interact with the public; PadCrypt includes a chat interface embedded into the product. The process of getting a Bitcoin wallet address, filling it with coins, and sending payment securely can be complicated, so this chat feature adds a more human support element, helping the perpetrators ensure that their victims remit ransom payments promptly. (Isn’t that nice?) This might be a bit more difficult in situations where victims have cold-stored their wallet (see this article here), in which case you might have to just move onto the next one.

• First ransomware with chat support
• Communicates via Darknet to avoid being traced
• “Helps” even less savvy victims pay up

3. TeslaCrypt

TeslaCrypt was something of an up-and-comer, specifically targeting gamers by encrypting the files they need for their games. This included saves, any mods, and profiles like DayZ. Because TeslaCrypt was being sold on the Darknet by non-authors, the original authors chose to release its master key to the public to permanently diffuse the threat. As diverse and competitive as the ransomware sphere seems to be, however, we might end up seeing this player again next season.

• Accounted for ~11% of distributed ransomware
• Attacked over 200 extensions on newer variants
• Specifically targeted gamers (Valve, Bethesda, Unreal Engine files)
• Got around 3rd party defense to deliver polymorphic payloads at root level

4. RaaS (Ransomware-as-a-Service)

RaaS isn’t really a player, per se, but it was created for criminals by criminals to open the playing field to hackers of all skill levels. With RaaS, almost anyone can design encrypting ransomware payloads and then distribute them from their existing botnets. Hackers pay for this service by handing off a cut of their spoils to the RaaS author.

• Enables almost anyone to make ransomware
• Portal for malware generation is exclusively in Darknet (typically invite-only)
• Intended for less-skilled cybercriminals who rent botnets
• The malware author who created the portal takes a commission

Conclusion

Although the number of players keeps growing, and their skills and strategies keep getting more advanced, there are steps that we can take to maximize defense and help clients win hands down. Educating yourself and your customers about the various offensive strategies and types of exploits favored by today’s ransomware is key—as well as setting up a winning defense with next-generation endpoint protection that utilizes collective threat intelligence to hit hard and proactively protect against constantly-evolving malware.

Safe Email Practices-part two
by Ken May-Swift Chip

3. Handle Attachments Safely.

Don’t open attachments unless you are absolutely sure about what they are and who they came from.
Even attachments that were sent directly to you by a known sender might contain malicious code.

Be especially careful with MS Word & Excel files.
When opening Microsoft Word or Excel attachments containing macros, always select the “Disable Macros” option if you are not sure if there should be a macro.

Beware of Dangerous File Types!
Some file types have been deemed unsafe by Microsoft. Most of these file types are executable or exploitable and are considered unsafe to send and receive as email attachments. SSU’s email servers scan all incoming email messages for attachments using these unsafe file types. If you also use an off-campus email address, you should be aware of these unsafe file types. Never open zip files, exe files or one of these unsafe file types sent in email. While many of these file types can only harm computers running Windows, some file types are potentially hazardous on Macintosh computers.

Windows Users – Make Extensions Visible
Some malicious attachments will “pose” as a harmless file type like digital image by including that file type extension in its name. You might get an attachment called “hawaii.jpg” and think it’s a picture from your friend’s vacation. But it might actually be a .pif file, one of the exploitable file types. This can happen because Windows does not display file extensions by default, so a .pif file named “hawaii.jpg.pif” will appear as “hawaii.jpg”

4. Don’t Unsubscribe.

Spammers often include an “unsubscribe from this list” link in their messages. This makes them appear more responsible and reputable, but they often use this as a way to confirm your email address so they can send you more spam or sell your email address to other spammers. If you don’t want it, mark it as junk and delete it.

5. Be a Good Internet Citizen.

Don’t use your email in ways that will contribute to the problem.

Don’t send unsolicited email and attachments.

Don’t forward chain letters.

Don’t respond to or participate in email hoaxes.

Don’t send attachments which use the “unsafe” file types.

Don’t post your email address (or other people’s addresses) on publicly accessible web pages.

Use a “disposable” email account (a free account from Yahoo or Hotmail) for online shopping and posting to online discussion boards.

by Ken May-Swift Chip

Why? Unsafe computing can corrupt your files, expose the contents of your internal drive to strangers, cause other computers to become compromised, and even allow your computer to be used by spammers to send millions of unsolicited emails.

Using safe email practices helps you:
Protect your inbox
Protect your computer
Protect your privacy
Protect your friends and neighbors

Here are recommendations you should follow to protect yourself when using email.

1.Screen messages before viewing them, and delete anything that appears suspicious. Carefully examine your list of unopened messages.

Do any of them come from people or addresses you don’t recognize? Do the subject lines have words with too many spaces, or long random numbers? Do they seem too good to be true, or somehow odd? If so, it’s probably best to just delete the message along with any attachments.

Wait! Don’t open that email yet…

If a message has attachments don’t open it unless you know the sender and are expecting the attachment. If you’re not sure what it is, contact the sender before opening the message and ask exactly what the message and attachment is.

Don’t be fooled by Dirty Tricks.

Most computer worms (a kind of malicious program) spread themselves via email by spoofing addresses found in the infected computer’s address book and sending copies of itself to other addresses in the address book, so it’s very likely that an infected message can appear to come from someone you know. Many of these messages will use vague or generic subject lines like “Re:     ” or “Hi.” Others will try to look like they come from a technical support service, or even from Microsoft. Be careful about opening these.

Always confirm a Wire Transfer.

An extremely common attack we are seeing is for an email to come in that appears to be from a user in the company. If the email address matches exactly, this is called “spoofing.” Also check to see if the domain name is slightly off. For instance, instead of “gmail.com” it says “gmaii.com.” These emails often request a wire transfer, and are targeting accountants and CFOs. Please verify with the person directly.

2. Open your messages, but beware the Next and Previous buttons.

Using the Next and Previous buttons to open and move from message to message is convenient but dangerous, especially if you don’t screen messages thoroughly, or if new messages come in while you’re reading other screened messages.