Starting Friday, Salesforce.Com had a fifteen-hour outage due to their having to “pull the plug” after a script went rogue and gave all comers full access to the database. Anyone logged in could do anything to anyone’s data.
Not cool. Restricting access was the right thing to do.
The interesting question in my mind is how people will evaluate this incident as it relates to their future judgment on the safety of SaaS platforms like Salesforce. I think people will overestimate the dangers for much the same reasons that many more people are afraid to fly than to drive.
When making estimates of danger, humans take the impact of an event much more seriously than the probability, especially if the probabilities are relatively small. Worse impacts cause us to overestimate probability, even where there is no correlation between the two. This leads to overly pessimistic projections on high-profile risks (Chinese hackers steal all our designs!). It also creates corresponding under-reactions to more present risks (Users can’t be bothered to use 2FA, easily get phished).
Success in information security, as well as business and life in general, depends on being able to view these numbers objectively. They’re just numbers, after all.
As cool as it was being at BSides Rochester yesterday, because of my role in it I did not get to attend any of the talks!
Lucky for me, almost all the talks are now or will soon be online! See the whole raft of videos here.
And then there’s #hatchan. It’s not just a hat, it’s an institution. It’s a WiFi hotspot. It’s a server. It’s hackable. At the end of the day, when he shut it down, there was an audible groan from a segment of the attendees.
You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But, what is ransomware? How does it work? How can I avoid being stung?
Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid.
Ransomware attacks typically operate as follows:
The trojan is installed on the victim computer system
It collects a list of the files it can access that it will encrypt
It contacts a central server, operated by the attacker
The server generates a unique encryption key for that victim, which will be stored on the server and sent to the trojan program on the victim machine
The trojan encrypts the targeted files using that key. In modern examples, this encryption is quite strong
Once the encryption is complete the trojan destroys its local copy of the key
The trojan then communicates to the victim that the files have been encrypted,
It offers to provide decryption after a payment is made, usually within a fairly narrow time window.
Ransomware gains access to victim machines through the usual malware routes: users click on dodgy links in email, or open malicious file attachments. Web pages or banner ads that have been compromised can provide “drive-by” downloads of all kinds of malware. Whereas other malware may join victim computers to botnets, get them to start mining cryptocurrency, or participate in distributed denial-of-service attacks, ransomware has the simple goal to get money to its operators immediately.
The files that ransomware encrypts are usually documents and spreadsheets, images, music and video files, HTML and source code files, and ZIP archives. Ransomware does not typically attack the other software on the system. Thus, a victim’s copy of Office and Photoshop may be undamaged, but all their work in those systems will be unusable. Also of note: most ransomware encrypts files on all available network shares as well as the local disk. So a small office can be wiped out from just one infected computer, since small offices often only have a single hierarchy of file shares and everyone can get to them.
If implemented well — and it frequently is — the server-to-trojan protocol of generating a key, encrypting with it and then discarding the local copy of that key is extremely difficult to crack. When a business confronts a ransom demand, often the cheapest way to get back into operation is to pay the attacker. Despite all the larger reasons that this is a horrible idea, the equation of paying $X to get the decryption key against a possible $X00 to $X000 to recreate all the data makes the decision to pay a no-brainer. The sole glimmer of good news here is this: the vast majority of attackers, when paid, actually provide the key and allow recovery of the data. In some cases, they have even provided technical support to assist “customers” having difficulty doing the decryption. Why? If they do not keep up a reputation for providing what is paid for, the “market” will stop paying them and seek alternate means of recovery. And they just want the money.
There is one strong defense against ransomware: backups. The backups should be as current as is practical. Real-time backups are ideal but not always feasible. But if a business is only facing the prospect of recreating one or two days of data as opposed to weeks or years, then a decision not to pay off criminals becomes much more reasonable. To be safe from the encryption of a ransomware attack, backups should be stored somewhere that is not constantly connected to the main systems, or in any case not accessible as a normal file share. So if you run a backup system in the office that places all the backups on a server, do not also use that server to host file shares.
With good recent backups in hand, the strategy for responding to a ransomware attack is much less stressful: clean or re-image the machines affected, restore the data, get back to work. As I am fond of saying, security, done correctly, is almost boring.
“Relevant” is the ad industry’s current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with.
They “need” to suck down every aspect of our personal lives and habits and idle thoughts… so they can show us better sneaker ads. Sneaker ads that creepily show up the minute we register to run in a 5K. Or walk past a Foot Locker.
This is why I block all ads, everywhere on the Internet. I was reading the descriptions of what it’s like for people experiencing this kind of ad stalking and I have to admit: I can’t relate. I experience exactly none of it. And I’m glad.
When media websites grouse at me for running an ad-blocker, I mentally respond, well, make the ad experience less hideous. Make it less of a personal violation. Wipe out the malware. But these things, they will not do. Instead, they scold and threaten. So if a site still won’t allow me to proceed without white-listing it in my ad blocker, fine. I move on with life.
And oh yeah… if you think it’s not getting worse… the New York Times article linked above mentions ad-blocking as a possible course of action. Not too long ago, that was a glaring omission.
Ah yes, breaches. Not really a much better movie, I’m afraid, yet we keep seeing it over and over. Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up.
They do seem to arrive in clusters, also. The latest one-two punch is Marriott, then Quora. Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest records were exposed. Credit cards, passport info, all the good juicy stuff.
This revelation was followed-up last night by Quora revealing that “only” 100 million-with-an-M records were breached. This email notification went out overnight and resulted in 150,000 people going, Dammit, my Quora account got hacked! and 99,850,000 people going, Wait… what? I have a Quora account?
In any case, the odds are very good that you have been among the nine-or-ten digit totals of a few data breaches already. Here are a few tips on how you can deal with this and get on with life
Take the monitoring. When they offer you credit monitoring free for a year or so, take it. Can’t hurt. Worth the price. But you probably won’t need it because of the other things you are going to do on this list, like…
Freeze your credit. Go to each of the major credit reporting agencies’ websites (Equifax, Experian, TransUnion) and follow their process for freezing your credit reports. Yes, this will make impulsively opening new credit accounts more difficult. Why do you say that like it’s a bad thing?
Check your statements. Look for any phony activity. Your issuer will make good on anything you report as fraudulent on your credit cards if you report it promptly. Don’t wait. By the way: banks are not obligated the same way to make good on fraudulent activity on debit cards – even if you use them as a credit card at the point of sale. So in general, don’t do that. I only use my debit card in the bank’s ATMs.
Check your credit report.Like a lawyer, the credit report checking site you want is not on TV! Ignore all the catchy jingles and flying pigs with smartphones, and go to the only non-scammy site out there: annualcreditreport.com.
Manage your passwords. We’ve talked about it in the past: how your passwords need to be different at every site you log into. If they got your Quora password, let that be all they got. For those of you who are not already using a password manager, the best advice I have is this: START USING A PASSWORD MANAGER RFN. There are things sites can do to make a password-file data breach lower impact; hashing and salting are not just cooking techniques! But not every site does the right things, and not every site does the things right. And it only takes one failure to give everyone a bad day. So you have to protect yourself, and using complex passwords that are unique per site is how you do that. And the only way to keep those passwords all straight is with a password manager.
Enable Two-Factor Everywhere. Two-factor authentication is becoming widely popular since the vast majority of sites are now able to leverage things like Google Authenticator apps on users’ smartphones. This means that dedicated hardware tokens are no longer required, and the barrier to users adopting it for their own logins are as low as they can be now. Be sure you use this wherever it’s available: it means the difference between a password compromise being annoying vs. Game Over.
If you can get yourself to where you are doing these six things, Breaches can be another movie that you just make fun of.
Data centers with thousands of computers in concentrated amounts of floor space do have to expend enormous amounts of energy keeping things cool. Your home data center can almost entirely ignore this issue, except where your computers have to be enclosed.
At some point, you will want some of your servers out of sight. Any machine that provides some service via the network without being needed in front of you is a server. Home aesthetics will at some point demand that the thing get out of sight.
Your computer’s case has one or more fans that circulate air through it for cooling. The fan draws in room air, heats it some with heat generated by the components operating inside, and then ejects it back into the room. A typical room is large enough to absorb this without moving the needle much on the overall room temperature, so the process can continue more or less indefinitely.
The problem you encounter when putting a computer into a closet is, soon after the door is closed the computer is drawing in and heating already rather-hot air, and the temperature in the closet starts rising. Much over 95F/35C, and you’re going to start having components on your system board begin to behave erratically or fail.
So don’t let things in there get too hot. Check if it’s heating up steadily in there, and open the door a bit if you have to. If you can, add a vent at the bottom of the door, and an exhaust fan or two at the top. If you get a couple of 180mm fans that are designed to be installed is computer cases, you can probably work out how to power them outside a case, and you will find that they are really, really quiet.
Note: however you route your network cables in and out of the closet, be sure the door is not pinching them every time it opens or closes. Eventually, a conductor in there will break and you will get to 1) do a really “fun” troubleshooting session, then 2) shop for a new network cable.
Another thing you will want to avoid during the heating season is letting the air get too dry. If that happens, you will have a tendency to build up static electric charge on yourself as you move around. You can potentially zap your computers when you touch them, damaging random expensive things inside them.
If you can add humidity to your environment, do so. Get the relative humidity to about 50%, give or take 10%. But(and this is important!)do NOT use a misting humidifier, one that sprays droplets into the air to evaporate there. Be sure to use a humidifier that evaporates the water inside it, so the vapor that comes out is pure water. If your humidifier sends droplets of tap water into the air, when the water evaporates, it will let the salts and minerals dissolved in it float down to the surfaces in the room, forming a fine white dust that you will see everywhere. This dust has the potential to short out connections on printed circuit boards, causing all kinds of very expensive havoc.
Also don’t let the wiring in your server closet get away from you. Like this guy did.
Maybe this sounds like a stretch but, unless you live a very low-tech existence (like this guy, perhaps?), this is how we all live now in the 21st century. Oh sure, you are not going to have to have raised floor to accommodate miles of wiring, or forty tons of lead-acid batteries for power leveling, or gigantic Liebert chillers for cooling down hundreds of servers. Still, it would be a good idea to give some thought to how your environment can be more comfortable for the dozens of computing devices that make modern life tick. We don’t necessarily have to keep our homes to the strict environmental standards of large data centers. Still, it pays not to subject our computing devices to too much environmental stress.
Consider power. If a device works from a battery, which you recharge when you can, then it will be less sensitive to fluctuations in the power that comes out of your wall sockets. But devices that work straight off your line power can be quite sensitive to spikes or sags. Even if they take the power through a transformer (“wall wart”) it probably offers little or no protection from spikes that can damage the equipment.
You won’t have a large roomful of batteries through which to pass all your electricity, providing an absolute filter against voltage sags and spikes. But for any of your digital devices that run on AC power out of a wall plug, you need to consider how to condition the power they get. Though there are many options, the ones I want you to consider are a good surge suppressor and a UPS.
Surge suppressors are best for:
Devices that have some internal battery capacity, e.g. laptops
Devices that will not lose data if the power drops — at least, no data that you care about
Not all surge suppressors do much in the way of suppressing potentially damaging surges. Some are no more than power strips with a marketing makeover. I use sites like The Wirecutter to figure out which ones are worth my attention.
For devices that have much more severe consequences when the power drops, you should be looking at a UPS. A UPS is a teeny-tiny version of that roomful of batteries you see above: the line power keeps a battery inside the UPS charged, and that battery is what actually sends power to your equipment. Consider a UPS for:
UPS’s are sized in “VA” which means volt-amps. Think of a VA as a unit of current to be supplied. The more VA you have, the longer power will last after a utility failure. But the larger the device(s) being powered, the faster it draws down VA from the UPS, so the less time you get. You can use a larger UPS to get more time or to power more devices. Remember, for a desktop computer, you’re going to want to power the display, and any attached external hard drives as well.
I typically use a UPS between 750-1000 VA for a desktop computer. This gives me enough time to finish up what I am doing, or at least get to a decent stopping point before I run out of juice. If I can shut down my computer on my own terms during a power outage, I count that a win. But in case you are not home, be sure every desktop and server is using the critical feature of most UPS’s: to connect a data cable and run a small background app that gracefully shuts down the system when the UPS informs it that the batteries are almost drained. Otherwise, all you will have done by hooking up the UPS is delayed the sudden power failure by a couple of hours.
Another trick I have enjoyed during a few thunder-stormy evenings is using a smaller UPS (maybe around 500-600 VA) to power all my network gear. The network stuff is less demanding and so lasts longer. The result is, after two hours with no power from the utility, my server and desktop are dark. But my iPad and my phone are happily using the WiFi to fetch email, check social media and even watch a little Netflix if I want. I can even use that UPS to recharge my mobile devices as needed.