Category Archives: Best Practices

Is Your DR Plan Better Than London Gatwick Airport’s?

Let’s assume that you are a major international airport that moves 45 million passengers and 97,000 tons of cargo a year.

Then let’s say you have some form of IT failure.  How do you communicate with your customers?

At London’s Gatwick airport, apparently your DR plan consists of trotting out a small white board and giving a customer service agent a dry erase marker and a walkie-talkie.

On the bright side, they are using black markers for on time flights and red markers for others.

Gatwick is blaming Vodafone for the outage.  Vodafone does contract with Gatwick for certain IT services.

You would think that an organization as large as Gatwick would have a well planned and tested Disaster Recovery strategy, but it would appear that they don’t.

Things, they say, will get back to normal as soon as possible.

Vodafone is saying:

“We have identified a damaged fibre cable which is used by Gatwick Airport to display flight information.

Our engineers are working hard to fix the cable as quickly as possible.

This is a top priority for us and we are very sorry for any problems caused by this issue.”

But who is being blasted in social media as “absolute shambles”, “utter carnage” and “huge delays”?  Not Vodafone.

Passengers are snapping cell phone pictures and posting to social media with snarky comments.

Are you prepared for an IT outage?

First of all, there are a lot of possible failures that could happen.  In this case, it was a fiber cut that somehow took everything out.  Your mission, should you decide to accept it, is to identify all the possible failures.  Warning: if you do a good job of brainstorming, there will be a LOT.

Next you want to triage those modes.  Some of them will have a common root cause or a common possible fix.  For others you won’t really know what the fix is.

You also want to identify the impact of each failure.  In Gatwick’s case, the failure of all of the sign boards throughout the airport, while extremely embarrassing and sure to generate a lot of ridicule on social media, is probably less critical than a failure of the gate management software, which would basically stop planes from landing because there would be no way to assign those planes to a gate.  A failure of the baggage automation system would stop them from loading and unloading bags, which represents a big problem.

Once you have done all that, you can decide which failures you are willing to live with and which ones are a problem.

Then you can brainstorm ways to mitigate the failure.  Apparently, in Gatwick’s case, rounding up a few white boards, felt tip markers and walkie talkies was considered acceptable.

After the beating they took today on social media, they may be reconsidering that decision.

In some cases you may want an automated disaster recovery solution; in other cases, a manual one may be acceptable; and in still others, having an outage until it is fixed may be OK.

Time may play a part in this answer also.  For example, if the payroll system goes down but the next payroll isn’t for a week, it MAY not be a problem at all, but if payroll has to be produced today or tomorrow, it could be a big problem.

All of this will be part of your business continuity and disaster recovery program.
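As an added worked example (not from the original post), here is the triage the steps above describe, written out in Python over a constructed set of failure modes modelled on the Gatwick case: each mode carries a root cause, how long the business can tolerate it being down, whether a manual workaround (whiteboards) exists, and, for the payroll case, the time until the next hard deadline.

```python
"""Added example: business-impact triage of failure modes.

Not from the original post.  All failure modes, hour values and the
three-way classification below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailureMode:
    name: str
    root_cause: str                 # modes sharing a cause are planned together
    tolerable_outage_hours: float   # how long the business can run without it
    hours_to_deadline: Optional[float] = None   # next hard deadline, if any
    manual_workaround: bool = False  # e.g. whiteboards and walkie-talkies


def severity(fm: FailureMode, expected_fix_hours: float) -> str:
    """Compare the expected repair time with what the business can stand.

    Returns 'accept'   - living with the outage until it is fixed is OK,
            'manual'   - a manual workaround covers the gap,
            'automate' - needs an automated failover or redundant path.
    """
    budget = fm.tolerable_outage_hours
    # A deadline that is closer than the tolerance window shrinks the budget
    # (the post's payroll example: harmless a week out, urgent the day before).
    if fm.hours_to_deadline is not None:
        budget = min(budget, fm.hours_to_deadline)
    if expected_fix_hours <= budget:
        return "accept"
    if fm.manual_workaround:
        return "manual"
    return "automate"


def triage(modes, expected_fix_hours):
    """Classify every mode, then keep the worst verdict per root cause so that
    one mitigation can be planned per cause rather than per symptom."""
    rank = {"accept": 0, "manual": 1, "automate": 2}
    per_mode = {fm.name: severity(fm, expected_fix_hours) for fm in modes}
    per_cause = {}
    for fm in modes:
        verdict = per_mode[fm.name]
        current = per_cause.get(fm.root_cause)
        if current is None or rank[verdict] > rank[current]:
            per_cause[fm.root_cause] = verdict
    return per_mode, per_cause


# Constructed sample: one fibre cut feeding several airport systems, plus
# a payroll server whose urgency depends on the calendar.
AIRPORT_MODES = [
    FailureMode("flight info boards", "fibre cut", 2.0, manual_workaround=True),
    FailureMode("gate management", "fibre cut", 0.5),
    FailureMode("baggage automation", "fibre cut", 1.0),
    FailureMode("payroll", "payroll server", 72.0, hours_to_deadline=24.0),
]

if __name__ == "__main__":
    # Assume the telco quotes a six-hour repair for the cut cable.
    by_mode, by_cause = triage(AIRPORT_MODES, expected_fix_hours=6.0)
    for name, verdict in by_mode.items():
        print(f"{name:20s} -> {verdict}")
    print("per root cause:", by_cause)
```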

Once you have this disaster recovery and business continuity program written down, you need to create a team to run it, train them and test it.  And test it.  And test it.  When I was a kid there was a big power failure in the northeast.  There was a large teaching hospital in town that lost power, but, unfortunately, no one had trained people on how to start the generators.  That meant that for several hours until they found the only guy who knew how to start the generators, nurses were manually running heart lung machines and other critical patient equipment by hand.  They fixed that problem immediately after the blackout so the next time it happened, all people saw was a blink of the lights.  Test.  Test.  Test!

If this seems overwhelming, please contact us and we will be pleased to assist you.

Information for this post came from Sky News.


Attacks Against Office 365 Continue

Since Office 365 is the dominant office productivity suite, knocking Google on its butt, it is not a surprise that hackers are going after it hard.  To compare, I didn’t find great numbers and Google probably does not want me to do this comparison, but Office has 120 million paid users as of 2017 and Google has about 3 million paid users.  It is obvious why hackers go after Office.  To be fair, Google has a boatload of free users, but since those are predominantly consumers and really small businesses, the amount and quality of data to steal makes those free users a much less compelling target.

About a month ago, scammers were using emails with text in zero point type to bypass Microsoft’s security tools.  Apparently, Microsoft must have thought, if you can’t see it (after all, zero is small), it can’t be a problem.  Not so.

Then hackers figured out a way to split URLs into pieces to fool Microsoft.

Now that Microsoft has closed those loopholes (the sheer beauty of cloud software – make a fix and in a few seconds, 120 million users are protected), the hackers have moved on.

So what are the hackers doing now?

In this attack, the victim receives an email with a link to collaborate on a SharePoint document.  Of course, this email is a scam.  When the user clicks on the link in the invitation, the browser opens a SharePoint file.

Inside the SharePoint file is a button to open a linked OneDrive file.  That link is malicious and at that point the game is over.  The hacker has the user’s Office credentials, since those are required to open the OneDrive file, and has installed malware on the victim’s computer.

Unfortunately, for a number of reasons, there is no easy way to block this attack.

So what should you do?

First, if you have two factor authentication turned on (everyone should!), then stealing your password is a much less effective attack.

Next, be suspicious.  Check the address link, ask why you are getting this collaboration request.  Check OUT OF BAND if the person who you think sent the request actually did send it (like talk to the person on the telephone using that antique VOICE feature).

Third, hover over links first and look at the underlying address.  If you can’t see the address or it doesn’t look right, stop and talk to your security team.
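As an added example (not from the original post or The Hacker News), here is a small standard-library Python checker that does the “hover over the link” step automatically for an email body and also flags the zero-size hidden text trick mentioned earlier in the post. The trusted-host list and the sample email are constructed assumptions for the example.

```python
"""Added example: flag collaboration-invite lures in an HTML email body.

Not the post's code.  TRUSTED_SUFFIXES and SAMPLE_EMAIL are constructed
assumptions; the list is not a complete inventory of Microsoft domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("sharepoint.com", "onedrive.com", "microsoft.com",
                    "live.com", "office.com")
# Matches inline styles such as "font-size:0", "font-size: 0px", "font-size:0.0pt".
ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?\s*(;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # Exact match or a real subdomain; "sharepoint.com.evil.example" fails.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LureScanner(HTMLParser):
    """Collects (href, visible text) for every anchor and any text that sits
    inside an element styled with a zero font size."""
    def __init__(self):
        super().__init__()
        self.links, self.hidden_text = [], []
        self._stack = []          # (tag, hidden?) for open elements
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(ZERO_FONT.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_endtag(self, tag):
        while self._stack:                      # pop to the matching open tag
            if self._stack.pop()[0] == tag:
                break
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if any(h for _, h in self._stack):
            self.hidden_text.append(data)
        if self._href is not None:
            self._text.append(data)


def findings(html: str):
    """Return human-readable warnings for an email body (empty list = clean)."""
    scanner = LureScanner()
    scanner.feed(html)
    out = []
    if any(t.strip() for t in scanner.hidden_text):
        out.append("hidden zero-size text present")
    for href, text in scanner.links:
        real = host_of(href)
        if not is_trusted(real):
            out.append(f"link to untrusted host {real!r} (shown as {text!r})")
        shown = host_of(text) if "://" in text else ""
        if shown and shown != real:
            out.append(f"displayed {shown!r} but points to {real!r}")
    return out


# Constructed sample: one lure link dressed up as a SharePoint URL plus a
# genuine-looking OneDrive link, with filler text hidden at font-size 0.
SAMPLE_EMAIL = """<p>A document has been shared with you.</p>
<span style="font-size:0px">nearby drowsy kettle orange</span>
<p><a href="http://files-share.example.net/doc">https://contoso.sharepoint.com/doc</a></p>
<p><a href="https://contoso-my.sharepoint.com/personal/x">Open in OneDrive</a></p>"""

if __name__ == "__main__":
    for warning in findings(SAMPLE_EMAIL):
        print("WARN:", warning)
```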

User training is key here and there are some very cost effective solutions out there.

And, of course, if you have questions, contact us.

Information for this post came from The Hacker News.


25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem is those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there.  Affectionately, that software is called crapware.  Those are the apps that they will not let you remove.  But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say, “But my phone is not broke, why do I need to get a new one?”  That is because, even though it works, after a while, it doesn’t get any patches.  That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back.  In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches.  For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 until October 2020 – at least.  If the manufacturer is cagey about patches and support, choose a different one.  Apple calls their unsupported products “Vintage”, but that is just a cute term for “You are on your own, buddy”.  iPhone 4 and older are vintage.  Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year.  That doesn’t mean that they won’t patch it, however.  They just won’t sell it.  The iPhone 5s is the oldest phone that supports iOS 12.  Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed.  Fewer apps are better.  Maybe not as much fun, but definitely more secure.  Uninstall anything you are not using any more.  Really.

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well crafted malicious email (you don’t have to click on anything), a malicious text or visit a malicious web site.  NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.


Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with their third party vendor – the bank’s fourth party vendor risk.

The small bank wants to issue credit cards so they hire TCM and TCM hires someone else and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise, is liable for the fourth party breach.  The Feds (the FFIEC, the OCC or the FDIC) plus the state regulators will be asking lots of embarrassing questions.  Those banks, who likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, at the end of which GDPR came into effect, there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let the Ruskies or Chinese look at their source code.  Source: Bleeping Computer.

Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self – even though T-Mobile may be less expensive, a great customer focused attitude like that goes a long way to kill that value.

Luckily it seems to be happening on new phones, so if Samsung can figure out what is happening they may be able to develop a patch, and that patch would likely be available to the users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors don’t provide any patches for phones older than about 2 years.  This assumes that the users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth report over the last 8 years that the UK government has issued, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.

HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on its HIPAA compliance process.  The article was not favorable, but it was interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After she bought it, the vendor put a picture of it, showing her name, birth date and medical condition, in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entities.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iPhones, Android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers, and lawyers rarely understand tech, often don’t understand privacy, and think that your healthcare data is protected under HIPAA.  It is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.


The Hidden Landmine When Buying (or Even Renting) a Home

All of us are used to using the Internet, right?

What if you moved into your new home and after you paid for it and moved in you found out there was no Internet service available?

One business in New York was told that Charter Communications, the local cable provider, would be happy to connect them.  The only problem was that the business needed to pay Charter $138,000 first.  Charter, being a nice company, offered to pay $5,000 towards that, so the company would only owe them $133,000 and change.

This story is repeated over and over across the country.

People are often told by the local Internet Service Provider that they can get service only to find out when they actually try that it is not available.

I am going to use my personal situation to illustrate the case.

I live about 30 minutes from downtown Denver, Colorado.

Where I live there is no cable at all, so cable Internet is not an option.

The phone company offers DSL at the WHOPPING speed of one and a half megabits per second.  Not 1.5 gigabits, 1.5 megabits.  Under FCC rules, that doesn’t even qualify as broadband Internet.

Only problem is that there is no available capacity and the phone company has no plans to add capacity.

Worse yet, if you are one of the super lucky folks to have this speedy service and you sell your house, the person who buys it doesn’t get your connection.  The connection goes back into inventory and you, the new buyer, go to the end of the list.  You may get Internet in a few years; hope you can wait.

There is also no cell service where I live, so no cell calls, no text messages, no cellular Internet.  The cell companies all offer a little box called a femto cell that simulates a cell tower to give you service.  Works great, actually, as long as you have some other form of Internet connection to carry the signal from your house back to the cell carrier.

Granted I live in a sort of rural area about 25 miles from downtown Denver, but the guy who was presented with the $133,000 bill – he was in New York City.

And sometimes, if you CAN get service, the wait time for a connection can be 6 months to a year.

That leaves you (or me) with two options:

  1. Satellite Internet.

Satellite Internet is a horrible last resort.  You basically pay by the bit and if you go over your limit, they slow down your service to a crawl or shut you down.  Worse yet, many things like Internet telephones (VoIP), VPNs for connecting to your business and those cell extenders do not work on satellite Internet.

So, while they are horribly expensive, slow and don’t work for many things, they are pretty much universally available as long as you have a clear view of the sky.

  2. Point to Point Microwave.

That is what I have.  It used to be horrible, but over the last few years, it has gotten much better.  All my software works and the particular plan that I have has a cap, but it is large and there are other plans that don’t have a cap.  It is, however, pretty expensive ($70 a month for only 20 megabits/second – way faster than I had with Qwest, but 1/10 the speed of cable, and that includes voice and long distance).

The only problem with P2P microwave is that you have to be within the range of a receiving tower and you have to have a clear line of sight to that tower.

My provider has two towers in the area.  The only one that I have line of sight to will not run faster than 20 mb/second.  The other tower, which one of my neighbors can see (he is higher up than me), supports 50 mb/second.  The provider says that it is not likely that I will ever see 50 mb/second on my tower.

What this means is that Netflix crashes regularly.  I don’t have any little kids who gobble up bandwidth like no one’s business.  If you wind up with service like this, plan on rationing Internet.  Your kids will be thrilled.

So what do you do, especially if the Internet providers are, apparently, bald-faced liars?

Unfortunately, you are not in the driver’s seat.

One thing that you can do is place the order, as opposed to just asking, and see if the order goes through.  Just make sure you can cancel it before the install in case you don’t actually get the house.  The problem with this is that you may not find out that they cannot provide service until the day of installation.  That happened when my son bought his house.  They came out and said, “Oops. Sorry.”

Another thing to do is to research options.  In many places there are not a lot of options:

  • Cable
  • Phone company
  • Independent Internet providers
  • Point to point microwave
  • Satellite
  • Cell (really bad idea – slow, unreliable and expensive)

See HOW MANY of these options are available and what each one costs, what the limits are and what things that you want to do won’t work.

Make sure that at least 2 or 3 acceptable options, while distasteful, are available.  That way, at least, if you have to resort to option 2 or even option 3, you at least know that you can get something.

Assume that you will not have Internet for a while when you move in.  Maybe a few days; maybe a few weeks; maybe even a few months.  I managed the IT of a business that was much closer to downtown Denver and it took us 6 months to get Internet.  Try running a business for 6 months without Internet.  If that is a problem, plan an alternate.  Unfortunately, the alternate may not be attractive.  Maybe you can work at your office, if one is available.  Whatever.

JUST REMEMBER THAT THE UNITED STATES IS A THIRD WORLD COUNTRY WHEN IT COMES TO INTERNET.  ASSUME THAT.  UNDERSTAND THAT.  PLAN FOR THAT.  Then you will not be disappointed.

Information for this post came from Motherboard.
