Did the Feds Kill Cell Service During Capitol Riots – No, Rioters Did

This one is gonna get a little geeky, so if that is not your cup of tea, you can just skip this post knowing that the feds did not shut down cell service to keep the crowd from communicating; the crowd did it to itself.

Many people reported that they had no cell service as the rioters stormed the Capitol. These reports are accurate, but here is what likely happened.

One 4G cell can reasonably handle a hundred users. After that, everyone else gets the equivalent of a busy signal.

A cell site can have multiple cell sectors. A Verizon one off the west lawn of the Capitol has 12. 12 × 100 = 1,200 calls. Two blocks south is another one with 8 sectors. A few blocks north is one with 5. Assuming all of those are pointed directly at the Capitol – and they are not – we have (12+8+5) × 100.

AT&T appears to have 6 sites with about 23 cells.

T-Mobile appears to have 6 sites with 38 cells.

And Sprint has 7 sites with 30 cells.

Add those all together (25+23+38+30) x 100 and you might be able to support as many as 11,500 users.

But if all of the AT&T slots are in use, it makes no difference to your phone if Verizon has capacity. Add to that the fact that probably less than half of those cells are pointed at the Capitol and maybe, if you are lucky, 5,000 can get service.

Then you have the problem of network bandwidth. If everyone is streaming video in real time that takes a lot more bandwidth than calls to grandma.

On a normal day, that is fine.

But when there are tens of thousands of people there and a lot of them are trying to use the phone, it is guaranteed that some people are going to be out of luck.

In places like football stadiums, the carriers have data about how many of the, say, 80,000 people want to use their phone at once and where they are in the stadium, and statistically they know exactly how much capacity to build.

In this case, no one called the cell carriers a year in advance to say that we plan to invade the Capitol at 1PM on this day and would you please make sure that you have enough capacity.

Even if they had, there would be no way for the carriers to know where in or out of the building the people were and which carrier they used. One-off events are almost guaranteed to fail.

Which brings us to the point that in case of a disaster, counting on your cell phone to work is like tossing a coin. Your land line, assuming the infrastructure has not been damaged, will more likely work because the carrier knows where each phone is and they can build enough capacity.

Credit: PC Magazine

Trump Bans 8 More Chinese Apps

Donald Trump has signed an executive order banning the use of eight Chinese apps, namely Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.

The EO says that the apps can track users and capture personal data –

Just like, say, Facebook or Fox News or any other American app.

But Trump doesn’t like it that China is collecting that data because, basically, China bad. And, realistically, that is hard to argue with.

Part of the problem is that users “over share”.

Another part of the problem is that users opt for convenience over security and that means that these apps – including all of the American apps – can vacuum up an amazing amount of data that lives on most users’ phones.

Consider this. The last time YOU installed an app on your phone it probably asked for some permissions. Did you consider whether that app really needed those permissions? Almost no one else does either.

Somehow Trump ties what these apps are doing to the Anthem and Office of Personnel Management breaches. I guess in the sense that all of those desire to collect your data – just like Twitter does – that is true. I am sure that even though Trump hates Twitter, he would hate it even more if it was not financially viable and disappeared. Therefore, if they have to harvest your data without any real permission – yes you can disagree, but if you do, they will delete your account – that is okay.

The basic difference here is not WHAT is being done, but rather WHO is doing it. All apps collect, use and monetize your data. Who are the good guys is a little less clear.

The order doesn’t take effect for 45 days, so likely it will be up to the next administration to figure out what to do.

Personally, I would be fine if half of the apps on the Apple and Android stores just went poof. No, actually 90% would be a good number to banish. I would not miss them at all. Just my opinion. Credit: The Register

Nashville Bombing Part 2

As I said last week, while the bombing is a horrible event, it does point out how brittle our telecommunications world is. That being said, for most companies, the rest of the IT infrastructure is probably more brittle.

Companies should use this as an opportunity to review their situation and see if they can make improvements at a price that is affordable.

While AT&T was able to strike a deal with the City of Nashville to commandeer Nissan Stadium, home of the Titans, to set up a replacement central office, you probably will not get the same treatment if you asked.

AT&T was also able to deploy 25 tractor trailers of computer equipment to replace the equipment that was damaged.

Finally, AT&T was able to temporarily reassign personnel with every skill that they might possibly need from fiber techs to computer programmers. Again, you likely would not be able to do that.

The question for you to “game out” is: what are my critical vendors and what would I do if they had a meltdown? I don’t mean a 30 minute outage, I mean a meltdown. We have seen, for example, tech companies that have gotten hit by ransomware.

Perhaps, like many companies, you use a managed service provider or MSP. A number of MSPs have been hit by ransomware and when they are, often so are their customers. Does your MSP have the resources to defend all (or most) of its customers from a ransomware attack at once? How long would it take your MSP to get you back to working? Even large MSPs (which means many customers) likely don’t have the resources.

If that were to happen to you – and of course, they have the only copies of your data, right? – what would they do and what would you do?

Maybe your servers are hosted in your office. There are a lot of possible events that could occur.

Even if your servers are in a colo, things can occur that can take you down.

Here is one thing to start with –

For each key system from personnel to public web sites, both internal and at third parties, document your RECOVERY TIME OBJECTIVE or RTO. The RTO is the maximum acceptable downtime before recovering. For example, for payroll, it might be 24 hours. But what if the outage happens at noon on the day that payroll must be sent to your bank? So, think carefully about what the maximum RTO is and remember that it will likely be different for different systems.

Then, for each system, document the RECOVERY POINT OBJECTIVE or RPO. The RPO is the point in time, counting backward from the event, up to which you are willing to lose data. For example, if this is an ecommerce system, maybe you are willing to lose 30 minutes worth of orders. Or maybe 5 minutes. If it is an accounting system, maybe it is 8 hours (rekeying one day’s worth of AR and AP may be considered acceptable). Again, each system will likely be different.

Then get all of the lines of business, management and the Board (if there is one) to agree on those times. Note that shorter RTOs and RPOs mean increased cost. The business units may say that they are not willing to lose any data. If you tell them that you can do that, but it will cost them a million dollars a year, they may rethink that. Or management may rethink that for them. The key point is to get everyone on the same page.

Once you have done that, make a list of the possible events that you need to deal with.

  • Someone plants a bomb in an RV outside your building and there is severe physical damage to your building.
  • Or maybe the bomb is down the block, but the force of the blast damages the water pipes in your building.
  • Or, the bomb is down the block and there is no damage to your building, but the city has turned off water, power and gas to the building. And the building is inside a police line and will be inaccessible while the police try to figure out what is going on.
  • In the case of AT&T, they had to pump three FEET of water out of the building. Water and generators are not a good mix. Neither are water and batteries. While AT&T lost their generators as a result of the blast, their batteries were distributed around the building so they did not lose ALL of their batteries.

Note that you do not need to think up all the scenarios yourself. You can look at the news reports and after-action reports from other big, public meltdowns. Here is another article on the Nashville situation.

Now create a matrix of events and systems for your RTO and RPO numbers. In the intersection box, you can say that you already can meet those objectives or that it will cost $1.29 one time to meet it or a million dollars a year. You need to include third party providers if they run and manage any systems that are critical to you.

Once you have done all that, you can go back to management and the lines of business and tell them here is the reality – what risk are you willing to accept? This is NOT an IT problem. This is a business problem.

The business will consider the likelihood of the event – even after Nashville, an RV filled with explosives is an unlikely event and the cost to mitigate the problem is likely high. For some systems the cost may be low enough and the risk high enough that management says fix it. For other systems, probably not.

The key point is that everyone from the lines of business to management to the Board all understand what the risks are and what the mitigation costs are. From this data, they can make an informed BUSINESS decision on what to do.
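Here is the RTO/RPO matrix from the steps above worked through in code. This is an added example, not something from the post or any vendor; the systems, scenarios, capabilities and costs are constructed sample values, and the deadline adjustment for payroll is the noon-on-payroll-day case mentioned earlier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Objective:
    """Agreed RTO/RPO for one system (all values in this example are constructed samples)."""
    system: str
    rto_hours: float            # maximum acceptable downtime
    rpo_minutes: float          # maximum acceptable data loss, counted back from the event
    third_party: bool = False   # run or managed by an outside provider (MSP, colo, SaaS)

@dataclass(frozen=True)
class Capability:
    """What today's setup delivers for one (system, event) cell, plus the price of closing any gap."""
    recovery_hours: float
    data_loss_minutes: float
    one_time_cost: float = 0.0
    annual_cost: float = 0.0

def effective_rto(rto_hours, hours_until_deadline):
    """A 24h payroll RTO shrinks when the outage hits at noon on the day the file is due."""
    return min(rto_hours, hours_until_deadline)

def assess(objectives, events, capabilities):
    """Event x system matrix: each cell is 'meets' or 'gap', with the cost to close the gap."""
    matrix = {}
    for obj in objectives:
        for event in events:
            cap = capabilities[(obj.system, event)]
            rto_ok = cap.recovery_hours <= obj.rto_hours
            rpo_ok = cap.data_loss_minutes <= obj.rpo_minutes
            matrix[(obj.system, event)] = {
                "status": "meets" if (rto_ok and rpo_ok) else "gap",
                "rto_ok": rto_ok, "rpo_ok": rpo_ok,
                "one_time_cost": cap.one_time_cost, "annual_cost": cap.annual_cost,
                "third_party": obj.third_party,   # flag cells whose fix depends on a vendor
            }
    return matrix

def gaps_for_management(matrix):
    """The list to take back to the business: every gap, most expensive to close first."""
    rows = [(cell, info) for cell, info in matrix.items() if info["status"] == "gap"]
    return sorted(rows, key=lambda r: r[1]["annual_cost"] + r[1]["one_time_cost"], reverse=True)

# Constructed sample: two systems against two of the scenarios listed above.
OBJECTIVES = [Objective("payroll", rto_hours=24, rpo_minutes=8 * 60),
              Objective("ecommerce", rto_hours=4, rpo_minutes=30, third_party=True)]
EVENTS = ["building damaged", "utilities cut and site inaccessible"]
CAPABILITIES = {
    ("payroll", "building damaged"): Capability(72, 24 * 60, one_time_cost=15000),
    ("payroll", "utilities cut and site inaccessible"): Capability(8, 8 * 60),
    ("ecommerce", "building damaged"): Capability(1, 5),                    # hosted off-site, unaffected
    ("ecommerce", "utilities cut and site inaccessible"): Capability(1, 60, annual_cost=40000),
}
MATRIX = assess(OBJECTIVES, EVENTS, CAPABILITIES)
```

Each "gap" row carries the cost to close it, so the output is exactly the "what risk are you willing to accept?" list the business needs to decide on.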

If you need help with this, please contact us.

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of Solar Winds Attack Was Your Cloud Data

Microsoft says that the objective of the Solar Winds Hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to email. The article also provides more information on how to detect if the hackers did compromise your cloud resources. Credit: Bleeping Computer

“Swatting” Moves to the Next Level

Swatting, the practice of calling in a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, is moving to the next level. As if having the police show up unexpectedly with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords and are watching and listening to the police assault through the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how they messed with the data.

Credit: Bleeping Computer

Solar Winds Troubles Are Not Over

A second piece of malware called SUPERNOVA and a zero-day vulnerability that it exploited makes it look like there may have been a second attack against Solar Winds. This appears to be a separate attack from the Russian attack. The attack vector is different too – this is not an attack against Solar Winds code base. This spells additional trouble for Solar Winds. Credit: Security Week

Covid. Vaccines. Privacy.

We definitely live in interesting times.

The virus is surging and at the same time morphing.

Two different vaccines have been approved for emergency use. More are on the way.

The country is discovering that actually getting vaccines in people’s arms is harder than talking about it.

AND, there is talk of you having to install an app on your phone to prove that you have been vaccinated in order to get on a plane, enter some venues or visit some countries. Which vaccine. How many doses. What dates.

The makers of these apps promise that your data is secure.

Maybe it is safe. To be honest, I don’t know.

Unlocking your phone and giving it to some stranger in a foreign country to prove you have been vaccinated doesn’t seem like a great strategy to me.

The process works by generating a QR code and displaying it. Maybe that can be done with the phone still locked.

And of course, everyone has their own smartphone. Everywhere in the world. Including your grandma.

Of course, there are going to be multiple apps. I am sure they will all be compatible. And certainly no one is going to say that they only accept app ‘X’ and not the one that you already have installed.

Finally, I am sure that there won’t be a black market for fake credentials and all of the apps will be hacker proof.

I wonder if there is going to be a service that you can pay for to fake whatever QR code you want.

Granted this qualifies as a “first world problem”, but we will watch what happens and report back over the next several months. Credit: CNN

Privacy, Security and Cyber Risk Mitigation in the Digital Age
