
True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Public Wi-fi Attacks


You may not realize it, but a common risk of working remotely or working from the road is having to connect to and work within public Wi-Fi access points. These points might be the ones you’d find in your hotel, airport, or local coffee shop. But how secure are these public networks? Who could be watching or recording what you are doing online? While a shared or public Wi-Fi connection is incredibly convenient while on the go, you are taking a risk of exposing your personal data and company information.

Here are a couple of key behaviors to reduce that risk of data exposure for people traveling and accessing public Wi-Fi.

Stay Updated

Begin by ensuring that your browsers and plugins always have the latest patches and updates. Cyber attackers are constantly strategizing ways to detect new vulnerabilities in the software you use, and your vendors are constantly patching it. Current and updated systems are much more difficult for cyber attackers to hack into, so don’t ignore those system update recommendations. In many cases, enabling automatic updates is one of the simplest ways to ensure your system stays current and secure.

In addition, before installing any software, plugins, add-ons, or extensions, be sure to check your company’s policies and procedures to ensure the programs are authorized. If you are unsure, simply ask your help desk for guidance.


Encryption is a technology that helps protect your information when transmitted over the Internet. When you connect to public Wi-Fi points, you want to be sure all of your activity online is encrypted, ensuring others cannot monitor or capture what you do online. For example, when you’re browsing the web, you want to ensure your browser is connected to websites that are encrypted. Not sure if your browser connection is encrypted? Look to the top of your browser. If you see a padlock or HTTPS next to the website address, this is an indicator that your connection to the website is encrypted.

One of the simplest and most effective ways to encrypt all of your online activity is to use a Virtual Private Network (VPN). The technology behind a VPN creates a private, encrypted tunnel for your online activity, therefore making it much more difficult for anyone to watch or monitor your online activities. A VPN can also help hide your location, which makes it much more difficult for the websites you’re visiting to determine your precise location.


Wi-Fi tethering, also known as a mobile hotspot, refers to the action of connecting one device, such as a smartphone or a tablet, to another, such as a laptop, so that you may share the internet connection between devices when a Wi-Fi connection is unavailable. When in doubt about the security of a public Wi-Fi network, it is good practice to tether your network connection off of your smartphone instead of using the public Wi-Fi.

While this may not always be possible, especially when traveling internationally, it is one of the most secure methods to connect to Wi-Fi while traveling.


Ultimately, you are the best defense. If something about the Wi-Fi connection seems odd or suspicious, simply don't connect. Find another Wi-Fi network you feel more comfortable with, or tether from your mobile device. In addition, many of today’s online attacks are not targeting your technology but attempting to trick or fool you. If you receive an email, message, or phone call that seems odd or suspicious, especially a highly urgent one, it may be an attack. Always be on alert.

Try to remember: engage people with actionable behaviors that they can truly exhibit. A wonderful model to help you understand the science behind behavior change is the BJ Fogg Behavior Model. This model indicates that three elements must touch at the same moment for a specific behavior to occur: Motivation, Ability, and a Prompt. When a behavior does not occur, the model holds that at least one of those three elements is missing. Are you motivated to change behavior? Do you have the ability to change your behavior? Are you prompted to change your behavior?

It is unreasonable to tell people in the workplace to never use public Wi-Fi. And smacking them down with an overwhelming list of detailed steps to stay secure is not only impractical, but it can also have a negative impact on workplace productivity and data security. The goal is to manage your human risk by enabling people to secure themselves in ways anyone can follow. Next time you’re traveling and need to connect to Wi-Fi, try to keep these four simple key behaviors in mind. Your data and your company will thank you.





Postage Provider Pitney Bowes Hit in Apparent Ransomware Attack


Pitney Bowes is blaming the disruption on a 'malware attack that encrypted information on some systems,' which is preventing clients from stamping their packages. The same attack has also hit the company's 'presort' mail cataloging service for the US Postal Service.
An apparent ransomware attack has hit shipping provider Pitney Bowes, preventing businesses from adding postage to their packages and possibly affecting the US Postal Service from sending your mail as well.

Pitney Bowes is blaming the disruption on a "malware attack that encrypted information on some systems," which matches how ransomware infections generally operate.

"Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter. We are considering all options to expedite this process," the US-based company said in a statement on Monday.

The company, which has over 1 million business clients, is perhaps best known for its postage meters, which can basically stamp a package for you. According to Pitney Bowes, the company's postage meters continue to function, but the attack is preventing clients from refilling their funds to print out more postage.

As a result, some users have taken to social media to post images of their postage machines suffering from IT errors. Access to the Pitney Bowes' Send Pro Online service in the UK and Canada is also currently down.

In addition, the same attack has hit the company's "presort" mail cataloging service for USPS. However, the US Postal Service is closed today due to the Columbus Day federal holiday, so it remains unclear whether the disruption will delay mail deliveries countrywide. USPS didn't immediately respond to a request for comment.

Pitney Bowes is declining to elaborate on the attack and if the hackers behind the disruption are demanding a ransom. But there's some good news. "At this time, the company has seen no evidence that customer or employee data has been improperly accessed," the shipping provider said in Monday's statement. The company's "cross border" shipping systems also remain unaffected.




Amazon Phishing Scam in Progress


HackRead has come across a phishing scam that’s trying to trick Amazon customers into handing over their account credentials, personal information, and financial details. The phishing emails purport to be notifications from Amazon informing the recipient that they need to update their information within twenty-four hours or their account will be permanently disabled.

When a victim clicks the “Update Now” button in the email, they’ll be taken to a convincing imitation of an Amazon login page. After the victim enters their credentials, the phishing page will present a form for them to input their name, address, city, state, ZIP code, phone number, and date of birth. Next, they’ll be asked to provide their credit card and bank account information.

Finally, the phishing site informs the victim that their account has been recovered and says they’ll be automatically logged out. The victim is then redirected to the real Amazon website.

This scam is intended to get as much information as possible out of the victim, and it probably works fairly well. A victim who has already fallen for the spoofed login page is unlikely to balk at entering their personal information, since that’s what the email told them they needed to do. Once they get to the financial information page, they’re already invested in the process and haven’t seen anything unexpected, so they’re less suspicious than if they’d been asked for their credit card number at the outset.

I suggest you send employees, friends and family an email about this Scam Of The Week; feel free to copy/paste/edit:

"Bad guys are targeting Amazon customers, urgently claiming you need to update your information within twenty-four hours or your account will be permanently disabled. They count on you getting worried and acting quickly without thinking it through.

The email has several red flags like typos and bad grammar, but even if the emails are perfect—which they often are these days—it is a bad idea to click on the link in the email. You should always go directly to Amazon using your web browser and see if your account has any notifications. Think Before You Click."

There are multiple red flags that could have alerted observant users. The email has numerous typos and grammatical errors, and the urgent language and deadline are common social engineering ploys. Additionally, while the site’s URL attempts to hide behind a subdomain called “login-info-accountsetting-update,” the actual domain name clearly isn’t Amazon’s.

Even if none of these warning signs had been present, it’s still a bad idea to click the link provided in the email. Rather, you should go directly to Amazon using a web browser and see if your account has any notifications. New-school security awareness training can teach your employees to recognize red flags before they fall victim to a phishing attack.
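The domain red flag above, as an added example (not code from the original post): a small check that flags links where a brand name appears only in a subdomain label while the registrable domain belongs to someone else. The allow-list, the two-label suffix rule and every sample URL are constructed assumptions for illustration; the real phishing domain is not on the page.

```python
"""Added example: flag lookalike links that hide a brand in a subdomain.

Assumptions (constructed for illustration, not taken from the real email):
- TRUSTED_DOMAINS is a stand-in allow-list of genuine Amazon domains.
- registrable_domain() uses a simplified rule instead of a full
  public-suffix list, which is what a production mail filter would use.
"""
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains we treat as genuinely Amazon's.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk"}

# Public suffixes that themselves have two labels (simplified stand-in).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a host name, e.g. 'example.com'.

    Takes the last two labels, or the last three when the suffix itself has
    two labels (co.uk, com.au). A real filter would consult the public
    suffix list here.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, brand: str = "amazon") -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unrelated'.

    trusted   - registrable domain is on the allow-list; any subdomain of it
                (www.amazon.com) is fine.
    lookalike - the brand name appears in the host or in the user-info part
                of the URL, but the registrable domain is NOT on the
                allow-list. This is the pattern in the article: a long
                subdomain such as 'login-info-accountsetting-update'
                dressing up a domain that is not Amazon's.
    unrelated - no brand reference at all.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "unrelated"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # 'https://amazon.com@phish.example/' puts the brand in the user-info
    # part; urlsplit separates it from the real host, so check both.
    if parts.username and brand in parts.username.lower():
        return "lookalike"
    if brand in host:
        return "lookalike"
    return "unrelated"


def scan_email_links(links):
    """Return (url, verdict) pairs for every link a user should be warned about."""
    return [(u, classify_link(u)) for u in links if classify_link(u) != "trusted"]


if __name__ == "__main__":
    # Constructed sample links; '.example' is a reserved TLD, so none resolve.
    sample = [
        "https://www.amazon.com/your-account",
        "https://login-info-accountsetting-update.amazon-verify.example/verify",
        "https://amazon.com.account-update.example/login",
        "https://amazon.com@phish.example/login",
        "https://example.org/newsletter",
    ]
    for url, verdict in scan_email_links(sample):
        print(f"{verdict:10} {url}")
```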




U.S. Government Confirms New Aircraft Cybersecurity Move Amid Terrorism Fears


Aircraft security is under the spotlight after the U.S. government confirmed a move to protect citizens from cyberattacks targeting aviation. It comes amid growing concern that aviation is a major target for terrorists, who could use cyberattacks to threaten planes and passengers.

The Department of Homeland Security is leading the revived program alongside the Pentagon and Transportation Department that aims to test airliners’ vulnerability to hacking, according to The Wall Street Journal. Few details are available, but DHS confirmed that the program would include testing actual aircraft for vulnerabilities.

The program is focusing on protecting the electronic systems of new and old airliners from cyberattacks. Concerns have been growing after cyberattacks on other connected so-called critical infrastructure such as power grids. A U.S. government bill focused on power grids is in place, mandating the use of specific technologies to help protect the systems underpinning them.

The issue of airplane security is certainly being taken very seriously. Separately, the U.S. Air Force will also be taking a bigger role in identifying security problems in commercial aviation systems–many of which are used by the military. 

“If we don’t probe first, our adversaries will,” Will Roper, assistant secretary for acquisition, technology, and logistics, told the Wall Street Journal. “We’ve been a little complacent in not trying to attack all of the parts of the airplane.”

So far, cyberattacks targeting airlines have focused on IT systems rather than the aircraft themselves. U.K. airline British Airways is facing a huge fine after passenger data from around 380,000 bookings was breached, including bank card numbers along with CVV codes.

But in the future, this could change. “The U.S. Airforce and most other airforces use airframes and systems that are often the same as their civilian counterparts,” says Philip Ingram, MBE, a former colonel in British military intelligence. He says the restarting of the program suggests “that secret intelligence has identified nation state and non-nation state actors potentially looking at vulnerabilities in aircraft.”

Meanwhile, Ingram says the threat from terrorism is real, but the main players have not found a way of hacking aircraft yet: “If terrorists could find a way of hacking an aircraft to bring it down, they would.  The ISIS Cyber Arm, the Cyber Caliphate Shield has lots of ambitions to carry out these sorts of attacks, but they don't have the technical capabilities.”

Modern aircraft are essentially “flying data centers in the sky,” says Ian Thornton-Trump, security head at AMTrust Europe. “It's natural for the Air Force to apply its cyber defensive and offensive skills in order to ensure the logistical and refuelling fleet is robust when it comes to physical and cybersecurity. I believe this is a great idea and the Airforce is about to pick up the cybersecurity ball after the FAA–for a lot of reasons–either dropped it or had it taken away.”

He points out that the Airforce's mission of “fly, fight and win in air, space and cyberspace” cannot be achieved “if the civilian platforms they have prove vulnerable to cyberattack.”

Aircraft cyberattacks: Addressing with urgency

It’s a major issue: The consequences of cyberattacks targeting commercial aircraft could be “devastating” and put peoples’ lives in danger, says Andrea Carcano, co-founder of Nozomi Networks. “Airlines therefore need to develop security strategies where vulnerabilities are monitored and mitigated continuously.”

The aviation sector is facing cybersecurity challenges as it moves away from isolated, bespoke solutions and becomes increasingly connected and digitally-enabled, says Nigel Stanley, CTO of TUV Rheinland. “Separating key systems with ‘air gaps’ is no longer enough to prevent attackers accessing a system. A risk-based approach to aviation cybersecurity is needed so that manufacturers, systems integrators and aviation operators embed cybersecurity risk into their products from the very start.”

The threat from cyberattacks on critical national infrastructure such as aircraft and power grids is growing as adversaries including terrorist and nation state actors realize the damage that can be done.

It’s no surprise that the U.S. is taking steps to address this with urgency. “I think there is an increasing realisation that the cyberenvironment is the preferred environment for conflict,” says Ingram. “It is therefore essential that countries look at all potential vulnerabilities.”




DoorDash suffered a data breach that affected 4.9 million people


San Francisco (CNN Business) DoorDash confirmed it suffered a data breach affecting roughly 4.9 million delivery people and merchants.

In a blog post on Thursday, DoorDash said it noticed unusual activity from a third-party service provider earlier in September. After investigating the activity, it found an unauthorized third party was able to access DoorDash user data on May 4, 2019. DoorDash said it took immediate steps to block further access and improve security.

The people affected joined DoorDash on or before April 5, 2018 — people who joined after that date weren't affected, according to the blog post. The company said it will be notifying those who were.

The breach involved data such as names, email addresses, delivery addresses, order history, phone numbers and encrypted versions of passwords. In some instances, the last four digits of payment cards and bank account numbers were accessed. According to the blog post, full payment card and bank account information weren't compromised. The driver's license numbers of about 100,000 delivery people were also accessed.

In response to the breach, DoorDash said it has added more security layers to protect people's data and improved the security protocols required to gain access to this data.

DoorDash encouraged people to change their passwords, even if they weren't affected but were still concerned about the safety of their accounts.

Importance of Patching


Software updates are important to your digital safety and cyber security. The sooner you update, the sooner you’ll feel confident your device is more secure — until the next update reminder.

Why are software updates so important? There are a lot of reasons. Here are 5 that show why it’s important to update software regularly.

  1. Software updates do a lot of things

Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing computer bugs. Updates can add new features to your devices and remove outdated ones.

While you’re at it, it’s a good idea to make sure your operating system is running the latest version.

  2. Updates help patch security flaws

Hackers love security flaws, also known as software vulnerabilities. A software vulnerability is a security hole or weakness found in a software program or operating system. Hackers can take advantage of the weakness by writing code to target the vulnerability. The code is packaged into malware — short for malicious software.

An exploit sometimes can infect your computer with no action on your part other than viewing a rogue website, opening a compromised message, or playing infected media.

What happens next? The malware can steal data saved on your device or allow the attacker to gain control over your computer and encrypt your files.

Software updates often include software patches. They cover the security holes to keep hackers out.

  3. Software updates help protect your data

You probably keep a lot of documents and personal information on your devices. Your personally identifiable information — from emails to bank account information — is valuable to cybercriminals.

They can use it to commit crimes in your name or sell it on the dark web to enable others to commit crimes. If it’s a ransomware attack, they might encrypt your data. You might have to pay a ransom for an encryption key to get it back. Or, worse, you might pay a ransom and not get it back.

Updating your software and operating systems helps keep hackers out.

  4. It’s not all about you

OK, cyber security is mostly about you, but you’ve got other people to think about, too. If your device gets a virus, you could pass it on to your friends, family, and business associates. That’s why you want to keep your software and systems updated.

A trusted security program such as Norton 360™ can help keep your devices secure. And that can potentially help all those people you interact with online. But it’s also important to know that anti-virus protection isn’t enough to protect your devices against all cyberthreats.

  5. You deserve the latest and greatest

Updates not only patch security holes, they can also add new features and improve existing ones. You don’t want to fall behind the times, right?

In that way, software updates really are all about you. Your software program may get a new shot of stability — no more crashing. Or an update might boost program performance — more speed. You deserve no less.

You could ignore those reminders to update your software, but you might be missing out on a lot, starting with your cyber security.

Another option? If you’re still not keen on clicking “Update now,” you may be able to configure your devices to update automatically. If so, your problem is solved.



Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak

Google Project Zero is a team of highly talented security analysts with a brief to uncover zero-day vulnerabilities. If a vulnerability is found, Project Zero reports to the vendor concerned and starts a 90-day countdown for a fix to be issued before full public disclosure is made. LastPass is also in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses. Project Zero has just disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as, in an ironic twist, LastPass could leak the last password used to any website visited.

Google Project Zero analyst Tavis Ormandy stated that "LastPass could leak the last used credentials due to a cache not being updated," adding "this was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!"

Ormandy reported the vulnerability on August 29, as Project Zero issue 1930, which showed how the credentials previously filled by LastPass could be exposed to any website under certain circumstances.

Ferenc Kun, the security engineering manager for LastPass at LogMeIn, which owns LastPass, said in an online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described.

"To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," Kun said, "any potential exposure due to the bug was limited to specific browsers (Chrome and Opera.)"

The answer, thankfully, is nothing. LastPass has already patched the vulnerability, and the fix was comprehensively verified with Project Zero. Indeed, the fix was rolled out on September 13, and Kun confirmed that "we have now resolved this bug; no user action is required and your LastPass browser extension will update automatically."

As a precaution, the LastPass update was deployed to all web browsers and not just Chrome and Opera.

Let's deal with the last part of that question first; there's absolutely no reason to stop using LastPass or your preferred password manager for that matter. "Although password managers like any other software have flaws, the benefits of using one far outweigh the risks," says ethical hacker John Opdenakker. "It’s far more likely that your accounts will get compromised by attacks that exploit poor passwords," Opdenakker says, "such as through credential reuse, than by attacks against password managers themselves."

OK, so how serious was this particular vulnerability? It certainly sounds serious enough, right? Tavis Ormandy at Project Zero allocated the vulnerability a "high" severity rating. Opdenakker isn't so sure it merits that. "I think it's most important that LastPass fixed this bug, which is certainly not a critical one, within a reasonable amount of time," Opdenakker says, "it's debatable whether it's high or medium because, as Ormandy says, it doesn't work for all URLs."

Ferenc Kun said that LastPass continues to recommend the following best practices for added online security:

  • Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Always enable Multi-Factor Authentication (MFA) for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Never reuse your LastPass master password and never disclose it to anyone, including us.
  • Use different, unique passwords for every online account.
  • Keep your computer malware-free by running antivirus with the latest detection patterns and keeping your software up-to-date.





Google Is Fined $170 Million for Violating Children’s Privacy on YouTube


Google agreed on Wednesday to pay a record $170 million fine and make changes to protect children’s privacy on YouTube, as regulators said the video site had knowingly and illegally harvested personal information from children and used it to profit by targeting them with ads.

Critics denounced the agreement, dismissing the fine as paltry and the required changes as inadequate for protecting children’s privacy.

The penalty and changes were part of a settlement with the Federal Trade Commission and New York’s attorney general, which had accused YouTube of violating the federal Children’s Online Privacy Protection Act, or COPPA.

Regulators said that YouTube, which is owned by Google, had illegally gathered children’s data — including identification codes used to track web browsing over time — without their parents’ consent.

The site also marketed itself to advertisers as a top destination for young children, even as it told some advertising firms that they did not have to comply with the children’s privacy law because YouTube did not have viewers under 13. YouTube then made millions of dollars by using the information harvested from children to target them with ads, regulators said.

To settle the charges, YouTube agreed to the $170 million penalty, with $136 million going to the trade commission and $34 million to New York State. It is the largest civil penalty ever obtained by the commission in a children’s privacy case, dwarfing the previous record fine of $5.7 million against the owner of the social video-sharing app TikTok this year.

Under the settlement, which the F.T.C. approved in a 3-to-2 vote, YouTube also agreed to create a system that asks video channel owners to identify the children’s content they post so that targeted ads are not placed in such videos. YouTube must also obtain consent from parents before collecting or sharing personal details like a child’s name or photos, regulators said.

The move is the latest enforcement action taken by regulators in the United States against technology companies for violating users’ privacy, indicating the Trump administration’s willingness to aggressively pursue the powerful corporations. It follows a $5 billion privacy settlement between the trade commission and Facebook in July over how the company collected and handled user data.

But critics of the settlement, including Senator Edward J. Markey, Democrat of Massachusetts, described the $170 million penalty as a slap on the wrist for one of the world’s richest companies.

“The F.T.C. let Google off the hook with a drop-in-the-bucket fine and a set of new requirements that fall well short of what is needed to turn YouTube into a safe and healthy place for kids,” Mr. Markey said in a statement.

Children’s advocates who lodged their own privacy complaint against YouTube with the F.T.C. last year said that Google had simply agreed to abide by a children’s privacy law it was already obligated to comply with. COPPA prohibits operators of online services from collecting personal data, like home addresses, from children under 13 without a parent’s verifiable permission.

“Merely requiring Google to follow the law, that’s a meaningless sanction,” said Jeffrey Chester, the executive director of the Center for Digital Democracy, a nonprofit group whose efforts in the 1990s helped lead to the passage of the children’s privacy law. “It’s the equivalent of a cop pulling somebody over for speeding at 110 miles an hour, and they get off with a warning.”

The agreement split the trade commission along partisan lines, with the agency’s three Republican commissioners voting to approve it and the two Democratic commissioners dissenting.

In a statement, two of the Republican commissioners, Joseph J. Simons, the agency’s chairman, and Christine S. Wilson, said that the settlement “achieves a significant victory for the millions of parents whose children watch child-directed content on YouTube.” They said it was the first time a platform would have to ask its content producers to identify themselves as creators of children’s material.

The agreement, they added, “sends a strong message to children’s content providers and to platforms about their obligation to comply with the COPPA rule.”

Although the settlement prohibits YouTube and Google from using or sharing children’s data they have already obtained, Rohit Chopra, a Democratic commissioner, said that it did not hold company executives personally accountable for illegal mining of children’s data. The other Democratic commissioner, Rebecca Kelly Slaughter, said that the agreement did not go far enough by requiring YouTube itself to proactively identify children’s videos on its platform.

“No individual accountability, insufficient remedies to address the company’s financial incentives and a fine that still allows the company to profit from its lawbreaking,” Mr. Chopra wrote in his dissent. “The terms of the settlement were not even significant enough to make Google issue a warning to its investors.”

COPPA, the strongest federal consumer privacy statute in the United States, gives the trade commission the authority to level fines of up to $42,530 for each violation.

Noah Phillips, a Republican member of the commission, argued that Congress should give the agency more guidance about how to levy fines.

In a blog post on Wednesday about the settlement, YouTube’s chief executive, Susan Wojcicki, said that “nothing is more important than protecting kids and their privacy.” She added, “From its earliest days, YouTube has been a site for people over 13, but with a boom in family content and the rise of shared devices, the likelihood of children watching without supervision has increased.”

YouTube said that not only had it agreed to stop placing targeted ads on children’s videos, it would also stop gathering personal data about anyone who watched such videos, even if the company believed that the viewer was an adult. The company also said it would eliminate features on children’s videos, like comments and notifications, that involved the use of personal data.

In addition to relying on reports from video creators, Ms. Wojcicki said that YouTube planned to use artificial intelligence to try to identify content that targeted young audiences, like videos featuring children’s toys, games or characters.

Under the settlement, YouTube must adopt the changes by early next year.

The privacy case against YouTube began in 2016 after the New York attorney general’s office, which has been active in enforcing the federal children’s privacy law in the state, notified the trade commission about apparent violations of the law on the site.

“Google and YouTube knowingly and illegally monitored, tracked and served targeted ads to young children just to keep advertising dollars rolling in,” Letitia James, New York’s attorney general, said in a statement on Wednesday. “These companies put children at risk and abused their power.”

Google has been forced to deal with privacy violations repeatedly in recent years. The company is subject to a 20-year federal consent order signed in 2011 for deceptive data-mining related to Buzz, a now-defunct social network. The order required Google to establish a comprehensive privacy program and prohibited it from misrepresenting how it handles personal data.

In 2012, Google agreed to pay $22.5 million to settle trade commission charges that it had violated the 2011 order by deceiving users of Apple’s Safari browser about its data-mining practices.

The company is also the subject of a lawsuit brought by Hector Balderas, New Mexico’s attorney general, over accusations that it violated children’s privacy. The suit says the company failed to ensure that children’s apps available through its Google Play store complied with the children’s privacy law. Google has asked that the case be dismissed.

The settlement on Wednesday is likely to have implications beyond YouTube. The changes required under the agreement could limit how much video makers earn on the platform because, while they will still make money on some kinds of ads on children’s videos, they will no longer be able to profit from ads targeted at children.

To offset some of the expected losses, YouTube said it would funnel $100 million to creators of children’s content over the next three years. It said it would also heavily promote YouTube Kids, its child-focused app, to shift parents away from using the main YouTube app when allowing their children to watch videos.

The crackdown on creators of children’s content could make it financially difficult to produce such videos, said Maureen Ohlhausen, a former acting chairwoman of the trade commission.

“There is a lot of free content available for children,” she said. “You want to be sure that you don’t kill the goose that lays the golden egg.”



Facebook Accidentally Leaks Phone Numbers of 419 Million Users


The phone numbers of hundreds of millions of Facebook users have been discovered online in the latest major data breach for the social network.

A security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.

A total of 18 million were from users in the UK, while around 133 million were from American accounts.

The records contained not only the users’ phone numbers but also their Facebook identification, which can be used to discern a person’s Facebook username.

Some records included the person's gender and location details, according to Sanyam Jain, the security researcher who first reported the database to the TechCrunch website.

Security experts said a succession of previous Facebook data breaches should not detract from the severity of the latest scandal.

“With 419 million phone numbers exposed, the volume of this data leak is huge,” Richard Walters, chief technology officer of Censornet, told The Independent. “These details provide cyber criminals with a head start for carrying out fraudulent activity and identity theft... It is unacceptable for companies to suffer data leaks in this way. Once again, Facebook has let its users down.”

One way the phone numbers could be exploited is through so-called SIM-swap attacks, in which an attacker persuades the mobile carrier to move the victim’s number to a SIM the attacker controls, and thereby receives the passcodes sent by SMS for two-factor authentication logins.

This would allow them to break into the personal accounts of Facebook users and view private messages or hijack the user’s posts. They could also intercept one-time passcodes for any other accounts tied to the same number.

Facebook users whose numbers were exposed will also be vulnerable to spam calls, while one security researcher warned that hackers could actually use the data to hijack someone’s phone.

“In terms of the damage that could be done – the more a hacker knows about you the more powerful they are,” Dmitry Kurbatov, CTO of Positive Technologies, told The Independent.

“For instance, if he has information like name, surname, phone number, birth date, ID number – this would probably be enough to impersonate you to your mobile carrier. Then he can ask to set up call and SMS forwarding, or to swap the SIM. Essentially from there the number is hijacked.”

Facebook said the exposed database has now been taken down and that it has seen no evidence that any accounts were compromised through SIM-swapping attacks.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said. “The underlying issue was addressed as part of a Newsroom post on 4 April 2018 by Facebook’s chief technology officer.”




Taking Health Care Out of the Ransomware Hot Seat

For the second straight year, ransomware accounted for over 70% of all malware incidents in the healthcare sector, according to the “2019 Verizon Data Breach Investigations Report.” Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.

Adding salt to the wound, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating ransomware attack in 2019, the first public report of a ransomware-related business failure in health care.


Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.

CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the home care field, is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data,” he said. “Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.

“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect may have been compromised,” he continued. “At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back.”

Even though medical records contain rich protected health information (PHI) that sells for a high price, cybercriminals are discovering they can get paid faster through ransomware. Unlike stolen medical records, which take time to exfiltrate and monetize, ransomware locks healthcare professionals out of critical systems and demands payment for immediate relief.

Although ransomware has been around more than 10 years, its recent rise in health care is significant as physicians become more dependent on critical, real-time patient data such as scheduling, lab results and pharmacy orders.

Without access to computerized patient data, many hospitals and clinics are frozen in their tracks. Unlike other industries where access to data is not always time-critical, being locked out of patient data can be life-threatening. Data criticality and limited cybersecurity programs make health care a prime target for ransomware, and this risk will continue to increase.

Ransomware on the Rise

A recent survey carried out by the University of Kent found that 41% of respondents hit by this type of malware paid the ransom. Each payment encourages a future generation of attackers. Ransomware takes less time and effort compared to stealing medical records, so the cost versus benefit is favorable for cybercriminals.

Another reason health care is a favorite ransomware target is that many within the industry are using out-of-date systems and applications, and most struggle with asset management, vulnerability management and patch management due to tight budgets and limited information security resources. Easy targets make good targets.

Light at the End of the Tunnel

While it may seem all doom and gloom for an industry that faces so many IT and privacy challenges, there are signs that indicate healthcare organizations are taking the challenge seriously and doing everything within their power to turn the tides.

In several recently reported breaches involving ransomware attacks, providers recovered without paying a ransom to extortionists. This offers a glimmer of hope that healthcare organizations can defend themselves adequately against such incidents.

In Syddall’s situation, he was able to take a proactive stance against ransomware using the advice he gained from a company that specializes in helping SMBs make the most of their information security budget and resources. Being aware of the threats and taking the appropriate actions is key to putting a lid on increasingly sophisticated forms of cyberattacks. While there are no silver-bullet solutions, taking a layered approach to cybersecurity can pay dividends.

“Having a knowledgeable security advisor helped me sort through a jungle of suggestions and products being pushed by vendors,” he said. “This allowed us to develop an innovative strategy that I felt confident could protect my clients’ data using a layered approach and innovative technologies—all within a budget that is reasonable for a business my size.

“Within a few weeks, I had state-of-the-art ransomware and data protection solutions seamlessly installed and configured throughout our office systems,” he added. “Equally important, A1care was able to continue to run business as normal and provide the best care to clients during installation, which was paramount to our success and reputation.”

Syddall’s statements echo the sentiments of many in the industry who just want to focus on helping patients, not triaging ransomware and other cybersecurity emergencies. Getting advice from the right security experts, employing innovative technologies, taking a layered security approach and having appropriate backup procedures are just a few of the steps organizations can take to cure the ransomware epidemic. Equally important is end-user education: Every employee should be aware of proper security protocols.

Broadly speaking, there’s still work to be done in 2019. We’ve seen some small wins, but to take health care out of the ransomware hot seat, it will take a much bigger effort from business and IT leaders in this sector before they can declare any major victories.



Cybercriminals Impersonate Chief Exec's Voice with AI Software


This didn’t take nearly as long as I thought it would to be used for nefarious purposes. You can’t even believe your own eyes or ears anymore.

Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.

Fraudsters are constantly looking for new ways to scam their victims. One unique case gives the security industry a glimpse of what they could do with artificial intelligence (AI) and voice recording.

As part of an incident in March, an attacker called the CEO of a UK-based energy business pretending to be the head of its German parent company. Analysts believe AI-based software was used to impersonate the chief executive's voice, as it had the slight German accent and other qualities the UK CEO recognized in his boss's voice — qualities that led him to believe the call was legitimate. The caller issued an "urgent" request to the CEO, demanding he transfer $243,000 to a Hungarian supplier within an hour's time.

The transfer went through and the money was later moved to other countries. Scammers continued to contact the UK company and make additional payment requests, according to Euler Hermes, the organization's insurer. However, the CEO grew suspicious and did not transfer the funds.

While this incident is still under investigation, the Wall Street Journal cites officials saying this impersonation attack is the first in which fraudsters "clearly" leveraged AI to mimic someone's voice. It's believed this technology could make it easier for scammers to manipulate enterprise victims, complicating matters for defenders who don't yet have the technology to detect them.



Municipalities Under Ransomware Attack: Lessons Learned


Hackers attack every industry sector using multiple and evolving attack vectors. In recent years they have sharpened their focus on municipalities, which are often understaffed and underfunded from a cybersecurity perspective. Archaic IT infrastructure, slashed budgets, and difficulty in retaining experienced IT security talent have put municipalities at a distinct disadvantage.

Making matters worse, new and more potent variants of ransomware are making cybercriminals a greater threat than they were just a few years ago. So far in 2019, there have been more than 40 ransomware attacks on city, county, and state government networks. In some cases, entire networks, including those serving critical functions, were shut down completely for several days.

Ransomware Defined

Ransomware is a form of malware that targets both human and technical weaknesses in an organization’s workforce and IT infrastructure. This type of cyberattack aims to deny the availability of critical data and systems.

Ransomware is frequently delivered through phishing emails to unsuspecting victims. When a victim opens a malicious link or attachment, the malware encrypts files on that machine and then seeks out other devices it can reach over the network, including backup storage, and encrypts those as well. The victim then typically sees a message demanding a ransom, payable in Bitcoin or prepaid debit cards, in exchange for the decryption key needed to recover the hijacked data.

Sometimes cybercriminals place a time limit on the payment of network extortion monies. The hacker might threaten to permanently delete data if the ransom is not received in time.

Types of Ransomware and Costs

In a 2019 report from Coveware, ransomware costs fall into two main categories:

  1. Recovery costs: this includes the ransom paid, forensic reviews, and the help required to rebuild servers and workstations.
  2. Downtime losses: this amount is typically 5 to 10 times the ransom itself, and it includes lost productivity and lost revenue opportunities.

In 2019, the average ransom payment rose from $12,762 in the first quarter to $36,295 in the second quarter, an increase of 184%. Public-sector victims, however, paid on average more than $300,000. According to Markets Insider, the global cost of ransomware to business was predicted to exceed $11.5 billion annually by 2019.


Downtime: During the first quarter of 2019, downtime due to ransomware attacks averaged 7.3 days. By the second quarter, the average had risen to 9.6 days, an alarming rate of increase.

Three of the Most Common Variants of Ransomware

  • Ryuk was developed from older ransomware code and specifically targets enterprises. Since its launch in August 2018, its operator, the Grim Spider crime group, has collected more than $3.7 million. Ryuk has recently become the most common type of ransomware targeting large enterprises with distributed networks.
  • Sodinokibi was launched in the spring of 2019. Though not yet as prevalent as Ryuk, it has already infected thousands of businesses through managed security service providers (MSSPs). Sodinokibi differs from Ryuk in that it typically hits midsize and smaller business targets, in most cases through a single MSSP. These attacks can cripple both the target company and the service provider. For MSSPs, Sodinokibi is especially devastating because it puts their entire client base at risk, and therefore their business.
  • Dharma has been on the scene since 2016 and continues to wreak havoc on small and midsize organizations. Typically, Dharma has used phishing emails to gain entry: users are prompted to download a file, at which point the intruder gets in. A newer version of Dharma gains entry through software installation. The average ransom for Dharma attacks is nearly $14,000.

To Pay or Not To Pay

Four recent attacks made headlines. Three municipalities decided not to pay the ransom, and one did.

City of Atlanta – In 2018, the city refused to pay a $52,000 Bitcoin ransom demand, but in the end spent over $17 million to recover from the attack. This was one of the most expensive ransomware occurrences yet recorded by a U.S. municipality. According to a news report, “Before the attack, the city received years of warnings about security weaknesses.”

City of Baltimore – In 2019, the city government came under a ransomware attack that brought its computers to a complete stop for a month. On advice from the FBI, the city refused to pay the demand of more than $76,000 in Bitcoin. But, in the end, it cost Baltimore over $18 million to fully recover.

Lake City – In 2019, this northern Florida city agreed to pay a $460,000 Bitcoin ransom after being attacked by Ryuk. Servers, email, and networks were all affected. After meeting with the FBI and security consultants, the city decided to pay rather than incur the risks of losing emergency services. “City officials reluctantly determined that it would be cheaper and more effective to simply pay off the hackers.”

Colorado Department of Transportation – Employees spent days offline as security officials investigated the damage done by ransomware that encrypted computer files and demanded payment in Bitcoin for their safe return. Six weeks later, the agency was back to 80 percent functionality, at an estimated cost of up to $1.5 million.

On the question of “to pay or not to pay,” responses vary. Lake City opted to pay the ransom. In the case of Atlanta and Baltimore, the decision not to pay resulted in very heavy costs. But in the words of Baltimore mayor Jack Young, “That’s just like rewarding bank robbers for robbing banks.” Some of the best practices recommended to help cities prepare include:

  • Invest in cybersecurity and business interruption planning — Have an enterprise-wide strategy that covers every user, device, and file.
  • Lock down administrative rights — Grant data access only to those who require it.
  • Stay up to date — Apply software updates promptly to avoid intrusions through outdated versions.
  • Back up data — Ensure that critical business data is backed up, stored separately, and verified to be recoverable.
  • Do not open questionable attachments — Train employees not to download attachments from unverified senders, and scan attachments for malware before they are opened.
  • Install preventative software — This includes antivirus software, firewalls and email filters, all kept updated.

The FBI and the U.S. Conference of Mayors

Law enforcement has consistently recommended against paying ransom. After all, paying an extortion demand only validates the hacker’s business model and perpetuates future attacks. Moreover, there is no guarantee that criminals will live up to their promise to provide a working decryption key. In addition, it is difficult to determine who is getting paid; it could be a terrorist organization being funded for more devastating attacks in the future. The U.S. Conference of Mayors agreed with the position of law enforcement when 225 city mayors recently signed a pledge not to pay.

Transferring Ransomware Risk

Many cybersecurity experts will agree that there is no silver bullet that will prevent all cyberattacks. As a result, the commercial cyber insurance market has evolved along with cyber threats to facilitate options for cyber-risk transfer. These insurance policies can provide indemnification for both first-party direct costs and subsequent third-party liability costs in the aftermath of a cyberattack.

While policy wording can differ among insurance companies, there are common coverages that are found in many cyber insurance policies. These may be especially helpful in transferring financial losses specific to a ransomware attack, including:

  • Cyber Extortion – Cyber insurance policies often cover ransom payments to hackers, should the insured victim decide to pay. They often provide immediate access to cryptocurrency and experienced negotiators who are essential to mitigating the effects of the attack. These negotiators may be able to convince hackers to accept a lesser amount than originally demanded. They may also provide analysis of the hacker’s digital wallets to provide insight into a hacker’s history of providing decryption tools.
  • Business Interruption – The cumulative effect of the encryption of hundreds or thousands of computers, servers, email, and phone systems in one organization can lead to significant costs. The resulting downtime and restoration process may cause severe financial loss, which may be recovered under a cyber insurance policy.
  • Crisis Management – Hackers may change tactics after the initial ransomware attack. Once they have access to networks, they may move laterally and access sensitive information that they can monetize, such as Social Security numbers and financial records. Costs to retain external vendors to investigate and respond to the attack, including IT forensics firms, privacy attorneys, credit monitoring fees, notification, and call center costs may be covered.

In light of the emerging threats posed by sophisticated ransomware attacks, it is imperative that steps are taken to prevent, mitigate, and transfer the risk. Technology-based controls, employee training, and insurance risk transfer mechanisms should all be considered.



Another MSP, Another Ransomware Attack: Hackers Disable Backup Systems

Yet another hacker attack has hit an MSP, this time spreading GlobeImposter ransomware across customer servers and networks and “encrypting everything” along the way, according to chatter on Reddit.

It sounds like one MSP and roughly five different customers were impacted, though ChannelE2E has not directly confirmed details of the alleged attacks. Still, Datto Chief Information Security Officer Ryan Weeks has shed some light on the situation. The attacks allegedly involved hackers accessing and disabling backup and disaster recovery appliances. Datto’s InfoSec and Code Red Tech Support teams have been supporting the MSP partner as the attack investigation continues, Weeks said in a statement.

Moreover, Weeks once again called on MSPs to activate two-factor authentication (2FA) as a potential step to block such attacks. Datto and other vendors are gradually mandating 2FA as the MSP industry strives to strengthen its overall defense posture.

Statement From Datto CISO Ryan Weeks


Referring to this specific incident, Weeks posted a prepared comment on Reddit. ChannelE2E confirmed with Datto that the comment is authentic. Among the key points Weeks shared:

“We are still gathering facts on this incident to share with the community. At this time, we know for certain that the attacker accessed the BCDR appliances from the local network successfully on first login attempt. How the local networks were accessed by the attacker is an active line of investigation that is ongoing. When we learn more and establish the facts, and can share them, we will update you.

To significantly increase your resilience to targeted MSP ransom attacks, please follow this previously issued guidance: Most importantly, please enable 2FA for every one of your employees on all your channel technology solutions and disable local WebUI access on BCDR appliances (portal access only).

We do not tolerate bad outcomes for our partners. In addition to our commitment to deploy required 2FA for Datto RMM after actioning partner feedback, we’re developing new tools and capabilities across our product stack to further reduce the likelihood and/or impact of a successful MSP attack such as this and others.

More than ever, we’re collaborating with other channel vendors and MSPs to pool intelligence that will enable us to better protect you and increase transparency.”

Weeks also noted that Datto and several technology partners are hosting a webcast on September 12 to provide further guidance to MSPs. ChannelE2E noted the growing cross-vendor cooperation on security in this blog.
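The detail in Weeks’ statement that the attacker got into the BCDR appliances from the local network on the first login attempt is itself a usable detection signal. An administrator’s own workstation is almost always a source the appliance has seen before, while an attacker reusing stolen or shared credentials logs in cleanly from a host that has never touched the appliance. The Python below is an added example written for this page, not Datto code or a Datto feature; the log format (`webui: LOGIN_OK` / `LOGIN_FAIL` with `user=` and `src=` fields), the appliance names and the addresses are constructed for the example, so the regular expression must be adapted to whatever your appliance actually exports.

```python
"""Flag first-attempt successful logins to a backup appliance's local web UI
from a source address never before seen for that account.

Added example with a constructed log format; adapt LOG_RE to real appliance logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) webui: (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not from a real appliance). The 02:12 login from
# 10.0.9.77 is the pattern described above: a clean first-try success from a host
# that has never logged in to the appliance before.
SAMPLE_LOG = """\
2019-08-30T08:01:10Z bcdr-01 webui: LOGIN_OK user=msp-admin src=10.0.5.20
2019-08-30T09:14:55Z bcdr-01 webui: LOGIN_OK user=msp-admin src=10.0.5.20
2019-08-31T02:12:03Z bcdr-01 webui: LOGIN_OK user=msp-admin src=10.0.9.77
2019-08-31T02:13:40Z bcdr-02 webui: LOGIN_FAIL user=msp-admin src=10.0.9.77
2019-08-31T02:13:52Z bcdr-02 webui: LOGIN_OK user=msp-admin src=10.0.9.77
2019-08-31T08:15:00Z bcdr-01 webui: LOGIN_OK user=msp-admin src=10.0.5.20
"""


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def first_try_logins(events, known_sources, fail_window=timedelta(minutes=10)):
    """Return (host, user, src, ts) for every LOGIN_OK whose src was not a known
    source for that user and that was not preceded, within fail_window, by a
    LOGIN_FAIL from the same user/src pair (a real admin mistyping a password
    looks different from a credential that simply works).

    known_sources: {user: set_of_src} learned from a baseline period. Sources
    seen during the run are added as they occur, so each new source is flagged once.
    """
    known = defaultdict(set, {u: set(s) for u, s in known_sources.items()})
    last_fail = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "LOGIN_FAIL":
            last_fail[key] = ev["ts"]
            continue
        new_source = ev["src"] not in known[ev["user"]]
        clean = key not in last_fail or ev["ts"] - last_fail[key] > fail_window
        if new_source and clean:
            hits.append((ev["host"], ev["user"], ev["src"], ev["ts"]))
        known[ev["user"]].add(ev["src"])
    return hits


def run_example():
    """Run the detector over SAMPLE_LOG with 10.0.5.20 as the only baseline source."""
    return first_try_logins(parse(SAMPLE_LOG.splitlines()),
                            {"msp-admin": {"10.0.5.20"}})


if __name__ == "__main__":
    for host, user, src, ts in run_example():
        print(f"{ts:%Y-%m-%d %H:%M:%S} first-try login to {host} as {user} "
              f"from new source {src}")
```

Build the baseline from a quiet period first: with an empty `known_sources` every account’s first login is flagged, which is noise rather than signal. Once local WebUI access is disabled as Weeks recommends, any `LOGIN_OK` at all on the local interface becomes the alert, and this heuristic is no longer needed for that path.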

Hackers Disable MSP Backups: Growing Trend

The attack mentioned above isn’t unique. MSPs in North America, Europe and Australia have suffered hacker attacks that disable backup systems and spread ransomware across end-customer systems, ChannelE2E reported in early August 2019.

In a typical scenario, the ransomware attacks spread from MSP systems to end-customer networks. When the MSP attempts a data restore, the service provider discovers BDR systems were disabled days, weeks or even months before the ransomware attack occurred, sources say. The net result, in some cases: Encrypted MSP and customer systems, and outdated or deleted backups.

In some cases, the backup provider has archived systems (a backup of the backup) to assist the MSP with longer-term recoveries. But even in that scenario, the archived backup may be a bit dated.
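The failure mode described here, and the “store backups separately and make sure they are recoverable” advice that recurs further down this page, come down to one question: was the backup you are counting on silently stopped, deleted or altered long before you needed it? A periodic restore test is the real answer. Short of that, a scheduled check that the newest snapshot is recent and that every file in it still matches the hash recorded when it was taken catches both a stalled backup job and a tampered copy. The Python below is an added example written for this page, not a Datto or other vendor feature; the snapshot layout (one directory per snapshot holding a `manifest.json` of SHA-256 digests) and the sample file contents are constructed for the example, so map it onto your own backup product’s catalog.

```python
"""Verify that a backup set is recent and that its files still match the
hashes recorded when the snapshot was taken.

Added example with a constructed layout: <root>/<snapshot>/manifest.json holds
{"taken_at": ISO-8601 time, "files": {relative path: sha256 hex digest}}.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_snapshot(root, name, files, taken_at):
    """Create a snapshot directory plus manifest (used here to build the sample data)."""
    snap = os.path.join(root, name)
    os.makedirs(snap)
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for rel, data in files.items():
        path = os.path.join(snap, rel)
        with open(path, "wb") as f:
            f.write(data)
        manifest["files"][rel] = sha256_file(path)
    with open(os.path.join(snap, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return snap


def verify_backups(root, now, max_age=timedelta(days=1)):
    """Return (ok, findings). Fails if no snapshot exists, if the newest one is
    older than max_age (backup jobs silently stopped), or if any file is missing
    or altered relative to its manifest hash (copy tampered with or deleted)."""
    snaps = []
    for name in sorted(os.listdir(root)):
        mpath = os.path.join(root, name, "manifest.json")
        if os.path.isfile(mpath):
            with open(mpath) as f:
                manifest = json.load(f)
            snaps.append((datetime.fromisoformat(manifest["taken_at"]), name, manifest))
    if not snaps:
        return False, ["no snapshot with a manifest found"]
    taken_at, name, manifest = max(snaps, key=lambda s: s[0])
    findings = []
    age = now - taken_at
    if age > max_age:
        findings.append(f"newest snapshot {name} is {age.days} days old (limit {max_age.days})")
    for rel, digest in manifest["files"].items():
        path = os.path.join(root, name, rel)
        if not os.path.isfile(path):
            findings.append(f"{name}: {rel} missing")
        elif sha256_file(path) != digest:
            findings.append(f"{name}: {rel} hash mismatch")
    return not findings, findings


SAMPLE_FILES = {  # constructed contents standing in for real backup data
    "patients.db": b"id,name\n1,example\n",
    "config.yml": b"retention: 30\n",
}


def demo(now=datetime(2019, 8, 31, tzinfo=timezone.utc)):
    """Run the check against constructed states: healthy, tampered, stale, empty."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        snap = write_snapshot(root, "2019-08-30", SAMPLE_FILES, now - timedelta(hours=6))
        results["healthy"] = verify_backups(root, now)
        with open(os.path.join(snap, "patients.db"), "ab") as f:
            f.write(b"\x00")            # silent corruption of one file
        results["tampered"] = verify_backups(root, now)
    with tempfile.TemporaryDirectory() as root:
        write_snapshot(root, "2019-08-01", SAMPLE_FILES, now - timedelta(days=30))
        results["stale"] = verify_backups(root, now)   # jobs stopped a month ago
    with tempfile.TemporaryDirectory() as root:
        results["empty"] = verify_backups(root, now)   # backups deleted outright
    return results


if __name__ == "__main__":
    for state, (ok, findings) in demo().items():
        print(f"{state:8s} ok={ok} {findings}")
```

Run the check from a host the attacker would have to compromise separately, against the offline or archived copy, and have it page someone on failure; a check that runs on the appliance the attacker has already logged into, or that only writes to a log nobody reads, reproduces the “discovered at restore time” problem this section describes.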

Ransomware Attacks Hit Multiple CSPs, MSPs

Ransomware attacks have hit multiple service providers in recent months. Victims include:

The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.

Amid those challenges, the MSP industry could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, cyberattacks and associated fallout, ChannelE2E and MSSP Alert believe.

In response, MSP software providers and their channel partners are increasingly activating two-factor authentication as a means to stop hackers from entering systems.

Moreover, ConnectWise is launching a Technology Solution Provider Information Sharing and Analysis Organization (TSP-ISAO). The goal: Recruit and welcome all companies — including rivals — into an information sharing organization that will raise industry defenses, and thereby benefit all MSPs.






Long Island Schools Hacked; District Forced to Pay $88,000 in Ransom


Hackers held two school districts on Long Island hostage over the summer, forcing one of them to pay $88,000 in cryptocurrency in order to retrieve student and staff information before the school year started.

Despite using antivirus software and firewalls, the Rockville Centre School District had its files encrypted on July 25 by Ryuk ransomware, which can spread across an entire server after a single click on a malicious email attachment.

The district's IT director managed to shut down the computer network the next day and limited damage, according to district officials. They believe the move enabled their insurance carrier to negotiate a lower ransom payment. 

"By finding ways to restore some of our data, the ransom demand went from approximately $176,000 to $88,000,” the district told SC Media.

Cyber security experts like Anita D'Amico of Code Dx, a company that provides a vulnerability management system, say the ransom is often the least costly part of the process.

"The longer you dawdle, the higher the price," D'amico said. "They have been in your system and could have infected your system, so you have to cleanse the system."

Rockville Centre School District's bitcoin ransom payment and its insurance's $10,000 deductible was less expensive than the cost to recover from the attack without the decryption keys, the district said.

D'Amico also says that one of the best ways to protect yourself from ransomware attacks is to create back ups of important information and store them separately from the main server. 

The Mineola School District was also attacked by the same virus. But they didn’t have to pay because they had a backup that wasn’t compromised.

Experts say it's also important to educate employees to not open questionable emails and click on links and attachments. Rockville Centre School District Superintendent Dr. William Johnson said they're "working on that right now" and assured parents they're ready for the upcoming school year.

The district also said it is working with federal authorities to make their servers more secure.



When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back


Brian A. Hawkins Googles his name and last employer and winces.

The words that appear are verbs like “fired,” “axed” and “sacked.”

The former information technology director of Lake City, the northern Florida city that was forced to pay out nearly half a million dollars after a ransomware attack this summer, was blamed for the breach, and for the long time it took to recover. But in a new lawsuit, Mr. Hawkins said he had warned the city about its vulnerability long ago — urging the purchase of an expensive, cloud-based backup system that might have averted the need to pay a ransom.

But there was no money. And to those weighing the many competing priorities in the northern Florida city of 12,000 people, purchasing capacity on remote computer servers didn’t seem to rise to the top — at the time. Once the city’s entire computer network crumbled in the space of a few hours, there was an intense round of finger-pointing, and it ended with Mr. Hawkins.

“My name has been blasted all over the media and across the country for weeks,” he said in his first interview with the news media since the attack earlier this summer.

The recent cyberattack in Texas, which crippled the computer systems of nearly two dozen cities simultaneously, has served as another reminder of how outgunned most municipalities are against sophisticated hackers. With cities from Florida to Maryland grappling with an onslaught of ransomware attacks that are costing millions, the harsh reality is that it is often one- or two-person information technology offices with meager budgets and strict spending rules that are the main lines of defense.

They are often up against organized criminals and nation-state actors who know how to take advantage of their weaknesses, and who are able to refine their weapons with the hundreds of thousands of dollars in ransoms being paid by vulnerable cities.

The lawsuit Mr. Hawkins filed in Columbia County state court on Aug. 9 raises the inevitable question of liability: When hackers wipe out a city’s computer system, who is to blame?

“There is a push for accountability, which means firing people. It almost never happens,” said James A. Lewis, a researcher at the Center for Strategic and International Studies. “A lot of times ransomware exploits a vulnerability that should have been fixed. You need to look: Did somebody slip up on the job?”

Two high level I.T. employees were fired after an attack this year in Baltimore, but city officials denied that the dismissals were related, The Baltimore Sun reported. No one in the Texas city of Laredo was disciplined after an attack there. A spokesman for the Texas Department of Information Resources declined to comment, citing the pending investigation.

The troubles in Lake City, about an hour west of Jacksonville, began when several city employees reported that they had fallen for a phishing attack.

Employees at the city clerk’s office, water plant and airport had clicked on an email purportedly from one of their contacts that said something like, “you have an invoice ready.” It was personalized and looked legitimate, but it was really a spear phishing attack, delivering Ryuk ransomware in what is known as a “triple threat” infection.

One of the emails was cleverly disguised: It even made reference to a prior conversation the city employee had had via email, Mr. Hawkins recalled. The email had bypassed spam filters and antivirus software, which Mr. Hawkins said were both up-to-date.

“They were super crafty,” Mr. Hawkins said.

Mr. Hawkins took the city’s network offline, re-imaged the computers and took other normal precautions. But deep down, he knew that trouble could be looming if anyone else had clicked on the suspicious email without reporting it. The next sign of trouble emerged a few weeks later, on a weekend in early June, when the email system began running slowly.

Nobody works on the weekends at City Hall. So Mr. Hawkins waited until Monday morning to tackle the problem, but by then, it was too late. All of the city’s files were encrypted, and a note had been left on the city’s servers that read: “How do you want to open this type of file? Balance of shadow universe.”

Phones were down, email was out of commission, computers did not work and even the photocopiers were inoperable.

The hackers who had left the note subsequently asked for exorbitant sums of money to release the city’s data.


How insurance companies are fueling a rise in ransomware attacks


Insurers prefer to pay the ransom. Why? ProPublica says attacks are good for business.

On June 24, the mayor and council of Lake City, Fla., gathered in an emergency session to decide how to resolve a ransomware attack that had locked the city's computer files for the preceding fortnight. Following the Pledge of Allegiance, Mayor Stephen Witt led an invocation. "Our heavenly father," Witt said, "we ask for your guidance today, that we do what's best for our city and our community."

Witt and the council members also sought guidance from City Manager Joseph Helfenberger. He recommended that the city allow its cyber insurer, Beazley, an underwriter at Lloyd's of London, to pay the ransom of 42 bitcoin, then worth about $460,000. Lake City, which was covered for ransomware under its cyber-insurance policy, would only be responsible for a $10,000 deductible. In exchange for the ransom, the hacker would provide a key to unlock the files.

"If this process works, it would save the city substantially in both time and money," Helfenberger told them.

Without asking questions or deliberating, the mayor and the council unanimously approved paying the ransom. The six-figure payment, one of several that US cities have handed over to hackers in recent months to retrieve files, made national headlines.

Left unmentioned in Helfenberger's briefing was that the city's IT staff, together with an outside vendor, had been pursuing an alternative approach. Since the attack, they had been attempting to recover backup files that were deleted during the incident. On Beazley's recommendation, the city chose to pay the ransom because the cost of a prolonged recovery from backups would have exceeded its $1 million coverage limit, and because it wanted to resume normal services as quickly as possible.

"Our insurance company made [the decision] for us," city spokesman Michael Lee, a sergeant in the Lake City Police Department, said. "At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom."

The mayor, Witt, said in an interview that he was aware of the efforts to recover backup files but preferred to have the insurer pay the ransom because it was less expensive for the city. "We pay a $10,000 deductible, and we get back to business, hopefully," he said. "Or we go, 'No, we're not going to do that,' then we spend money we don't have to just get back up and running. And so to me, it wasn't a pleasant decision, but it was the only decision."

Across America

Ransomware is proliferating across America, disabling computer systems of corporations, city governments, schools and police departments. This month, attackers seeking millions of dollars encrypted the files of 22 Texas municipalities. Overlooked in the ransomware spree is the role of an industry that is both fueling and benefiting from it: insurance. In recent years, cyber insurance sold by domestic and foreign companies has grown into an estimated $7 billion to $8 billion-a-year market in the US alone, according to Fred Eslami, an associate director at AM Best, a credit rating agency that focuses on the insurance industry. While insurers do not release information about ransom payments, ProPublica has found that they often accommodate attackers' demands, even when alternatives such as saved backup files may be available.

The FBI and security researchers say paying ransoms contributes to the profitability and spread of cybercrime and in some cases may ultimately be funding terrorist regimes. But for insurers, it makes financial sense, industry insiders said. It holds down claim costs by avoiding expenses such as covering lost revenue from snarled services and ongoing fees for consultants aiding in data recovery. And, by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.

"The onus isn't on the insurance company to stop the criminal, that's not their mission. Their objective is to help you get back to business. But it does beg the question, when you pay out to these criminals, what happens in the future?" said Loretta Worters, spokeswoman for the Insurance Information Institute, a nonprofit industry group based in New York. Attackers "see the deep pockets. You've got the insurance industry that's going to pay out, this is great."

Mitigate losses

A spokesperson for Lloyd's, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. "Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company's cyberprotection are eliminated," the spokesperson said. "A decision whether to pay a ransom will fall to the company or individual that has been attacked." Beazley declined comment.

Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one US corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company's insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom. But the decryptor obtained from the attacker in return didn't work properly and Wosar was called in to fix it, which he did. He declined to identify the client and the insurer, which also covered his services.

"Paying the ransom was a lot cheaper for the insurer," he said. "Cyber insurance is what's keeping ransomware alive today. It's a perverted relationship. They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise."

Worters, the industry spokeswoman, said ransom payments aren't the only example of insurers saving money by enriching criminals. For instance, the companies may pay fraudulent claims—for example, from a policyholder who sets a car on fire to collect auto insurance—when it's cheaper than pursuing criminal charges. "You don't want to perpetuate people committing fraud," she said. "But there are some times, quite honestly, when companies say: 'This fraud is not a ton of money. We are better off paying this.' ... It's much like the ransomware, where you're paying all these experts and lawyers, and it becomes this huge thing."

“Minimize losses”

Insurers approve or recommend paying a ransom when doing so is likely to minimize costs by restoring operations quickly, regulators said. As in Lake City, recovering files from backups can be arduous and time-consuming, potentially leaving insurers on the hook for costs ranging from employee overtime to crisis management public relations efforts, they said.

"They're going to look at their overall claim and dollar exposure and try to minimize their losses," said Eric Nordman, a former director of the regulatory services division of the National Association of Insurance Commissioners, or NAIC, the organization of state insurance regulators. "If it's more expeditious to pay the ransom and get the key to unlock it, then that's what they'll do."

As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals' demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.

One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting "insurance coverage relating to cybersecurity incidents."

“They’re going to ask for more”

Even when the attackers don't know that insurers are footing the bill, the repeated capitulations to their demands give them confidence to ask for ever-higher sums, said Thomas Hofmann, vice president of intelligence at Flashpoint, a cyber-risk intelligence firm that works with ransomware victims.

Ransom demands used to be "a lot less," said Worters, the industry spokeswoman. But if hackers think they can get more, "they're going to ask for more. So that's what's happening. ... That's certainly a concern."

In the past year, dozens of public entities in the US have been paralyzed by ransomware. Many have paid the ransoms, either from their own funds or through insurance, but others have refused on the grounds that it's immoral to reward criminals. Rather than pay a $76,000 ransom in May, the city of Baltimore—which did not have cyber insurance—sacrificed more than $5.3 million to date in recovery expenses, a spokesman for the mayor said this month. Similarly, Atlanta, which did have a cyber policy, spurned a $51,000 ransom demand last year and has spent about $8.5 million responding to the attack and recovering files, a spokesman said this month. Spurred by those and other cities, the US Conference of Mayors adopted a resolution this summer not to pay ransoms.

Still, many public agencies are delighted to have their insurers cover ransoms, especially when the ransomware has also encrypted backup files. Johannesburg-Lewiston Area Schools, a school district in Michigan, faced that predicament after being attacked in October. Beazley, the insurer handling the claim, helped the district conduct a cost-benefit analysis, which found that paying a ransom was preferable to rebuilding the systems from scratch, said Superintendent Kathleen Xenakis-Makowski.

"They sat down with our technology director and said, 'This is what's affected, and this is what it would take to re-create,'" said Xenakis-Makowski, who has since spoken at conferences for school officials about the importance of having cyber insurance. She said the district did not discuss the ransom decision publicly at the time in part to avoid a prolonged debate over the ethics of paying. "There's just certain things you have to do to make things work," she said.

Ransomware is everywhere

Ransomware is one of the most common cybercrimes in the world. Although it is often cast as a foreign problem, because hacks tend to originate from countries such as Russia and Iran, ProPublica has found that American industries have fostered its proliferation. ProPublica reported in May on two ransomware data recovery firms that purported to use their own technology to disable ransomware but in reality often just paid the attackers. One of the firms, Proven Data, of Elmsford, New York, tells victims on its website that insurance is likely to cover the cost of ransomware recovery.

Lloyd's of London, the world's largest specialty insurance market, said it pioneered the first cyber liability policy in 1999. Today, it offers cyber coverage through 74 syndicates—formed by one or more Lloyd's members such as Beazley joining together—that provide capital and accept and spread risk. Eighty percent of the cyber insurance written at Lloyd's is for entities based in the US. The Lloyd's market is famous for insuring complex, high-risk, and unusual exposures, such as climate-change consequences, Arctic explorers and Bruce Springsteen's voice.

Many insurers were initially reluctant to cover cyber disasters, in part because of the lack of reliable actuarial data. When they protect customers against traditional risks such as fires, floods and auto accidents, they price policies based on authoritative information from national and industry sources. But, as Lloyd's noted in a 2017 report, "there are no equivalent sources for cyber-risk," and the data used to set premiums is collected from the internet. Such publicly available data is likely to underestimate the potential financial impact of ransomware for an insurer. According to a report by global consulting firm PwC, both insurers and victimized companies are reluctant to disclose breaches because of concerns over loss of competitive advantage or reputational damage.

Insurance is everywhere, too

Despite the uncertainty over pricing, dozens of carriers eventually followed Lloyd's in embracing cyber coverage. Other lines of insurance are expected to shrink in the coming decades, said Nordman, the former regulator. Self-driving cars, for example, are expected to lead to significantly fewer car accidents and a corresponding drop in premiums, according to estimates. Insurers are seeking new areas of opportunity, and "cyber is one of the small number of lines that is actually growing," Nordman said.

Driven partly by the spread of ransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, total US cyber premiums written by insurers that reported to the NAIC doubled to an estimated $3.1 billion, according to the most recent data available.

Cyber policies have been more profitable for insurers than other lines of insurance. The loss ratio for US cyber policies was about 35% in 2018, according to a report by Aon, a London-based professional services firm. In other words, for every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims. That compares to a loss ratio of about 62% across all property and casualty insurance, according to data compiled by the NAIC of insurers that report to them. Besides ransomware, cyber insurance frequently covers costs for claims related to data breaches, identity theft and electronic financial scams.

During the underwriting process, insurers typically inquire about a prospective policyholder's cyber security, such as the strength of its firewall or the viability of its backup files, Nordman said. If they believe the organization's defenses are inadequate, they might decline to write a policy or charge more for it, he said. North Dakota Insurance Commissioner Jon Godfread, chairman of the NAIC's innovation and technology task force, said some insurers suggest prospective policyholders hire outside firms to conduct "cyber audits" as a "risk mitigation tool" aimed to prevent attacks—and claims—by strengthening security.

"Ultimately, you're going to see that prevention of the ransomware attack is likely going to come from the insurance carrier side," Godfread said. "If they can prevent it, they don't have to pay out a claim, it's better for everybody."

Not all cyber insurance policies cover ransom payments. After a ransomware attack on Jackson County, Georgia, last March, the county billed insurance for credit monitoring services and an attorney but had to pay the ransom of about $400,000, County Manager Kevin Poe said. Other victims have struggled to get insurers to pay cyber-related claims. Food company Mondelez International and pharmaceutical company Merck sued insurers last year in state courts after the carriers refused to reimburse costs associated with damage from NotPetya malware. The insurers cited "hostile or warlike action" or "act of war" exclusions because the malware was linked to the Russian military. The cases are pending.

“Vicious circle”

The proliferation of cyber insurers willing to accommodate ransom demands has fostered an industry of data recovery and incident response firms that insurers hire to investigate attacks and negotiate with and pay hackers. This year, two FBI officials who recently retired from the bureau opened an incident response firm in Connecticut. The firm, The Aggeris Group, says on its website that it offers "an expedient response by providing cyber extortion negotiation services and support recovery from a ransomware attack."

Ramarcus Baylor, a principal consultant for The Crypsis Group, a Virginia incident response firm, said he recently worked with two companies hit by ransomware. Although both clients had backup systems, insurers promised to cover the six-figure ransom payments rather than spend several days assessing whether the backups were working. Losing money every day the systems were down, the clients accepted the offer, he said.

Crypsis CEO Bret Padres said his company gets many of its clients from insurance referrals. There's "really good money in ransomware" for the cyberattacker, recovery experts and insurers, he said. Routine ransom payments have created a "vicious circle," he said. "It's a hard cycle to break because everyone involved profits: We do, the insurance carriers do, the attackers do."

Chris Loehr, executive vice president of Texas-based Solis Security, said there are "a lot of times" when backups are available but clients still pay ransoms. Everyone from the victim to the insurer wants the ransom paid and systems restored as fast as possible, Loehr said.

"They figure out that it's going to take a month to restore from the cloud, and so even though they have the data backed up," paying a ransom to obtain a decryption key is faster, he said.

"Let's get it negotiated very quickly, let's just get the keys, and get the customer decrypted to minimize business interruption loss," he continued. "It makes the client happy, it makes the attorneys happy, it makes the insurance happy."

“It sucks... but that’s what you gotta do”

If clients morally oppose ransom payments, Loehr said, he reminds them where their financial interests lie, and of the high stakes for their businesses and employees. "I'll ask, 'The situation you're in, how long can you go on like this?'" he said. "They'll say, 'Well, not for long.' Insurance is only going to cover you for up to X amount of dollars, which gets burned up fast."

"I know it sucks having to pay off assholes, but that's what you gotta do," he said. "And they're like, 'Yeah, OK, let's get it done.' You gotta kind of take charge and tell them, 'This is the way it's going to be or you're dead in the water.'"

Lloyd's-backed CFC, a specialist insurance provider based in London, uses Solis for some of its US clients hit by ransomware. Graeme Newman, chief innovation officer at CFC, said "we work relentlessly" to help victims improve their backup security. "Our primary objective is always to get our clients back up and running as quickly as possible," he said. "We would never recommend that our clients pay ransoms. This would only ever be a very final course of action, and any decision to do so would be taken by our clients, not us as an insurance company."

As ransomware has burgeoned, the incident response division of Solis has "taken off like a rocket," Loehr said. Loehr's need for a reliable way to pay ransoms, which typically are transacted in digital currencies such as Bitcoin, spawned Sentinel Crypto, a Florida-based money services business managed by his friend, Wesley Spencer. Sentinel's business is paying ransoms on behalf of clients whose insurers reimburse them, Loehr and Spencer said.

New York-based Flashpoint also pays ransoms for insurance companies. Hofmann, the vice president, said insurers typically give policyholders a toll-free number to dial as soon as they realize they've been hit. The number connects to a lawyer who provides a list of incident response firms and other contractors. Insurers tightly control expenses, approving or denying coverage for the recovery efforts advised by the vendors they suggest.

"Carriers are absolutely involved in the decision making," Hofmann said. On both sides of the attack, "insurance is going to transform this entire market," he said.


On June 10, Lake City government officials noticed they couldn't make calls or send emails. IT staff then discovered encrypted files on the city's servers and disconnected the infected servers from the internet. The city soon learned it was struck by Ryuk ransomware. Over the past year, unknown attackers using the Ryuk strain have besieged small municipalities and technology and logistics companies, demanding ransoms up to $5 million, according to the FBI.

Shortly after realizing it had been attacked, Lake City contacted the Florida League of Cities, which provides insurance for more than 550 public entities in the state. Beazley is the league's reinsurer for cyber coverage, and they share the risk. The league declined to comment.

Initially, the city had hoped to restore its systems without paying a ransom. IT staff was "plugging along" and had taken server drives to a local vendor who'd had "moderate success at getting the stuff off of it," Lee said. However, the process was slow and more challenging than anticipated, he said.

As the local technicians worked on the backups, Beazley requested a sample encrypted file and the ransom note so its approved vendor, Coveware, could open negotiations with the hackers, said Steve Roberts, Lake City's director of risk management. The initial ransom demand was 86 bitcoin, or about $700,000 at the time, Coveware CEO Bill Siegel said. "Beazley was not happy with it—it was way too high," Roberts said. "So [Coveware] started negotiations with the perps and got it down to the 42 bitcoin. Insurance stood by with the final negotiation amount, waiting for our decision."

Lee said Lake City may have been able to achieve a "majority recovery" of its files without paying the ransom, but it probably would have cost "three times as much money trying to get there." The city fired its IT director, Brian Hawkins, in the midst of the recovery efforts. Hawkins, who is suing the city, said in an interview posted online by his new employer that he was made "the scapegoat" for the city's unpreparedness. The "recovery process on the files was taking a long time" and "the lengthy process was a major factor in paying the ransom," he said in the interview.

“They know the cost-benefit of that”

On June 25, the day after the council meeting, the city said in a press release that while its backup recovery efforts "were initially successful, many systems were determined to be unrecoverable." Lake City fronted the ransom amount to Coveware, which converted the money to bitcoin, paid the attackers and received a fee for its services. The Florida League of Cities reimbursed the city, Roberts said.

Lee acknowledged that paying ransoms spurs more ransomware attacks. But as cyber insurance becomes ubiquitous, he said, he trusts the industry's judgment.

"The insurer is the one who is going to get hit with most of this if it continues," he said. "And if they're the ones deciding it's still better to pay out, knowing that means they're more likely to have to do it again—if they still find that it's the financially correct decision—it's kind of hard to argue with them because they know the cost-benefit of that. I have a hard time saying it's the right decision, but maybe it makes sense with a certain perspective."


Can VMware become a leading cybersecurity vendor?


VMware's recent acquisition of Carbon Black gives the company a strong security foundation to build on.

When you think about VMware and cybersecurity, two products have always stood out: NSX, which has evolved into a common micro-segmentation tool for east/west traffic within ESXi, and AppDefense, which monitors applications, determines “normal” behavior, and detects anomalies.

Now, VMware has other security capabilities, but few cybersecurity pros know a thing about them. Why? Because despite its strong technology, VMware has never established itself as a cybersecurity vendor. Many VMware salespeople have a cursory understanding of the company’s security capabilities, while partners often complain that beyond its Palo Alto, California, headquarters, VMware isn’t proficient at driving security go-to-market programs with channel partners or its global sales organization.

To its credit, VMware recognized two things:

  1. Its future hybrid cloud leadership needed a much greater security presence, and
  2. It couldn’t get there on its own.

For those reasons, VMware acquired Carbon Black last week. Yes, this acquisition can help VMware address its historical cybersecurity shortcomings, but Carbon Black has the potential to contribute much more.

Carbon Black gives VMware the potential to become a cybersecurity leader

The combination of VMware and Carbon Black can:

  • Provide a security bundle for Workspace One. VMware’s “intelligence-driven workspace platform” offered security features for identity and access management but lacked any native device/virtual device security safeguards. Armed with Carbon Black, VMware can provide an integrated secure workspace – similar to what Microsoft does with ATP. Beyond endpoints, Carbon Black can also be bundled with core ESX.
  • Bring VMware into the growing market for threat detection and response. According to our research at ESG, 76% of organizations believe that threat detection and response is more difficult today than it was two years ago due to an increase in sophisticated/targeted attacks, an increasing cybersecurity workload, and a growing attack surface. To address this, 89% of organizations plan to increase spending in this area – 47% will increase threat detection and response spending "significantly." Threat detection and response really depends upon five security technologies: EDR, NTA, file sandboxing, threat intelligence, and security analytics. With Carbon Black, its recent acquisition of Veriflow, and its vRealize product, VMware now covers the whole threat detection and response enchilada. Oh, and VMware also gets Carbon Black’s managed services for the growing population of customers who need help with threat detection/response. 
  • Further complement its hybrid cloud strategy with security. In its quest to anchor hybrid cloud infrastructure, VMware recently purchased Intrinsic, a company focused on securing serverless workloads. While Carbon Black doesn’t currently support cloud workload security, these capabilities should become part of the offering by early 2020. When this development is completed, VMware will offer customers security controls for physical endpoints and servers, virtual endpoints and servers, and cloud-based workloads of all types (i.e. virtual servers, containers, serverless, etc.). 

Aside from technical assets, Carbon Black has a global security-savvy salesforce and strong partner program execution. These capabilities further address VMware’s historical security weaknesses.

Other acquisitions that would help VMware

While VMware has its checkbook out, it could further bolster its security stance with a few additional acquisitions in:

  • Network traffic analytics (NTA). ESG research indicates that 43% of organizations consider NTA the "first line of defense" for threat detection and response. Rather than building security capabilities into vRealize, perhaps VMware should buy a pure-play security expert such as Corelight, DarkTrace, or Vectra Networks.
  • Security analytics and operations. This would be a big move for VMware, but it’s certainly demonstrating bold behavior. Could Exabeam, Jask, or SumoLogic be in the cards?

Regardless of future moves, VMware just took a major step toward becoming a cybersecurity leader while shaking up the security industry. My learned colleague Dave Gruber and I will be watching and reporting on further progress and developments. 

Importance of Patching


You’re probably no stranger to those little pop-up windows. They tell you software updates are available for your computer, laptop, tablet, or mobile device.

You might be tempted to click on that “Remind me later” button. Don’t do it. Or, at least don’t put off updating your software for long.

Software updates are important to your digital safety and cyber security. The sooner you update, the sooner you’ll feel confident your device is more secure — until the next update reminder.

Why are software updates so important? There are a lot of reasons. Here are 5 that show why it’s important to update software regularly.

  1. Software updates do a lot of things

Software updates offer plenty of benefits. It’s all about revisions. These might include repairing security holes that have been discovered and fixing or removing computer bugs. Updates can add new features to your devices and remove outdated ones.

While you’re at it, it’s a good idea to make sure your operating system is running the latest version.

  2. Updates help patch security flaws

Hackers love security flaws, also known as software vulnerabilities. A software vulnerability is a security hole or weakness found in a software program or operating system. Hackers can take advantage of the weakness by writing code to target the vulnerability. The code is packaged into malware — short for malicious software.

An exploit sometimes can infect your computer with no action on your part other than viewing a rogue website, opening a compromised message, or playing infected media.

What happens next? The malware can steal data saved on your device or allow the attacker to gain control over your computer and encrypt your files.

Software updates often include software patches. They cover the security holes to keep hackers out.

  3. Software updates help protect your data

You probably keep a lot of documents and personal information on your devices. Your personally identifiable information — from emails to bank account information — is valuable to cybercriminals.

They can use it to commit crimes in your name or sell it on the dark web to enable others to commit crimes. If it’s a ransomware attack, they might encrypt your data. You might have to pay a ransom for an encryption key to get it back. Or, worse, you might pay a ransom and not get it back.

Updating your software and operating systems helps keep hackers out.

  4. It’s not all about you

OK, cyber security is mostly about you, but you’ve got other people to think about, too. If your device gets a virus, you could pass it on to your friends, family, and business associates. That’s why you want to keep your software and systems updated.

A trusted security program such as Norton 360™ can help keep your devices secure. And that can potentially help all those people you interact with online. But it’s also important to know anti-virus protection isn’t enough to protect your devices against all cyberthreats.

  5. You deserve the latest and greatest

Updates not only patch security holes, they can also add new features and improve existing ones. You don’t want to fall behind the times, right?

In that way, software updates really are all about you. Your software program may get a new shot of stability — no more crashing. Or an update might boost program performance — more speed. You deserve no less.

You could ignore those reminders to update your software, but you might be missing out on a lot, starting with your cyber security.

Another option? If you’re still not keen on clicking “Update now,” you may be able to configure your devices to update automatically. If so, your problem is solved.



Google and Dell team up on the first Chromebooks made for business


The next time you get a laptop from your company's IT department, you might be getting a Chromebook. Not that you couldn't already get a Chromebook from your office, but these offer extra security and organizational features that might leave IT professionals more reassured. The Dell Latitude 5400 Chromebook Enterprise and Dell Latitude 5300 2-in-1 Chromebook Enterprise were born from a partnership between Dell and Google, though the latter also has some updates around Chrome OS enterprise to share today. Unwieldy names aside, these new machines are based on existing models of Dell's Latitude laptops, except they run Chrome OS. So don't be surprised if you find them familiar.

Aside from the Chrome logo on the keyboard and the OS they're running, the two new laptops look nearly identical to their existing Latitude stablemates. They share a similar bland, black design that you'd expect from a company-issued machine -- like the BlackBerries of laptops. Like most work laptops, these Chromebooks have comfortable keyboards, though using a Chrome-optimized layout so you'll find a Language button in place of a Windows Start key. The 5300 2-in-1 and 5400 clamshell sport 13-inch and 14-inch screens respectively, both running at Full HD.


Both Latitudes will pack up to 8th-generation Intel Core i7 CPUs, and will be the first Chromebooks to offer up to 32GB of DDR4 RAM and enterprise-class SSDs of up to 1TB. They can also be configured with LTE radios for connections at up to 450 Mbps on the go. These guts may sound a little overkill for Chromebooks, but seem pretty par for the course, as far as typical work laptops go.

What makes these different from the existing Chromebooks that your organization can already hand out is the behind-the-scenes stuff catering for your IT departments' needs.

Businesses currently using Chromebooks can add the new Chrome Enterprise Upgrade and make use of the new Google Admin console for Chrome OS, which Google said provides 10 times faster load times. This will allow admins to enable a managed Linux environment on Chromebooks, which will let them grant access to specific users as well as offer VPN support for internal files. These are all backed by Dell's Unified Workspace program that IT administrators can use to oversee their entire organization's fleet of devices across different operating systems and from the cloud.

Specifically on the new Latitude enterprise Chromebooks, IT professionals will appreciate that they come with year-round 24/7 Dell ProSupport as well as Chrome Enterprise support. They'll also be able to conveniently add G Suite and Drive Enterprise via Dell, which will take on the task of reselling the Google service. This will let employees use apps like Docs, Sheets and Slides natively on the Chromebooks without worrying about remaining online.

The Dell Latitude Chromebook Enterprise laptops are available to order from August 27th, starting at $699 for the 5400 and $819 for the 5300 2-in-1. Not that this should matter to you, anyway, since it's not like you'd be the one going out to buy them (unless you're in charge of your organization's laptop orders). But if you're a hardcore Chrome OS fan who's been wanting a company-issued Chromebook or your company's IT administrator, this could be exciting news for you.

And for the rest of us, if nothing else, at least there'll be more options to choose from the next time we're upgrading our work laptops.


Patch Management: Why it’s Important for CyberSecurity


A good patch management strategy is commonly listed as one of the basics of an organizational cybersecurity strategy. In this post, we discuss the importance of strong patch management and how to implement a good patch management strategy.

What Is Patch Management?

All software has bugs. Whether these are caused by design flaws or implementation flaws, the sheer amount of code in systems that we use every day is bound to contain errors. In his book Code Complete, Steve McConnell explores the average rate of errors in programming and estimates that the average program will have between 15 and 50 errors for every thousand lines of code. For reference, the average iPhone app has over 20,000 lines of code or an estimated 300-1000 errors, some of which are exploitable vulnerabilities.

Patches are software or firmware updates issued by a program’s developer designed to fix identified flaws in a program. Typically, this occurs after the flaw has been identified as an exploitable vulnerability, meaning that applying these patches is important to the security of the software.

Why Don’t Companies Patch their Software?

Companies may not regularly patch their systems for a number of reasons. A lack of technical staff can make “updating” a little scary to those without a technical background. Undermanned IT staff can become busy with problems perceived to be “more important”. Most notably, some updates can cause performance issues or “break stuff” and are therefore put off rather than dealt with, along with the complications that come with updating.

Regardless of the reasons why an organization may procrastinate when it comes to patching, it’s a critical process that needs to be in place. Spending 30 minutes to a few hours on patching can save hundreds of thousands of dollars in damage and hundreds of hours of recovery from a problem caused by a vulnerability or software failure.

Why Is Patching Software Important?

Patches are typically issued after an exploitable vulnerability has been discovered by the community or disclosed by the originating vendor for a piece of software or firmware. After a vulnerability is acknowledged, it is not uncommon for malicious actors to try to exploit it within the window between learning about it from its public disclosure and when the majority of the public have applied patches. Making this window as small as possible is important for organizational cybersecurity.

The Equifax data breach is an example of the dangers of a poor patch management strategy. As many as 143 million US customers had their personal data exposed in the breach. The cause of the breach was a failure to patch a known vulnerability in Apache Struts. A patch for the vulnerability had been available for two months before Equifax’s breach. Attackers had been exploiting the vulnerability starting just days after the patch was released, demonstrating how quickly a failure to patch exposes an organization. Equifax’s poor patch management policies opened it up to one of the most significant breaches in history.

Implementing a Good Patch Management Strategy

A good patch management strategy ensures that patches are applied in a timely manner and will not negatively affect operations. This breaks down into two main components: patch testing and patch application.

Patches are designed to improve the system or software; however, the developer cannot test against every possible use case and build environment. Depending on the specifics of your organizational network, some patches may break functionality, meaning that testing is vital before deployment. Testing should be performed in an isolated test environment, ideally a virtualized mirror of your production environment. By testing in an environment identical to production, it’s possible to identify and correct potential issues before they affect production systems.

Once testing is complete, patches should be deployed as soon as possible. While it may be feasible to do this manually in small environments, an automated patch application process is generally a better idea. Automation ensures that patches are deployed as quickly as possible and consistently applied across the network. The reduced workload on IT staff allows them to respond to specific patching issues quickly.
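The two components above (the disclosure-to-patch window from the previous section, and "test ring first, production second" from this one) can be made concrete in a small rollout planner. The block below is an added example, not code from the page's author or from any patch-management product; the advisory ID, package names, versions, hosts and dates are all constructed for illustration, and the dotted-version comparison is a simplification (real package managers need their own comparators for epochs and release tags).

```python
# Added example: ring-based patch rollout planner with exposure tracking.
# Not the page author's code. Advisory ID, packages, hosts and dates are
# constructed sample data, not real advisories or systems.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '4.2.1' into (4, 2, 1). Tuples compare element-wise, which is
    enough for plain dotted versions; Debian/RPM strings need apt_pkg/rpm
    comparators in real use (simplification noted in the lead-in)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # hypothetical identifier, not a real CVE
    package: str
    fixed_version: Version # first version that closes the hole
    released: date         # day the vendor published the patch


@dataclass
class Host:
    name: str
    ring: str                  # "test" = isolated mirror of prod, or "prod"
    packages: Dict[str, Version]


def is_vulnerable(host: Host, adv: Advisory) -> bool:
    """Exposed if the package is installed at a version below the fix."""
    installed = host.packages.get(adv.package)
    return installed is not None and installed < adv.fixed_version


def exposure_report(hosts: List[Host], adv: Advisory, today: date) -> Dict[str, int]:
    """Days each still-vulnerable host has sat inside the window between
    public disclosure and patching; this is the number to drive to zero."""
    days_open = max((today - adv.released).days, 0)
    return {h.name: days_open for h in hosts if is_vulnerable(h, adv)}


def plan_rollout(hosts: List[Host], adv: Advisory,
                 test_passed: Optional[bool]) -> Tuple[List[str], List[str], str]:
    """Decide which hosts get the patch now.

    The test ring is always eligible. Production is eligible only once the
    test ring has reported a pass for this advisory; a failure holds
    production until the patch (or the environment) is fixed.
    Returns (patch_now, held, reason).
    """
    exposed = [h for h in hosts if is_vulnerable(h, adv)]
    test_ring = [h.name for h in exposed if h.ring == "test"]
    prod_ring = [h.name for h in exposed if h.ring == "prod"]
    if test_passed is None:
        return test_ring, prod_ring, "awaiting test-ring result"
    if not test_passed:
        return [], prod_ring, "test ring reported breakage; patch held"
    return test_ring + prod_ring, [], "test ring passed"


# ---- constructed sample inventory (hypothetical names and versions) ----
ADVISORY = Advisory("ADV-0001", "appserver", parse_version("4.2.1"), date(2024, 3, 1))

HOSTS = [
    Host("test-web-01", "test", {"appserver": parse_version("4.2.0")}),
    Host("prod-web-01", "prod", {"appserver": parse_version("4.2.0")}),
    Host("prod-web-02", "prod", {"appserver": parse_version("4.2.1")}),  # already fixed
    Host("prod-db-01", "prod", {"dbengine": parse_version("12.4")}),    # not affected
]

if __name__ == "__main__":
    print("exposure:", exposure_report(HOSTS, ADVISORY, date(2024, 3, 31)))
    for result in (None, False, True):
        print("test_passed =", result, "->", plan_rollout(HOSTS, ADVISORY, result))
```

Feeding this the same inventory each day turns the article's advice into a measurable policy: the exposure report is the size of the window still open per host, and the planner refuses to touch production until the isolated test ring has signed off.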

Patch Management is Vital to Security

Software developers commonly issue patches to fix vulnerabilities in their software. Patch testing and deployment may seem like a low priority next to monitoring and incident handling; however, it is vital to organizational cybersecurity.

The deployment of a patch creates the necessary evil of notifying malicious actors of a potential vulnerability, and they commonly seize the opportunity to search for and exploit systems that have not yet applied it. By quickly testing and deploying patches, an organization can minimize the probability of a data breach or regulatory non-compliance due to unpatched software.


