AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

October 2016 - Posts

  • Cloud Services: Will It Be There When You Need It?

    How much should you (or can you) trust the cloud to be there when you need it? Last week, the top US internet sites went dark, on and off, for a couple of hours or so due to a historically unprecedented distributed denial of service (DDoS) attack. Over the past week, we've learnt that the assault was effected by millions of semi-smart devices, namely "internet of things" (IoT) devices such as webcams.
    The DDoS attack saw many top sites go down: Twitter, Amazon, Netflix, Spotify, Tumblr, Etsy, Pinterest, AirBnB, Reddit, Box, and many others, a veritable list of who's who on the web.
    As digital evidence is unearthed and collected, chatter has turned towards preventing future attacks. Applying an acceptable level of security on IoT, for example, is being suggested as part of the solution. But such a move will take time. In the meantime, one should be asking a different question: how often could we experience similar attacks while people are working on shoring up security? And what does this mean for a user of the cloud and its services?

    Mo' Traffic, Mo' Problems

    Remember how people had doubts about the cloud? That it wouldn't work… despite the fact that the cloud is nothing but finally crediting the underlying ways of the internet, so it was already "working"? Then it just grew and grew and grew – because, frankly, how could it not; the cloud is, at its core, servers connected to the internet with convenience baked right in – and now it's just embedded into people's lives. The fact that the world sat up and took notice of this latest attack drove the point home that the cloud is integral to our lives, more so than any financial or network statistics you may have seen.
    If you think about it, this is not the first time cloud services – or services that rely on the cloud – have been at the center of problems and controversy. But we have reached a point where limited access to the cloud significantly affects our jobs and lives. It's not just about being unable to binge on marathon sessions of your favorite shows on Netflix (if they have it in your geocode, that is).
    For example, many individuals and businesses make use of Dropbox and other cloud storage services. A DDoS attack on such companies that lasts for hours (dare I say days?) could be disastrous. What if the final draft of a contract was stored in that one Dropbox account, and couldn't be accessed in time for the deadline, for example?
    Inaccessibility for more than a few hours sounds impossible, but the government of Turkey unexpectedly blocked wholesale access to Dropbox as well as other cloud-based storage services. As far as I can tell, Turkey hasn't lifted the ban. We're talking confirmed weeks here, possibly months on end.
    Lack of access is not the only problem, though. It turns out that cloud services can be riddled with malware, or that sometimes things just don't work as they're supposed to. For example, one very established company has been inadvertently deleting Mac users' data because of a bug.

    Mo' Traffic, Mo' Problems 2

    It should also be noted that even without a crippling attack that slows down traffic to a trickle, companies like Dropbox have other worries. Earlier this year, Dropbox announced that 68 million usernames and passwords had been compromised years ago (the hack itself was made public in 2012, but the fact that the passwords were stolen was only discovered recently).
    At the heart of the data breach: a Dropbox engineer who had re-used a password.
    Clients who took comfort in the cloud storage company's security features must have been nonplussed. After all, this is a company whose services are frequently used by the business community because of the convenience and security it provides.
    The ability to add storage capacity as needed, when needed, combined with its accessibility – anywhere you can reach the cloud – would have been moot if Dropbox hadn't also encrypted each account's contents (that promise, of course, has courted controversy in the past). Remember, the iPhone and Android smartphones only began to replace Blackberries in the workplace en masse once acceptable security was featured on their devices.
    Customers thought that documents were safe thanks to the encryption used to secure each Dropbox account, yet that encryption could potentially have been undone by their own passwords.
    At the same time, it should be noted that nobody is immune from data breaches, not even the NSA and the CIA, arguably the experts in the field of data security. If they can't do it – with their billions of dollars in funding from the government, practically an uninterruptible financial stream – what are the chances of companies that have to raise the funding for their operations?
    (Incidentally, this is why it's a good idea to encrypt any sensitive files before uploading them into cloud storage, even if it's secured. Doing so takes care of a number of past and present criticisms that were directed at Dropbox's security practices and policies, including the unforeseen event of a senior engineer's password getting compromised.)

    Going Back to Basics

    Now that the cloud has become entrenched in our lives, cracks are beginning to show in its underpinnings.
    Most of these are expected, just like hairline fractures and some settling are expected in the foundations of mega-tall skyscrapers. Over the past couple of years, we've increasingly witnessed how information stored in the cloud is ripe for hacking. The cloud is an extension of the internet, which was conceived as an open medium of communication, befitting its origin in research and academia. Better security is being developed and deployed to secure the internet, with each scandal and data breach working as a further impetus.
    Security is for naught, however, if anyone can get the keys to the door, which is basically what happened at Dropbox (the whole lot of the 68 million creds can be freely downloaded, and at one point was being sold for no more than $1500). There is a limit to what Dropbox and other companies can do, though. One of the basic tenets of security is layering and distribution: don't leave all your keys in the same place, for example.
    If you're using cloud services (and rest assured that the word "if" will disappear as time marches on), it makes sense not only to use the provided security features, but also to use one that is under your – not the cloud service provider's – control. For cloud storage, it could very well be the use of a separate file encryption solution as well as proper data backups.

     

    Related Articles and Sites:

    https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
    https://www.troyhunt.com/the-dropbox-hack-is-real/
    https://techcrunch.com/2016/08/30/dropbox-employees-password-reuse-led-to-theft-of-60m-user-credentials/
    https://www.wired.com/2016/08/hack-brief-four-year-old-dropbox-hack-exposed-68-million-peoples-data/
     
  • California Accountants Hacked To File Fraudulent Tax Returns

    Time has shown that all types of businesses are targets for hacking. The big ones, because they have money. The small and medium-sized businesses, because they have money, although less of it than big enterprises. Stories of phishing or hacking into computers that host electronic banking activities have popped up in the news frequently.

    Here's a new twist: According to databreaches.net, a CPA firm in California has filed a data breach notice with the authorities, reporting that it was hacked and that fraudulent tax returns were filed for over 40 of its clients. There is some ambiguity surrounding the situation, as it could be read as (a) hackers stealing the CPA's client data and filing tax returns online, using the hackers' own computers or (b) hackers filing the returns using the CPA's own computers, which would be quite novel.

    The latter interpretation is quite far-fetched, I admit, because the former makes much more sense. Hackers tend to hit fast and exit a breached network even faster. On the other hand, hackers "lounging around" is not unheard of. Small businesses have run into problems because sizable wire transfers were initiated from their own computers (that is, hackers remotely operated these devices); the banks, in turn, accepted these transfers as legal transactions specifically because they came from a trusted computer.

    If I recall correctly, the IRS also accepts certain filings as non-fraudulent over others because they come from a trusted source such as a well-known tax preparation firm, for example. All the more reason for hackers to target such firms, especially small ones that usually don't spend as much on data security, if looking to avoid the IRS's scrutiny. With limited funds, it makes sense for an organization to focus less where the chances of fraud are low.

    The Weakest Link

    This case is a classic illustration of how the weakest link in the chain will be targeted when it comes to security. The IRS has taken quite a bit of flak in recent years because of its seeming inability to stop (or even significantly stem) fraudulent tax returns. Some experts blamed the IRS for not having enough security on its site. Others blamed the IRS's seeming lack of proper security checks in its operations.

    However, even if the IRS were to completely eliminate any security weaknesses, the above case shows that there are still other ways to successfully file fraudulent returns. For example, the hackers had access to the following data:

    [For individuals] this information may have included their name, gender, birth date, telephone number(s), address, social security number, all employment (W-2) information, 1099 information, direct deposit bank account information including account number and routing information (if provided to them), and supporting documentation including brokerage statements and other documents you may have provided to [the CPAs].
    Even if the IRS were to receive perfect marks when it comes to the technical aspects of data security, it would be unable to fight off fraud if criminals have access to detailed information that we normally associate with the true "owners" of said data. How is any organization supposed to tell apart the impostor from the real person if they can both present the same information?

    Small is not Secure

    Practicing data security at all levels is the only way to turn the tide. If you're a small business that deals with extremely sensitive information, it behooves you – by law as well as ethics – to ensure that your security is up to par. Some – nay, many – small businesses think that their relative size is protection, that it's the whales that get harpooned while they go unnoticed.

    However, being a small fish affords protection only if predators cannot find you; but in the world of business, if people can't find you, that's a death knell for your business. Are you listed anywhere on the internet? Is your business associated with certain keywords that reflect the industry you're in? Do you use any form of electronic communication that's known to be a vector for hacking, like email or using a browser for visiting a website? If the answers to these questions are "yes," then you're "harpoon-able" no matter what your size.

     

    Related Articles and Sites:

    https://www.databreaches.net/california-cpa-firm-hacked-to-file-fraudulent-returns/
    https://oag.ca.gov/ecrime/databreach/reports/sb24-63840