Month: June 2017
By: Brian Barrett for Wired Security
April 24, 2017
The pitch has plenty of appeal: Sign up for our service, and we’ll automatically unsubscribe you from all those pesky email lists. For free! Except, not quite; as it turns out, you end up paying in privacy.
That’s just one revelation from a bombshell New York Times look at Uber, which showed how Unroll.me, the service described above, scans the email accounts of its users for information as granular as Lyft receipts to anonymize, package, and sell on the lucrative data market. Unroll.me CEO Jojo Hedaya issued something like an apology, though he mostly seemed sorry that no one bothered to read the terms of service closely enough.
But while Unroll.me has taken plenty of well-deserved flack for the unexpected disclosure, it’s hardly the only service that taps into your Gmail, or your other Google services, or for that matter your Facebook account. You’ve probably given that access away freely, without even realizing it—or the full scope of its implications—in exchange for a little added convenience, whether that’s getting Bed Bath & Beyond’s digital marketers off your back, or simply using your Google account to sign in to a range of apps and sites across the internet.
Not all of these interactions and permissions are grody, or even all that objectionable. Your Withings App wants to tap into Google Fit? Sure, makes sense. Your email client needs Gmail access? Of course! Otherwise it would be a nothing client.
Often, though, the adage holds true: If it’s free, you’re the product. Or more specifically, your browsing habits and social graph are, both of which advertisers crave.
That makes now as good a time as any to audit who’s tapping into your Google and Facebook services, and for what reason. You may have other go-to services you want to check as well, but these two are both the biggest, and the most commonly used for OAuth, an open standard that lets you use those accounts as your sign-in across the web.
Fortunately, taking stock takes no time at all. Neither does clearing out unwelcome interactions. Here’s how.
To see what apps and services you’ve given Google permissions to, just head here. That’s where you’ll find Unroll.me, for instance, along with anywhere else that has asked for your info. You might be surprised by what you find! (A personal example: At some point, I apparently agreed to let Target know my email address, approximate age, preferred language, and basic account details. Whoops?)
Not every connected entity has the same level of privileges. To see what they can tap into, just click, and the view will expand for a helpfully detailed rundown.
You can’t adjust the level of access from here, but if you want to cut something out of your Google goodies altogether, just click Remove, and then OK when a pop-up asks you if you’re absolutely sure.
Confusingly, Google also lets you parse your Connected Accounts here. These are accounts you voluntarily linked to your Google account, like, say, if in a fit of optimism you linked your Google Plus and your Twitter so that all your Google Plus friends could read your tweets. There’s not likely to be much in there, but check it just in case.
The Facebook case isn’t quite the same as Google. But Facebook also integrates with all kinds of third parties, and if you’re auditing one you might as well take a look at the other. Especially given that, if anything, it’s even easier to purge. If you want to nuke any app, website, or plugin interactions with Facebook, just go to Settings, click Apps, then hit Edit under Apps, Websites and Plugins, and click Disable Platform.
For a more targeted strike, look at the top of that same Settings page and see what you’ve linked up with. Go ahead and ditch any you don’t use anymore, or don’t need Facebook to tap into. Also to be clear,
And while you’re at it, go to Apps Others Use, and click Edit, and clear out all of those categories, so that your info doesn’t get spread around just because your friends are still playing FarmVille for some reason.
There’s a whole other world of Facebook privacy settings to explore, but in terms of integrating your account with other services, this should about cover you.
Again, not all use cases are bad! It makes sense for your Fitbit to tap into your health data. And OAuth can be a genuine convenience that doesn’t necessarily mean that those companies use your data inappropriately. (WIRED, for instance, lets you log in with your Facebook account.) There are plenty of permissions you’ll want to keep in place.
Besides which, none of this stops Google and Facebook from using your info for highly targeted ads. But at least this way you’ll know who’s got their hooks into your accounts, and why. And, more importantly, you can kick them out.
Moving to Office 365 isn’t just a question of hardware and licensing costs. Experts say you should consider productivity and the costs of infrastructure support, as well.
by Ericka Chickowski
As Microsoft marches on with its cloud-first strategies, the momentum for Office 365 continues to pick up steam. According to estimates from cloud access security broker Skyhigh Networks Inc., the ratio of enterprise users active on Office 365 jumped from less than 7% to more than 22% between 2015 and 2016.
This remarkable growth is expected to continue on an upward trajectory — but, on the flip side, it’s still important to note that the majority of users remain on-premises with their productivity apps. The goal for Microsoft may be to move past that tipping point, where the majority of its users are on subscription licensing, but there’s a long way to go on the migration front for most organizations.
As Microsoft shops contemplate a migration to Office 365, they need to keep in mind that the total cost of ownership (TCO) of their productivity software is not just a function of hardware and software licensing. There are a number of cost considerations they should keep in mind to maximize savings and minimize pain.
In a recent blog entry, Michelle Ramirez, product marketing manager for the email and apps portfolio at Rackspace, explained that, “All too often, organizations view TCO through the narrow lens of hardware and software licensing costs. The common calculus usually includes a basic look at the cost of hardware and on-premises licenses, versus the predictable monthly costs of SaaS [software-as-a-service] offerings.”
Migration-related productivity disruptions
One of the big impediments to large-scale Office 365 migrations is the perceived difficulty with the process. It’s no wonder, considering that 44% of IT professionals experience the difficulty of a failed migration each year, and 43% have experienced some system downtime as a result, according to a survey by Vision Solutions. If organizations don’t plan their migrations well, this pain can translate into some very real — but often hidden — costs.
“While migrating data is easy, it typically surprises enterprise organizations that migrating people is difficult,” said AmyKelly Petruzzella, global marketing director at Binary Tree Inc. “There is a huge amount of manual effort to perform a migration to Office 365. Many of these projects have delays, downtime, and overrun their schedule and budget.”
Petruzzella warns that the financial impacts of migration problems for a 5,000-user migration can stack up quickly. Binary Tree estimates that just an hour of downtime in this scenario can average to more than $116,000 in losses. A single week of delay due to unexpected problems could equal anywhere between $20,000 and $40,000 in remediation cost overruns.
Cost of supporting infrastructure improvements
It is important to remember that users have a level of performance expectation based on software served up locally from on-premises systems. If organizations want to avoid costly productivity problems during and after an Office 365 migration, they’ll need to plan accordingly, with appropriate infrastructure upgrades to support a high-performing cloud-hosted software service. This may require infrastructure and internet service provider investments that will affect a migration’s TCO.
One big pitfall is going into a migration with insufficient bandwidth, or bandwidth that is metered, said William Warren, owner of Emmanuel Technology Consulting.
“Cloud-connected apps require a high speed [and] generous amounts of bandwidth,” he said. “Also, if you want to go cloud-based, you need more than one stable connection to guard against internet outages.”
According to Skyhigh, more than 90% of enterprise organizations had migrated at least 100 users over to Office 365 by last year. Clearly, most organizations are dipping their toes in the water before moving to any kind of wide-scale adoption. For many, the long-term strategy will be to gradually cut over users to the SaaS model through a staged hybrid approach. But that could add costs to the equation, as well, from both a tech support and licensing perspective.
“Even after you move some systems, you might continue to also rely on a hybrid landscape,” Petruzzella said. “This means that your IT team must be experts in both old and new. Rarely does this level of unique expertise exist in-house.”
As a result, organizations will either need to hire talent to fill in the gaps or bring in a service provider to help them during the long-term transformation.
Meanwhile, there are also considerations on the licensing front. Years ago, Microsoft introduced the Client Access License (CAL) Bridge option to help organizations with enterprise agreements for perpetual licenses gradually transition users to Office 365. CAL Bridge gives them access to perpetual license workloads. Organizations need to keep in mind that, a little over 18 months ago, Microsoft changed the terms of CAL Bridge to a per-user subscription model. Any new growth in users can’t be done through perpetual licensing, but can be through Office 365.
Preparation is your best defense
The experts generally agree that the key to a successful and cost-effective migration to Office 365 is preparation.
“Before any kind of migration, a full hardware, software and workflow assessment must be performed,” Warren said. “Otherwise, you are just winging it, and this leads, invariably, to delays, problems and cost overruns.”
Having the right tools can make all the difference. Office 365 through Integrated Technology Group provides you with cloud-based access to all of your favorite Microsoft Office applications on a pay-as-you-go basis. For a low monthly fee, you can have Office 365 installed on up to five devices per user, giving you the latest versions of popular Microsoft tools like Outlook, Word, PowerPoint, Excel and more.
Work together • Communicate in real time using Skype for Business. Collaborate on documents with SharePoint and use OneDrive for Business to make them available wherever you are. You can also hold face-to-face meetings in HD and from your mobile devices, sharing OneNote documents and attachments with ease.
Work smarter • Manage all of your Office 365 services from a single sign-on console that shows the current health of related services. Add users, manage groups and get maintenance reminders and notices. You can also add security to all mobile devices and protect company data by remotely wiping devices and requiring additional I.D. verification.
Cyber-attacks have been around for as long as there have been networks.
The Internet was developed to provide an alternative should conventional communications networks in the United States come under attack. The first computer worm was released in 1988 and shut down 10 percent of computers connected to the Internet. The earliest attacks went unnoticed because before the mid-‘90s, the Internet was primarily used by academia and connected mainframes. It wasn’t until 1995 that a virus, specifically attacking Microsoft Word documents, was released. And it wasn’t for another seven years that Bill Gates announced he would secure Windows.
Until fairly recently, attacks were perpetrated by loosely organized hackers and consisted of worms, viruses, and spy/malware. Many of the attacks were exercises in system access, data destruction, altering email systems, or installing relatively harmless spyware programs. Today, cyber criminals have become more organized and more sophisticated, utilizing advanced network threats such as ransomware and custom malware, making defending your sensitive data a daunting task.
Additionally, if your business accepts, stores or transmits payment card data, Payment Card Industry Data Security Standard (PCI DSS) compliance validation is required by card brands such as Visa, MasterCard and Discover, making the defense of your data even more daunting. PCI DSS compliance is designed to protect businesses and their customers against payment card theft and fraud.
On May 12, WannaCrypt, also known as WannaCry, was used in a very large cyber-attack that affected over 150 countries. Victims were told they could free their machines by paying the equivalent of US $300 in Bitcoin. The ransomware threatened to delete the infected files within seven days if no payment was made. Since then, the situation has been stabilized and the feared second wave of attacks has failed to happen.
The attack was contained by Marcus Hutchins, also known as MalwareTech, who registered a domain name to track the virus, which then stopped it from spreading. Since the malware relied on making requests to that domain and only ransomed the system when the connection wasn’t made, registering the domain essentially stopped the ransomware from spreading further.
This sinkholing of the malware has stopped the rate of infection, though Hutchins warns that it may be only a temporary fix.
How does WannaCrypt spread?
The ransomware spreads through a vulnerability in the Server Message Block (SMB) protocol on Windows systems. The creators of WannaCrypt used the EternalBlue exploit and the DoublePulsar backdoor to gain entry into Windows systems.
Additionally, the malware was also spread through social engineering emails that tricked users into running the malware, which then activated the worm-spreading functionality that uses the SMB exploit. The malware itself was delivered in an infected Microsoft Word file attached to the email.
Who is affected?
Organizations that run Windows systems and have not yet applied the patch for this vulnerability remain exposed to this attack.
Over 230,000 computers in 150 countries were crippled worldwide. Healthcare organizations in particular were affected by this ransomware, including many National Health Service hospitals in England.
What should your company do to protect your network from these security threats and maintain compliance?
- Remember that as soon as the better mousetrap is built, the mouse will find other ways to get your cheese so it’s imperative to partner with a network security company, like Integrated Technology Group (ITG), that will continuously scan your networks to check for vulnerabilities.
- Always keep in mind that as long as there is data, there will be people trying to steal it, so if you have a Windows system, update it as soon as possible and stop using older versions of Windows right away!
- If you have been attacked, experts advise that you don’t pay the ransom, since there is no guarantee that the hackers can even decrypt the encrypted files after receiving the ransom payment. It’s important to know that this attack likely won’t be the last one of its kind, because this strain of ransomware, released last month, is expected to spawn copycat attacks.
Integrated Technology Group offers affordable Corporate Network Security scans that will identify an organization’s infrastructure vulnerabilities, which may lead to a ransomware attack like WannaCrypt. If you would like to learn more about the several preventative security services ITG has to offer please contact a representative at firstname.lastname@example.org.
Steve Snelgrove (CISSP), Security Analyst at SecurityMetrics; Rich Hummel, CCNA, CCNAW, CCSI; and SonicWall, Inc.