888.4.NATNET
Facebook Twitter LinkIn Blog Instagram YouTube Google Plus
09
Sep
2015

Chrysler & The FDA May Be Charting A New Path Toward Secure Data Updates

by Bill

Now that we live in a world where nearly every inanimate object is a computer of some kind and is interconnected with a nearly limitless number of other devices, safety and security is becoming increasingly important with tangible things the way most people think of digital devices. Now IT experts are also becoming increasingly concerned about the way companies fix hacks when they are discovered.

Six weeks ago hackers found vulnerabilities in a 2014 Jeep Cherokee that allowed them to remotely control its transmission and brakes. Chrysler responded by creating a patch to fix the epic exploit.  However, they distributed the patch by sending out more than one million USB thumb drives via the postal mail to drivers.

Aside from the long standing warnings of security professionals to never plug USB sticks sent via the mail into any device (because it’s far too easy for someone to send out malicious software that way as part of a malware campaign); the method also opens up the obvious possibility that someone who moved or is tech-averse will fail to update their car and will end up in potential life-threatening peril as a result or Chrysler’s new DIY approach to recalls.

A major reason for this rollout is that these cars could not be updated wirelessly by any sort of push messaging sent from Chrysler. Cars from Tesla for example routinely get service updates automatically and wirelessly. However that begs for questions about the level of encryption and security sophistication Tesla or others will be using to prevent third parties from tampering with cars. In some cases it may be greed based things like a way to unlock the doors from a mobile app used by thieves, malicious goals like disabling brakes or any other reason a crackpot might come up with the alter the way your car is intended to function.

The key lesson here is that any company creating a product or service for the modern world needs to be thinking ahead to pre-plan a safe, secure and fool-proof method of updating that product if or when it needs to be corrected in some way. The federal FDA recently launched a new set of UDI Compliance regulations that will cost the medical industry millions of dollars, for the sake of better controlling, tracking and monitoring medical devices when recalls or other alternations are needed. Companies like www.UDIcompliancesolutions.com specialize in handling those extensive filing requirements and this sort of misstep by Chrysler may lead to a similar set of mandates from the state operated Department of Motor Vehicles soon.

These days it’s not good enough to make a great product or to fix one that has a security flaw, companies are now expected to fix hacks immediately, securely and seamlessly without opening up any new opportunities for the hackers and griefers that continue to challenge the pace of progress.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
31
Aug
2015

Cyberwars May Soon Lead to Sanction Wars Between The USA and China

by Bill

According to a new report from the Washington Post, the Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals that benefit from ‘cybertheft’ of valuable U.S. trade secrets. Some rumors suggest the new sanctions may even become public sometime in the next couple weeks, just in time for an important visit from President Xi Jinping of China who is scheduled to arrive next month in Washington for the first state visit of his Presidency.

Officials have said that Chinese hackers may have stolen everything from nuclear power plant designs to search engine source code and confidential negotiating positions of energy companies throughout their sustained and effective campaign of cyber-warfare. A set of sanctions would be a significant increase in the intensity of the American administration’s public response to cyber espionage and economic theft that is routinely committed by Chinese hackers that are understood to be performing these tasks with authorization of their government.

If enacted, these new cyber-sanctions would mark the first use of the executive that established the authority to freeze financial and property assets of, and bar commercial transactions with, individuals and entities overseas who engage in destructive attacks or commercial espionage in cyberspaceorder which President Obama signed by President Obama in April of 2015.

A senior administration official told the Washington Post “As the president said when signing the executive order enabling the use of economic sanctions against malicious cyber actors, the administration is pursuing a comprehensive strategy to confront such actors. That strategy includes diplomatic engagement, trade policy tools, law enforcement mechanisms, and imposing sanctions on individuals or entities that engage in certain significant, malicious cyber-enabled activities. The administration has taken and continues to introduce steps to protect our networks and our citizens in cyberspace, and we are assessing all of our options to respond to these threats in a manner and timeframe of our choosing.”

Last month, the FBI said that on a global level, economic espionage cases surged 53% in the past year, and that China accounted for most of that – so the motivation for sanctions is clear, but the reactions possible still make enacting any new sanctions a difficult move at best.

If sanctions are imposed, “I’d say the chances of Chinese retaliation are high,” said Jeffrey A. Bader, Obama’s principal adviser on Asia from 2009 to 2011. But, he also added that “if a Chinese company was a beneficiary of stolen intellectual property from an American company, and the evidence is clear cut, then actions or sanctions against that Chinese company strike me as appropriate.”

With the Chinese economy faltering and so much US Debt in the hands of Chinese investors, the complexity of international relations, timing of these events and massive stakes on the line are creating a political challenge of monumental significance. It is also starting to show that the eventual solution to piracy and cyber security concerns is likely to be as political or legislative as technological.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
21
Aug
2015

Data Security Continues to Emerge As A Leading Consumer Trigger Point

by Bill

As the Internet and cloud computing become nearly ubiquitous, so do recent strains of data security malfeasance and intrusions by unscrupulous hackers. These days, data security is quickly becoming a make or break element of any online sales pitch, recurring revenue stream and more.

In just the last few months alone we have seen widely reported stories of: Lifelock being investigated by the Federal Trade Commission for failing to put proper data security protocols in place, a massive data hack of the Office of Personnel Management that may have included the personal information from as many as 18 million people, and a hack of Ashley Madison (a website advertising itself as a place to find an affair online) that may include as many as 30 Million user profiles.

Given the widespread loss of private data, in conjunction with recent credit card data hacks that have impacted the security of large retailers like Target and HomeDepot along with the government sponsored privacy intrusions made public by Edward Snowden – having any level of data privacy is becoming an increasingly significant concern for many consumers.

A recent Pew Internet report found that: “93% of adults say that being in control of who can get information about them is important; 74% feel this is “very important,” while 19% say it is “somewhat important. 90% say that controlling what information is collected about them is important—65% think it is “very important” and 25% say it is “somewhat important. At the same time, Americans also value having the ability to share confidential matters with another trusted person. Nine-in-ten (93%) adults say this ability is important to them, with 72% saying it is “very important” and 21% saying it is “somewhat important.”

In the face of so much proof that data is currently hackable, even when backed by government agencies, huge corporations, million dollar guarantees or mega-corporation IT departments – it becomes increasingly clear that consumer experience will either need to change the expectations of the marketplace, or will have a negative impact on the bottom line of many companies both online and offline as well.

Some have argued for harsher penalties against hackers, others dream of instituting new protocols that are harder to hack, and some seem resigned to the notion that the public should simple accept the fact that modern world conveniences come with an inherent loss of data security. The most likely outcome will be some combination of all three premises, with a long period of transition along the way toward any meaningful resolution.

In the meantime, companies are already taking smart steps to market their brands by adding trust seals from companies like WebsiteSecure.org, TrustE and Verisign. While adding highly visible support with live chat windows, toll free call centers and more. Now more than ever, showing your customers that their security matters to you and that you are doing all you can, even though it is confined within the limits of what is possible, is an essential part of maximizing your revenue and their satisfaction.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
13
Aug
2015

Attackers Hijacking Critical Cisco Network Gear?

by Bill

Cisco Systems is now officially warning customers about attacks that have hijacked critical networking gear by swapping out the valid ROMMON firmware image with a maliciously altered version using valid administrator credentials. The fact that the attackers use valid administrator credentials indicates that the attacks are being done by insiders or hackers who have obtained the necessary passwords required to update or change Cisco hardware.

ROMMON is the ROM Monitor, used for booting Cisco’s operating system, and it is frequently used by SysAdmins to configure tasks, recover lost passwords, download software, and alter the router settings and more.

The CISCO advisory states: “In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”

So, while the IT industry is buzzing over this news, in reality no product vulnerability is being used because an attacker requires valid admin credentials or physical access to the system. That essentially means that the attacker could just as easily bring these systems to their knees by pouring hot pots of coffee over the active servers or deleting all files on them because they are doing these things after gaining access via stolen passwords or physical intrusions.

For that reason, we view this news as a useful reminder of the importance of maintaining password security and properly securing all sensitive IT gear from intrusion. National Net continues to utilize state of the art password encryption methods and security best practices to limit access to all servers under our supervision to only those people who should have access, and to limit the access of each person with access to include only the functionality their tasks require. At the end of the day, server security is as much about not spilling coffee on your hardware or handing out your passwords as it is about updating firmware and heeding Cisco warnings.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
10
Aug
2015

Security Tips All 67 Million Windows 10 Users Should Know

by Bill

Windows 10Windows 10 is quickly becoming one of the most ubiquitous operating systems in computing history with 67 Million users and counting already. The OS has some privacy and user tracking functions that some security experts are concerned about and Wired Magazine recently did a feature article on the important settings changes all Windows 10 users ought to consider making immediately.

Hit Start, find Settings and then click Privacy. From the Privacy menu you can control the way your computer uses information from your location, microphone, camera, etc. You can also choose to set the Feedback & Diagnostics system to “never” and the Diagnostic and Usage Data to “basic.” Doing this will helps prevent Microsoft from gathering some information about you, though it is not yet entirely clear exactly which information is saved or discarded.

The Edge web browser included in Windows 10 sends your entire Internet browsing history to Microsoft. This is done to “help Cortana personalize your experience” according to Microsoft. To disable this feature: click on the ellipsis button in the top right corner of Edge, then go to Settings > Advanced Settings > View Advanced Settings, and in the Privacy and Services section turn off Have Cortana Assist Me in Microsoft Edge.

Another potential privacy trap is that Windows 10 prompts you by default to create a Microsoft Account. By opting not to create an account you can keep your activity and information local on your computer. Having an account creates a constant link for Microsoft to use while piecing your metadata together as it gathers it all back to assemble an image of your digital identity.

As operating systems and other software become increasingly complex and intrusive, many users are willing to give up a great deal of privacy for the many conveniences that these new services enable. Whether you choose to be open or closed to those services is all up to you, but Microsoft and others should definitely do a much better job of ensuring that the choices you make are fully informed decisions rather than breeze-through accidental or unknowing checkbox clicks that many consumers hardly notice along the way during installations or upgrades.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
30
Jul
2015

Hubris Doesn’t Make You Immune From Being Hacked

by Bill

National Net works diligently day and night to provide our collocation and dedicated server clients with the highest level of data security possible. We upgrade hardware, update software, follow industry best practices and uses more than a decade of experience to build what we believe is the most secure environment our clients can get anywhere online. However, it is vitally important to avoid resting on your laurels or allowing hubris to creep in, because doing so is often the precursor to being hacked.

Some mistakenly believe that a system can be built in a completely hack-proof way. Time and again, even the largest and most significant data stores have proven to be hackable by third-party programmers wearing either white or black hats. Recently the federal government suffered one of the most severe data losses in history, which may have included information about active US spies and covert resources. The result was that OPM Director Katherine Archuleta resigned since it happened on her watch, but that won’t make their system any more impervious to cyber-assault.

Home Depot, Target, Banks and too many other brands to mention have had credit card data stolen or other information illegally accessed by external hackers at some point in their history. Most recently, LifeLock (a company whose entire brand is built on the notion that they can secure personal information from theft) has become the target of a 2nd set of FTC allegations after paying millions of dollars in a settlement from their first go-round with Federal Trade Commission overseers.

The lesson to take from this is simple. Your data is only safe until it is not safe any longer. As a top tier hosting company we take thousands of steps each day to secure data to the limit of human and machine capability. Smart site owners also maintain backups, monitor their digital properties daily and take additional precautions when possible to keep their data safe.  There is always more to do, and always more than can be done. However, if you ever here an IT guy tell you that he can keep your 100% safe absolutely guaranteed, it’s important to remember he is either speaking from a prideful point of view or an inexperienced one.

Sensitive data should only be stored online in the most minimal way possible. Software patches and security updates should be carried out immediately. While it may feel good to sit back, relax and pretend you areunhackable, it feels even better to remain vigilant and actually not be hacked.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
21
Jul
2015

Keybase May Offer Real Cloud File Encryption With Casual User Simplicity

by Bill

Among the vast majority of Internet users, the most common way to distribute files is via email attachments. A method that is well-known for being among the simplest for nefarious third parties to hack, or for government agencies to sniff. A growing segment of the population has started using file dump services like Dropbox to handle larger files, due to their simplicity and ease of use. Now, Keybase, a company created by OK Cupid founders Chris Coyne and Max Krohn is making a serious attempt to offer a Dropbox alternative that includes built-in file encryption for every file and user the system handles.

Backed by $10.8 million in VC funding that was led by esteemed tech financiers Andreessen Horowitz, Keybase focuses on public-key encryption and seeks to solve the problem of finding the public key for someone you want to send a message to by utilizing social media and other external authentication methods including a central repository of public keys.

“[Encryption] shouldn’t be something only a hacker can do,” said Krohn in a recent interview. “It should be something that anyone using a workstation in their daily lives should be able to use effectively. You shouldn’t have to understand crypto in order to use these products.”

The Keybase plan provides end to end encryption, meaning that there would not be an entry point for sniffers or hackers, and the company’s software will invisibly encrypt all the data you store in it so even Keybase won’t be able to read it. That is a crucial part of any encryption method in a post Patriot Act world, because any company that can access your data can also be compelled to provide access to that data for any number of government snoops as well.

Keybase intends to use the well-respected open source encryption system NaCl and welcomes audits by software security firms that intend to find and notify the public of any potential risks or backdoors, and Keybase is not alone in this endeavor. Others including Boxcryptor and SpiderOak aim to offer their own versions of cloud-encrypted file sharing services for the ordinary consumer.

The one remaining question is whether or not Keybase can simplify the process down to a level comparable to attaching a file to an email. Consumers have already shown time and again that they value their convenience more than their security, often even when confronted with the dangers of doing things the ‘easy’ way – now it falls on the shoulders of tech startups to make being secure just as convenient as the outdated methods of data transfer billions of people have already become accustomed to using.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
15
Jul
2015

Real Cyber-Security Requires A Calm Properly Measured Approach

by Bill


Today there distinct failures of major computer systems set off an unduly large number of alarm bells because of opportunists and conspiracy theorists who tried to use the glitches as a rallying cry for unrelated causes.

For many outside the IT world it may have gone somewhat unnoticed that three major system failures happened today within the span of a few hours. The entire United Airlines flight schedule was grounded, the New York Stock Exchange temporarily halted all trading, and the Wall Street Journal website was down for a significant part of the day.

While these outages are undoubtedly a source of considerable inconvenience, and may even result in significant monetary losses by entities involved in each – there was no evidence, and continues to be no evidence, that they were interrelated or caused by cyberattacks of any kind.

Still, Senator Bill Nelson [D-FL] took to his Twitter account to suggest prematurely that the incidents might be some kind of ‘attack’ and used that self-initiated viewpoint as grounds to promote a Cyber-security bill that many have IT experts agree remains seriously flawed.

In fact, United Airlines has said the problem was “an automation issue”,  The New York Stock Exchange tweeted that it halted trading due to an internal technical issue that “is not the result of a cyberattack” and zero evidence has surfaced about any possible coordinated cyber-attack or other cause for alarm.

During service interruptions and periods of technological frustration, it is essential to remain calm – to identify real causes of any outage and to find solutions that remedy the matter quickly while also putting safeguards in place to prevent any recurrence of downtime. As a leader in collocation and fully managed hosting services, NationalNet understands and appreciates all the hard work these three IT teams did while restoring service and asks everyone, Senators and citizens alike, to refrain from engaging in hyperbole or conjecture during moments of uncertainty when answers need to be the focus and guesses or accusations should be set aside entirely.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
07
Jul
2015

ProxyHam Uses A Radio Connection To Add A Physical Layer of Obfuscation To IP Addresses

by Bill

The high stakes game of cat and mouse that continues to unfold among snoops and privacy conscious communities just became even more interesting with the upcoming release of ProxyHam.  At the August DefCon hacker conference in Las Vegas, a developer is scheduled to debut a device that includes a “hardware proxy” using a radio connection to create a physical layer of obfuscation that makes it all but impossible to determine a user’s actual location.

ProxyHam is an open-source device, that the developer, Ben Caudill

Reportedly built for less than $200.00. The box connects to any nearby Wi-Fi and relays the Internet connection of a user over a 900 Megaherz radio connection to a computer (with an intended range of 2.5 miles). If the device works as advertised, it would create a scenario where even after investigators have fully traced the internet connection of a target, they would find only the ProxyHam box and not the location of the intended target.

Caudill works as a researcher for the consultancy group Rhino Security Labs, told Wired magazine that “the problem with Wi-Fi as a protocol is that you can’t get the range you need. If the FBI kicks down the door, it may not be my door, but it’ll be so close they can hear me breathe. [ProxyHam] gives you all the benefits of being able to be at a Starbucks or some other remote location, but without physically being there.”

The beta of ProxyHam that will be sold at DefCon will be very basic, but future models already in development will also include accelerometers designed to warn its owner if the device is moved from its hiding place, or may even include a microphone and other detection hardware according to Caudill.

Why would the creation of this kind of device be good thing? Caudill intends ProxyHam to protect the most sensitive targets on the Internet. “Journalists and dissidents in Arab Spring countries, for instance…these people have very high security requirements,” Caudill says. “This is that last-ditch effort to remain anonymous and keep yourself safe.” However, opponents are already pointing out the kind of catastrophes that a working ProxyHam might cause as unintended consequences when used by people with less noble goals.

As with any technological advancement, the good and bad are determined by the intent of the user – but as we are seeing with the contemplation of devices like this one, the battle over Privacy may accelerate the intensity of good and bad outcomes alike.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
29
Jun
2015

Google Plans To Turn Payphones Into Wi-Fi Hotspots Globally With Intersection

by Bill

Google Co-Founder Larry Page announced that Google is launching a new startup named Sidewalk Labs by acquiring two companies behind the recent New York City LinkNYC initiative. The initiative is designed to convert old pay phones into free public Wi-Fi hubs. Immediately after acquiring both companies, Google merged them into one entity with a singular purpose. To bring Wi-Fi to everyone, everywhere, for free, by utilizing existing infrastructure points in cities, nationally and eventually globally.

Control Group was providing the interface of the new hubs, while Titan was overseeing the advertising and marketing that pay for the project. Now under the same Google flag, the new venture is named Intersection and will begin to utilize everything from pay phones to bus stops as it’s underlying technology base.

“The vision really is to make cities connected places where you can walk down any street and have access to free ultra high speed Wi-Fi,” said Dan Doctoroff, the former CEO of Bloomberg and former deputy mayor of New York City, who now heads up Sidewalk Labs. “The possibilities from there are just endless.”

Right now in the United States roughly 55 million people don’t have access to high-speed broadband according to FCC reports. Many are in rural areas not yet targeted by Intersection, but once the main population hubs and major cities are sorted out it would be a logical next phase to work outward toward more rural areas as well.

“We think a lot about equity, and here we have a project that’s going to bring connectivity to people for free and fulfill the needs of government to generate revenues,” Doctoroff said. “That’s one of the beauties of doing something in New York first,” he says. “What happens here is seen everywhere.”

As mobile device proliferation and market penetration continues to expand each year, the necessary connectivity has lagged behind in many places as for-profit entities continue to find ways to block municipal Wi-Fi efforts and other attempts to make the world an ‘always on’ environment. Google has a lot to gain by having everyone connected all the time, and Intersection is another step toward that goal.

Share and Enjoy
  • Print
  • Facebook
  • Twitter
  • Add to favorites
  • RSS
  • Google Bookmarks
  • Technorati
  • Yahoo! Buzz
NationalNet, Inc., Internet - Web Hosting, Marietta, GA
Apache Linux MySQL Cisco CPanel Intel Wowza