That cloud may be darker than you expect.

With “cloud computing” the hot word in today’s tech circles, it pays to look at what others have encountered and the end results after the coolness factor has worn off.

In all but the smallest of IT departments, moving to the cloud for real-world workloads simply costs more than purchasing the hardware in-house and allowing it to depreciate over time. While the upfront costs may be lower, the total ownership costs over time may be many times what they could have been.

Please contact us before you take that dive!

Read the story below for more insight.

Why Some Startups Say the Cloud Is a Waste of Money

 

Big-name sites hit by rash of malicious ads spreading crypto ransomware


Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when “Angler,” a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave’s SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

“If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,” SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. “Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble.”

Update: According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend, almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexus, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[.]biz and talk915[.]pw.

The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.

Other domain names being used in the current campaign include evangmedia[.]com and shangjiamedia[.]com. The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word “media” to capitalize on the reputation they may enjoy as a legitimate address.
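
A defender-side check built on the pattern described above (a lapsed domain re-registered a day before it began serving ads), as an added example that is not from the original article or the researchers it cites: it derives first-seen dates from proxy logs and compares them with WHOIS registration dates. The log lines, WHOIS records, `.example` domains, the year, the 30-day window and all function names are constructed assumptions; the first record mirrors the January 1 / March 6 timeline reported for brentsmedia[.]com.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed sample data: proxy log lines (UTC timestamp, URL fetched for an ad slot).
PROXY_LOG = """\
2016-03-07T09:14:02Z https://ads.oldbrand-media.example/banner.json
2016-03-07T09:14:03Z https://cdn.longtime-adnet.example/creative/300x250.js
2016-03-08T11:40:17Z https://static.oldbrand-media.example/frame.html
2016-03-08T11:41:00Z https://img.fresh-widgets.example/pixel.gif
"""

# Constructed WHOIS facts per registrable domain:
# (creation date of the current registration, date an earlier registration lapsed or None).
WHOIS = {
    "oldbrand-media.example": (date(2016, 3, 6), date(2016, 1, 1)),
    "longtime-adnet.example": (date(2009, 5, 20), None),
    "fresh-widgets.example": (date(2016, 2, 25), None),
}


@dataclass(frozen=True)
class Finding:
    domain: str
    first_seen: date
    age_days: int | None   # None when no WHOIS record was available
    reregistered: bool     # current registration began after an earlier one lapsed
    keyword_hit: bool      # name contains the keyword the researchers noted ("media")
    severity: str          # "high", "medium", "no-whois" or "ok"


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def first_seen(log_text: str) -> dict[str, date]:
    """Earliest date each registrable domain appears in the log; malformed lines are skipped."""
    seen: dict[str, date] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        host = urlsplit(parts[1]).hostname
        if not host:
            continue
        dom = registrable_domain(host)
        if dom not in seen or day < seen[dom]:
            seen[dom] = day
    return seen


def assess(domain: str, seen_on: date, whois: dict,
           max_age_days: int = 30, keyword: str = "media") -> Finding:
    """Score one domain by how young its registration was when it first served content."""
    keyword_hit = keyword in domain.split(".")[0]
    record = whois.get(domain)
    if record is None:
        # Without registration data the domain cannot be cleared, so surface it.
        return Finding(domain, seen_on, None, False, keyword_hit, "no-whois")
    created, previous_expiry = record
    age = (seen_on - created).days
    # A negative age means the log predates the current registration; not scored here.
    young = 0 <= age <= max_age_days
    reregistered = previous_expiry is not None and created > previous_expiry
    if young and reregistered:
        severity = "high"      # dropped domain picked up just before it went live
    elif young:
        severity = "medium"    # newly registered, no known earlier owner
    else:
        severity = "ok"
    return Finding(domain, seen_on, age, reregistered, keyword_hit, severity)


def flag_domains(log_text: str, whois: dict, max_age_days: int = 30) -> dict[str, Finding]:
    """Return findings for every logged domain whose severity is not "ok"."""
    findings = {}
    for dom, day in first_seen(log_text).items():
        finding = assess(dom, day, whois, max_age_days)
        if finding.severity != "ok":
            findings[dom] = finding
    return findings


if __name__ == "__main__":
    for f in flag_domains(PROXY_LOG, WHOIS).values():
        print(f.severity, f.domain, f.age_days, f.reregistered, f.keyword_hit)
```

The keyword match is reported but does not change the severity, since the “media” pattern is the researchers' speculation rather than a confirmed selection rule.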

The campaign underscores the vital role that smart browsing plays in staying secure online. One of the most important things users can do is to decrease what researchers refer to as their “attack surface.” That means uninstalling things like Adobe Flash, Oracle Java, Microsoft Silverlight, and other third-party browser extensions unless absolutely required. The other crucial ingredient in safe browsing is installing updates as soon as they become available and using the 64-bit version of Chrome for browsing when possible. Windows users would also do well to install Windows 10 and use Microsoft’s Enhanced Mitigation Experience Toolkit.

The posts didn’t elaborate on the crypto ransomware being spread in the campaigns, except for the mention by SpiderLabs that it included TeslaCrypt, which so far is known to infect only Windows computers. With last week’s discovery of Mac-based ransomware, users of all computing platforms should take the threat seriously.

Why Nobody Should Ever Search The Ashley Madison Data


1. Your Computer Will Almost Certainly Get Infected With A Virus If You Do

This is an unfortunate, but true, fact. Most websites purporting to have the Ashley Madison data available for download or search are in fact fakes set up by cyber criminals. Even clicking through to such a site from a Google search is nearly certain to infect your computer with serious malware that could harvest your bank account codes, credit card details and all your personal data, download masses of offensive pornography onto your machine without your knowledge, use it for illegal peer-to-peer sharing of pirated files and plunge you into a lifelong identity-theft nightmare. For this reason alone it is extremely unwise even to go looking for the Ashley Madison data.

2. Just Searching The Data Could Add Your Name To An Online List Of Likely Ashley Madison Users

It sounds crazy, but it’s true. Large numbers of unscrupulous companies are offering webpages or sites which purportedly allow you to search through what they say is the leaked Ashley Madison data. But they themselves will log your details as you use their service, and put these details on a list, which of course can then in turn appear on the internet.

This would then inevitably lead people seeing you on that list to assume you were checking whether your details were on Ashley Madison, and to assume you have a guilty conscience. Even if a search service appears to take no personal details from you, it will almost certainly be logging your “IP address” and placing “cookies” on your computer. This will inevitably reveal you to the world as a guilty Ashley Madison user even if you had never even heard of the website before the recent media firestorm.

Be safe – be sure – simply don’t even click on any site or service that claims to allow access to the Ashley Madison data.

3. The Mere Fact That Someone’s Details Are In The Ashley Madison Data Means Absolutely Nothing At All

The fact of the matter is that the vast majority of people whose details were held by Ashley Madison had absolutely no intention whatever of having any sort of illicit affair. Many profiles were created using people’s details – for instance their names, photographs nude and/or dressed, email addresses etc – without their knowledge by other persons for a huge variety of reasons.

These things are easily harvested from the internet. Even where someone’s credit card details are found in the Ashley Madison data, in almost all cases those card numbers will have been stolen by criminals – perhaps by hacking a completely legitimate online store or other website – and used fraudulently without the owner’s knowledge.

Even where this has not occurred and someone appears to have really registered with the site of their own volition, again this means nothing. Most Ashley Madison users were motivated by innocent curiosity: and in many cases they may have had no interest in having an affair but instead bona-fide work reasons to be registered with the site.

This is especially true of professional journalists, the great majority of whom were registered with the site in order to do essential research into prospective articles on web security, lifestyle features or literally dozens of other valid journalism areas.

It’s important to be aware that such articles often take a long time to prepare, or may be rejected by editors, or for many other journalism reasons will probably not have actually been published prior to the Ashley Madison hack – but nonetheless a good deal of valid work-related research will normally have been carried out on the site.

4. It Is Morally Wrong To Even Look At The Ashley Madison Data. If You Have Looked At It You Are The Truly Evil One – Far Worse Than An Adulterer – And Nobody Should Or Will Care What You Say Or Think

Here’s another hard, cold fact for all the judgemental Victorian moralistic prudes out there. Yes, a minority of Ashley Madison users do appear to have made use of the site to have sex outside their marriages or life partnerships. But the vast majority of this small minority were in fact totally justified in doing that.

Online comments all over the internet from such people prove conclusively that almost every single one of them was with a partner who was totally unwilling or unable to have any sex with them ever, despite every possible exertion by the AM user. Very often this was because of a serious and unforeseen medical condition (such as pregnancy or frigidity, for instance).

The huge majority of such AM users had been clearly and explicitly offered free permission by their spouses or partners to have sex outside the relationship. Almost without exception their testimony reveals that they have selflessly gone to great lengths to make sure that they did not contract a venereal disease from other AM users, even though they were not getting any sex whatsoever from their partners and therefore could not infect them, and nobody involved ever had more than one or two sexual partners who were for their part also in loving but open relationships.

Perhaps in a few cases some AM users may not have had permission from their spouses to play away, or their spouses may not have fully realised that they had implicitly, but nonetheless quite clearly, granted such permission.

But is it fair to selfishly deny a person sex? No. It is not, people have a right to have sex and if their spouses totally or somewhat-totally deny them that, they have every right to sleep with other people. Moralistic judgemental prudes may say that they should let their partner know clearly and unambiguously that they are doing so, but that is obvious bunk.

Many people are economically trapped in their loveless marriages, for instance, and won’t someone, for goodness’ sake, think of the children? Should a couple’s children be forced to suffer through the hell of divorce just because one of their parents has decided for whatever reason to more or less give up on sex? Obviously not. In such cases the right and moral thing to do is have an affair, and avoid hurting your family by telling them things they don’t want to know. After all, it’s well known that the less painful, easier path is generally the more righteous one.

So even the tiny minority of AM users who actually have had affairs behind their partners’ backs are GOOD people who have done NOTHING wrong. And yet their lives will be DESTROYED by people looking at the Ashley Madison data. They will lose their jobs – that’s a well established fact, moralising judgemental bosses will sack employees for being AM users unless they are stopped by law. The US military, for instance – which attaches ludicrous and outdated importance to its members’ abiding by their publicly sworn oaths – is conducting a vicious moralistic purge already.

So the truth is that looking at the Ashley Madison data is a far worse act than having an affair. What we actually need is a climate of moral outrage against the sort of judgemental Victorian prudes who would even look at it, not at the brave, righteous – and in many cases only tangentially or professionally involved – people identifiable in the AM data.

It’s Windows 10 day

It’s Windows 10 day. That means it’s time for a completely biased and in-no-way-even-remotely-objective assessment of Windows 10.

The internet is filled with people trying to act all objective about Microsoft and Windows 10, and explain what it all “means.” I’m forgoing all of that this round. This review is not from the standpoint of an administrator, or even much of a nerd.

This is the review of one Windows 10 user, evaluating it as the primary work operating system. It is the OS I have used for months, but is it the OS that I will trust my business to, or even want to use in my off hours? Get out the party hats and popcorn and let’s find out!

Okay, so Windows 10 isn’t exciting. In fact, it’s downright boring. The fanfare is strained and the changes are minor. Windows 10 is an evolution of its predecessor, and that’s absolutely fantastic.

For reasons Microsoft could never understand – but which I have tried to explain to them repeatedly – Windows Server 2012 and 2012 R2 have been greeted enthusiastically. Though they are essentially the same operating system, Windows 8 and Server 2012 were targeted at entirely different audiences that valued entirely different things.

Microsoft didn’t – and still doesn’t – understand what it is either group places value on. That’s okay, Microsoft has deep pockets and it can keep throwing things at the wall to see what sticks. History tells us Microsoft has a one in three chance of getting any given release right, and that’s more than enough to keep its coffers full.

So what’s up with Windows 10? Feedback from the nerdosphere has been all over the map. Many of the usual suspects are saying unusual things. Pro-Microsoft people are panning it. Anti-Microsoft people are praising it. What’s really going on is a bit more complicated.

Windows 10 is a bit crap, but only a bit. Truth be told, it’s actually quite a good operating system. I’ve been running it from the beginning of the open beta and it’s taken everything I can throw at it.

To be perfectly clear: I’m not kind to operating systems. I hibernate my PCs. I fill the RAM up. I hibernate my PCs with the RAM full. I play games the hardware doesn’t really like. I currently have more than 4,000 browser tabs open. Things like that.

Windows 10 takes everything and asks for more.

Windows 10 is faster on the same hardware than Windows 7. Noticeably so, especially if that hardware has an SSD. It’s less frustrating than Windows 8 – well, mostly – and almost as usable as Windows 7.

Thanks to Windows 8, Classic Shell has evolved rapidly over the years. Today, it solves almost all of my UI issues with Windows 10 and even manages to detect when Microsoft has reset things and sets about reinstalling itself and reapplying the settings in order to compensate. Bloody brilliant.

Best of all, Classic Shell is available as part of Ninite, so it just gets installed along with all the other default required third-party software whenever I build a system. Ninite Pro is a reasonably priced and fantastic way to keep all that third party software up to date.

Classic Shell gets rid of (most) of the stupidity Microsoft inflicted with Ribbon Bars in various bits of the UI and it replaces the completely broken, utterly useless and ridiculously poorly designed (probably by committee) abomination that is Windows 10’s Start Horror. Push button, receive mindspiders; this, at least, is solvable.

The Start Screen of Windows 8 is properly banished. The new notifications tray/basic settings widget thing is actually quite nice. Overall, most of the UI dings have been hammered out.

So the first crap part of Windows 10 is the above-mentioned Start Horror thing. It shouldn’t be. I cannot say enough mean things using enough colourful invectives. It’s awful. But, as mentioned above, it’s fixable.

Microsoft has mutated Windows Explorer into a Ribbonesque horror of additional awfulness. This is only partly fixable. It’s the worst bit and probably the thing that will drive most power users away, if anything ends up driving them away.

Settings in Windows are inconsistent. Some are in the “Settings” Metro app and some are in the Control Panel. It takes a few hours to sort out what’s where, but since there’s really only two places to look it’s honestly not that big of a deal.

The colour palette options are pretty broken. People who prefer “dark themes” are probably going to have trouble using Windows 10. If this is actually fixable, I haven’t figured out how yet. Windows 10’s customization capabilities seem strictly limited compared to previous versions of Windows.

There are some more specific issues that have irritated individual bloggers and tech journalists, but the above is the stuff I think the “average” user will notice and care about.

There are some potential deal breakers with Windows 10. To start off with, the VPN client is crap. It really does not like connecting to older VPN servers and its behaviour under many circumstances is inconsistent to the point of seeming non-deterministic. I’ve seen problems with it straight through to the release version.

Microsoft’s spying on you is pretty awful. Windows 10 calls home with essentially every last thing you do and search for by default. Finding and disarming all the different ways Microsoft spies on you is difficult at best, and a futile game of whack-a-mole at worst.

It is perhaps not fair to project the experiences of participating in the open beta onto the release version of Windows 10, but I did get pretty sick of having to go in and defang Microsoft’s creepy doll Cortana spymaster every time a major patch came out.

The NSA can go straight to hell, as can any company slurping up my info into data centres where that data can be easily “requisitioned”. I may not be able to keep the NSA out of my data, but I do intend to make the proxy whoresons work for it!

That leads us into the whole “forced patches” thing. I’m not a fan. I understand that some people feel this is the only way to make Aunt Tilly patch. They’re wrong. Aunt Tilly’s computer was shipped to her with Windows Updates enabled by default.

I prefer to not have to fight Microsoft to keep my computer from rebooting and annihilating all my open applications, thanks.

But this is beyond personal preference. Microsoft has completely borked patches so many times during my career that I absolutely refuse to install any Windows patch on any computer I rely on without testing it first. Nope. Thanks and bye.

Further adding to my nopeing over forced updates is that I simply do not trust Microsoft, even the littlest bit. Windows 10 is supposed to be on a brand new release lifecycle where major-ish updates will be pushed out with some regularity. I don’t trust Microsoft with this power.

Perhaps more to the point: I don’t trust Microsoft not to push out some horrific UI change or break applications like Classic Shell. Microsoft have broken my trust too many times and done absolutely nothing to earn it back.

Now I realise everything in this “dealbreaker” category won’t matter to everyone. In fact, there is a significant population to whom none of these issues will matter. I said above that this isn’t a particularly objective review of Windows 10. These are simply the issues that tweak my particular constellation of requirements and beliefs and prevent me from deploying it for my use cases.

For all my griping, Windows 10 is kinda not bad. My wife compares it to Canadian politicians. Everyone on offer is at least a little bit crap, but there’s usually one that meets “good enough” standards and probably will do as much good as they do harm. I think it’s an accurate comparison for Windows 10.

Most people don’t want their computers to radically change. They prefer slow, incremental evolution. They like stability. Business especially prefers this. For the most part, that’s Windows 10. It’s really not that much different than its predecessors, and that will make it usable by most.

But usable isn’t enjoyable. When Windows 7 came out there were a few complaints (give me back my up arrow, damn it!) but for the most part there was relief. At long last, here was salvation from Vista and a path forward from XP.

There’s none of that with Windows 10. It’s good enough to use if you have to. It’s definitely a step up from Windows 8. But if you have Windows 7 there’s no sane reason to move to Windows 10 as, ultimately, Windows 7 is still better.

If you don’t use VPNs except to very new servers, you trust Microsoft enough to let them force updates on you, and you’re okay with the digital creepy doll shouting everything you do back to the mothership, then Windows 10 is good enough.

Windows 10: it’s only a little bit crap. And really, that’s better than we could have hoped for.

Do NOT open that text message!

Frankly, most people who get malware are asking for trouble. They open a suspicious file from a stranger, go to a skanky website, or download the movie or game that came out yesterday from BitTorrent. Then, there’s Stagefright. With malware based on this security hole, all you need to do is to get a text on your unpatched Android device, and, bang, you’re hacked.

Android’s Stagefright security hole is scary, but you can avoid it. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher. In short, of the approximately 1-billion Android gadgets out there, Stagefright could, in theory, hit 95 percent of them.

Can you say bad news? I knew you could.


Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake, who uncovered Stagefright, claims that it’s among the “worst Android vulnerabilities discovered to date.” He’s got a point.

Stagefright holds up your device by being sent to you as a multimedia text message. For example, a short video of kittens playing could be used to put malware on your system.

The really sneaky part is you don’t need to watch the playful cats. If you’re using Google’s Hangouts app, you don’t even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you’ve already been hacked. If, on the other hand, you’re using Android’s standard Messenger app you must open the text message — but not necessarily watch the video — to get hacked.

This security hijack works by taking advantage of Android’s built-in Stagefright media library. This media playback engine comes with software-based codecs for several popular media formats and is used for audio and video playback. Its security hole appears to be that to reduce video viewing lag time Stagefright automatically processes the video before you even think about watching it. Drake will reveal the full details of how Stagefright works at Black Hat in early August.

In the meantime, Zimperium informed Google of the problem in April. According to Drake, “Google acted promptly and applied the patches to internal code branches within 48 hours.”

A Google spokesperson added in an e-mail response that, “The security of Android users is extremely important to us, so we’ve already responded quickly to this issue by sending the fix for all Android devices to our partners.”

She added:
• Security is baked into Android: Android applications run in what we call an “Application Sandbox.” Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual “sandbox” to keep it from accessing anything outside itself, meaning that even if a user were to accidentally install a piece of malware, it’s forbidden from accessing other parts of the device.
• The open ecosystem improves security and makes Android stronger: Android is open source. This means anyone can review it to understand how it works and to identify potential security risks. Anyone can conduct research and also make contributions to improve Android security.
• Google encourages security research: The Android Security Rewards Program, launched in 2015, and Google Patch Rewards program, launched in 2014, rewards the contributions of security researchers who invest their time and effort in helping make Android more secure.

So, with all this, what’s the fuss about? Yes, it’s really a bad security hole, but the fix is in… isn’t it?

Uh, well, about that: you see, Android has another, bigger security problem. With the exception of the Nexus devices, Google provides the Android source code patches, but it’s up to the smartphone carriers and original equipment manufacturers (OEMs) to send it to users with updated firmware. As of July 27th, none of the major Android OEMs or carriers have announced plans to deliver the patch. With many older devices, patches may never be delivered.

According to Zimperium, SilentCircle’s Blackphone has been protected against this attack since the PrivatOS version 1.1.7. Mozilla’s Firefox has also included a fix for this issue since version 38. And, of course, Zimperium offers its own protection from Stagefright attacks with its mobile threat defense platform, zIPS.

What Zimperium doesn’t mention is that Android already has an excellent way of blocking most Stagefright assaults: Block all text messages from unknown senders.

To do this with Android Kitkat, the most popular Android version, you open the Messenger app and tap on the menu at the top right corner of the screen (the three vertical dots) and then tap on Settings. Once there, select Block Unknown Senders, and you’re done.

On Lollipop, where Hangouts is the default messaging app, there’s no default way to block unknown senders. You can, however, under Settings go to Multimedia messages and turn off Auto Retrieve for multimedia messages.

With Lollipop, and other versions of Android, I recommend turning to third party SMS blocker apps. For Android 2.3 to 4.3, I like Call and SMS Easy Blocker. If you’re using KitKat or above, where only one texting app can be active at a time, I like Postman, aka TEXT BLOCKER. This program works in conjunction with your favorite texting application to block unknown senders.

This isn’t perfect. A friend could always get infected and spread malware, but it’s a good start.

The short-term fix will be when the carriers and OEMs get off their duffs and push the fix to us. Considering their track record, I’m not going to be holding my breath and I am going to be blocking multimedia texts. The long-term solution will be when Android-using companies start working with Google to deliver important security patches as soon as possible all the time.

Cut the Cable!!

Put up an antenna.


Many people are not aware that in 1996 the FCC issued a Federal Rule that prevents HOAs, CCRs and other private entities from stopping the installation of TV antennas.

In just about any situation, you can put up an outdoor antenna to receive over the air broadcasts, and no rules or regulations can stop you, within reason.


Take the time to read and share the FCC’s Federal Regulations – OTARD – Over The Air Reception Devices.

As directed by Congress in Section 207 of the Telecommunications Act of 1996, the Federal Communications Commission adopted the Over-the-Air Reception Devices (“OTARD”) rule concerning governmental and nongovernmental restrictions on viewers’ ability to receive video programming signals from direct broadcast satellites (“DBS”), broadband radio service providers (formerly multichannel multipoint distribution service or MMDS), and television broadcast stations (“TVBS”).

The rule (47 C.F.R. Section 1.4000) has been in effect since October 1996, and it prohibits restrictions that impair the installation, maintenance or use of antennas used to receive video programming. The rule applies to video antennas including direct-to-home satellite dishes that are less than one meter (39.37″) in diameter (or of any size in Alaska), TV antennas, and wireless cable antennas. The rule prohibits most restrictions that: (1) unreasonably delay or prevent installation, maintenance or use; (2) unreasonably increase the cost of installation, maintenance or use; or (3) preclude reception of an acceptable quality signal.

 

LINK https://www.fcc.gov/guides/over-air-reception-devices-rule

The largest-scale attack of its kind on Apple devices

A pernicious piece of Apple-focused malware reared its ugly head this week. It may have infected as many as 356,000 users.

The malware first infects Mac OS X machines, from standard desktop Macs to MacBooks, and then infiltrates all other iDevices, from iPhones to iPads, by installing rogue apps on them when they’re connected by USB. And unlike previous strains of iOS malware, it doesn’t need the device to be jailbroken. Palo Alto Networks, the company that has investigated and given a name to WireLurker, calls it a “new breed of threat to all iOS devices”. A developer at Tencent initially observed WireLurker at the start of June.

It’s little surprise so many downloaded WireLurker, given it was packaged inside seemingly legitimate apps, including some big-name games – Sims 3, Pro Evolution Soccer 2014 and Angry Birds, to name a few. They were unofficial, pirated versions of the games, however. And those who did get infected, who were only trying to get knock-off copies of those titles, likely had various pieces of data stolen from their Apple devices, including the machine’s ID number and Wi-Fi addresses it used.

Herein lies the intriguing element to this nasty piece of kit. The malware seems to be more concerned about identifying the device owners rather than stealing much data. “In other words, WireLurker seems to be targeting the identities of software pirates,” noted Jonathan Zdziarski, an iOS security expert. On jailbroken iPhones, the malware does seek to acquire more information, including SMS messages.

Could WireLurker be a law enforcement tool? If it is, then it’s another sign that the NSA isn’t fazed by Apple’s attempts to keep its users secure and private. Just last month, it was accused of trying to intercept iCloud users’ passwords, which it subsequently denied.

WireLurker was able to get malicious apps onto iOS devices by abusing “enterprise provisioning”. This allows apps not in Apple’s official stores to be downloaded as long as they are signed by an enterprise certificate, which Apple could revoke (though Zdziarski notes additional certificates could be issued and fresh copies of the malware installed). Users should always fear Apple’s requests for confirmation to open a third-party application, unless certain of its authenticity.

Zdziarski thinks that WireLurker looks primitive, yet shows up a major security hole in Apple’s pairing mechanism between its PCs and mobile devices. “The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized,” he added. “While WireLurker appears fairly amateur, an NSA or a GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.”