Chinese APT Group Weaponizes COVID-19 Fears

While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19), one stands out from the rest.  According to Check Point Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.


Though not particularly novel or intricate, the somewhat complex stager-to-downloader-to-DLL methodology does have one thing that sets it apart.  Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.


The attack itself is straightforward.  An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component of Microsoft Office on Windows, the RTF file executes code that performs additional actions on the infected machine.  In the case of this campaign, a series of downloaded files (mostly DLLs) sets up both a persistence mechanism, so that the attack re-launches itself whenever a Microsoft Office app is run until it is removed, and a Remote Access Trojan (RAT) to allow the attackers to gather details and data from an infected device.


The RAT is the more problematic of the executable components, as in addition to stealing data and user information through screenshots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.


As for mitigation against this threat, while the actual downloaded payload is new, the methods and techniques used to land the attack are not.  Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but remain unapplied on many Windows devices.  Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself.  It’s recommended that systems be patched as soon as possible if the fixes for these three CVEs have not yet been applied.


While the actual attack binaries do appear to be new, they function with the same effect as most RATs, so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected.  Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can confirm the infection or identify the reason for the unusual operations.
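One way to operationalize the "unknown process initiation" monitoring described above, as an added example written for this page rather than code from the article or from Check Point: a small rule set run over constructed process-creation records. The process names (the Office front ends and EQNEDT32.EXE, the Equation Editor binary) and the key="value" log format are assumptions, not details from the write-up.

```python
import re
from typing import Dict, List

# Process names are assumptions, not taken from the write-up: the Office front
# ends and EQNEDT32.EXE, the Equation Editor binary covered by the listed CVEs.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and signed helpers that a document should never need to start.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a normal user can write to, where downloaded stagers typically land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed key="value" process-creation records (not real Sysmon/EDR output).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    image_path = event.get("image", "").lower()
    image = basename(image_path)
    parent = basename(event.get("parent", ""))
    findings = []
    # Equation Editor renders formulas; it has no business starting anything.
    if parent == EQUATION_EDITOR:
        findings.append("equation-editor-spawned-child")
    if parent in OFFICE_APPS:
        if image in SCRIPT_HOSTS:
            findings.append("office-launched-script-host")
        # Persistence that re-launches on every Office start lives in user
        # writable paths; Office starting a binary from there is suspicious.
        if any(marker in image_path for marker in USER_WRITABLE):
            findings.append("office-launched-user-writable-binary")
    return findings


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every record through evaluate() and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for finding in evaluate(event):
            alerts.append({"ts": event.get("ts", ""), "host": event.get("host", ""),
                           "rule": finding, "image": basename(event.get("image", ""))})
    return alerts


# Constructed sample: a user opens a document (benign), Equation Editor is
# loaded normally (benign), then an exploit chain drops and runs a stager and
# the next day Outlook starts a binary from the user's profile.
SAMPLE_LOG = r'''
ts="2020-03-16T09:58:01Z" host="WS-042" event="ProcessCreate" parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
ts="2020-03-16T09:58:07Z" host="WS-042" event="ProcessCreate" parent="C:\Windows\System32\svchost.exe" image="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
ts="2020-03-16T09:58:08Z" host="WS-042" event="ProcessCreate" parent="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" image="C:\Users\alice\AppData\Local\Temp\update.exe"
ts="2020-03-16T09:58:09Z" host="WS-042" event="ProcessCreate" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\rundll32.exe"
ts="2020-03-16T10:40:30Z" host="WS-042" event="ProcessCreate" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
ts="2020-03-17T08:15:12Z" host="WS-042" event="ProcessCreate" parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" image="C:\Users\alice\AppData\Roaming\Microsoft\stage.exe"
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Merely loading Equation Editor (second record) does not fire; only its child process, the Office-launched script host, and the binary started from the profile directory do.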


Leveraging the COVID-19 fears of the world is despicable.  Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief.  That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing.  I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.


It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events.  As disheartening as that is, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses.  This example, though, is extraordinarily despicable for two reasons:  First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives.  Disruption of a single manufacturer of medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse.  People who might have lived will die, and their blood will be directly on the hands of these threat actors.  Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling.  After the loss of life, disruption of business, and overall health impact of this virus, the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.


Remote Working for Newbies



When even the Federal Government is sending workers to work from home, there are a lot of folks in municipal and private organizations and companies working from outside their office for the first time. In my career, I have been rather lucky in that I have nearly always worked remotely. Companies I have worked for based in California or Israel often found it more economical to just cover my home Internet expenses than set up a physical office near me and the few other folks who worked in the area.

For those new to remote work, here are a few tips I’ve had good experiences with over the years:

Set aside space: Even though you’re not in the office, you’re still at work. Claim some space in your home or apartment that will be used as exclusively as possible for work. While most (including me) won’t have the luxury of being able to set up a formal home office, you can designate a part of your living space that you will use when you’re working. The purely mental differentiation can help you focus on work when it’s working hours.

Don’t ignore your family, but know that you are at work: Even though you’re at home, during the workday your time still “belongs” to your employer. In much the same way as you will absolutely deal with emergency family matters when in the office, you should limit family time during working hours to just necessary events. Don’t ignore family members who are at home with you by any means, but do let them know that when you’re working, you’re working. If it can wait for 5pm, it should. If it cannot, you will deal with it immediately just like you would if you were still in the office. This gets significantly harder when you’re physically in the same space with the family members in question, but you must firmly hold the line.

Defend the company (and yourself): If you’ve been issued company equipment to work remotely, use that – and only that – equipment to do work. This will allow you to work on a device that the company IT team is still keeping patched and updated with anti-malware tools. If not, ensure that you keep your own devices updated with patches and fixes (don’t ignore the “you need some updates” messages), and make sure you have at least basic anti-malware/antivirus tools installed and kept up-to-date. If the company supplies a virtual private network (VPN) tool, be sure that you use it any time you have to work on company applications and data. Finally, make sure everyone knows that the company laptop is only to be used by you, and for work. Even if it’s more powerful than your home PC, the kids, your significant other, or anyone else who’s there can’t use it to play games or watch videos.

Digitally separate work and personal life: If you are using your own PC or laptop for remote work, take some steps to keep work data and personal data independent of each other. For example, use one email client for your own email accounts, and Outlook for company accounts (if Outlook is provided for you as part of your company’s email system). Use one browser (like Chrome) for personal use and a different one (like Edge or Firefox) for work use. Alternately, make liberal use of “Private” or “Incognito” modes in a browser when doing work tasks. Create a new folder in your My Documents folder, and keep your work stuff only in that folder. Little things like this – which are both free and easy to do – can help maintain the boundaries between work and home data and applications, avoiding both risks to company data and potentially embarrassing situations if someone sees your bookmarks on a web conference.

Use defensive web conferencing techniques: Speaking of Zoom, Webex, Teams, and other web conferencing tools, there are definitely ways to use them that keep your privacy intact. First, invest in a camera cover. These stickers or sliders cost only a buck or two, and can avoid a lot of embarrassment if the web conferencing software turns your webcam on automatically without warning. Next, never share your entire desktop. Just about every web conferencing system will let you share a specific application or upload a PowerPoint or other document. This way, if you get an unexpected private pop-up alert, it isn’t broadcast to everyone watching the conference itself. If possible, buy a low-end gaming headset that works with your laptop/desktop (or a higher-end one, but they can get quite expensive). Gaming headsets have uni-directional microphones, which means they help filter out the background noise of anything going on around you. Using a headset also helps avoid the feedback loops and squelching that using built-in audio systems can cause. Finally, if you feel up to it, you can go into the settings of the web conference tool and turn off video connectivity and set the application itself to not start automatically on a reboot. As a side-note, a shower curtain with a nice pattern or flat color suspended from mug hooks in the ceiling makes a great backdrop if you do wish to use your camera during calls and web conferences.

Leave the house when you can: This one is critical. Remote work can be very isolating, and the tendency to just stay in the house can be overwhelming. Granted, right now we’re all trying to enforce social distancing, but you can still go visit a local business during not-so-busy hours (when fewer people will be there) or take a brief walk. Calling friends and family can also help keep you connected to the world outside your apartment. Stay safe, but remember that you are not chained to your desk, and can step outside for some air whenever you need to.

Remote work can be an incredibly positive experience. Clearly delineating work from home – digitally, physically, and mentally – can make the process easier to manage and much more rewarding for you. If you find you hate remote work, this crisis will end; hopefully soon. If you find you love it, then proving that you can be just as effective and productive when remote will give you a better chance at making it permanent.

TVTropes had a breach – passwords stolen


About a month and a half ago, I started receiving “porn extortion” emails with my TVTropes password in them. For those who haven’t gotten one of these yet, consider yourself lucky.

About 4-6 months back millions of people started seeing emails that basically said “We infected your computer with a virus, turned on your webcam and recorded your screen. We saw the adult sites you visited, and what you were doing through your webcam when you were there.” Of course, for a small amount of Bitcoin, they can keep that info to themselves.

In case you haven’t guessed, it’s a total scam. I know this because my machine is a Mac, and every single one of these emails I’ve gotten over the months specifically detailed how a WINDOWS machine was infected with their virus.

More recently, these emails started including passwords from websites that I had used in the past. That’s not hard to explain: sites do get hacked and password databases do get stolen. Then the passwords get sold for fractions of a penny each, and anyone – including these scammers – can use them for whatever they want. As nearly all of these passwords are now no longer valid, they’re rarely used for attacking other websites. But using them for this kind of email scam is a great way to recycle no-longer-usable data that’s already out on the web: so many users re-use passwords on so many sites that the likelihood that at least one victim you email still has that password in active use is pretty good indeed.

In this case, for the last month and a half I have been getting these scam emails that specifically mentioned my TVTropes email address and UNIQUE password. Of course I immediately changed my password for that website, and alerted the site administrators through their bug tracking forum. I know it had to have come from that website, because the password has never been used at any other website or for any other login (using a password manager has given me the luxury of having this benefit available to me). It could only have come from that one, specific site.

Over 30 days later, and there has been no response from TVTropes, forcing me to now go public. If you have an account on TVTropes.org, you need to immediately change your password on that site, and on any other sites you have re-used that same password.

I’m much more disappointed in TVTropes. While I wouldn’t expect them to have the same level of security as financial or commerce websites, I would expect that when evidence of a breach is found they immediately investigate and force password changes for all users that were subject to having their passwords stolen. This is standard response behavior.

Also, with no response at all from the site in over 30 days of repeated attempts to contact them, I’m horrifically disappointed in the site administrators. Someone is literally telling you, privately and quietly, that your users are at absolute risk; and your response is… nothing?

So, long story short, there is evidence that TVTropes.org has been breached and their password database has been stolen and decrypted. Change your password there, and on every other site you use that same password immediately.

Response to Encrypt.me

Encrypt.me was recently purchased by j2 Global and when I heard about this I immediately posted to Twitter that people should be very concerned.

Terry Meyers, General Manager for Encrypt.me, kindly reached out to me via email to ask what my concerns were. As I have come to expect from Encrypt.me, Terry was courteous and professional, and I’m sure my opinions will be looked at by the team.

Several followers have asked me to go into a bit more detail about my concerns. I’ve therefore decided to post them here so that they can be found easily, as anyone considering using the service may benefit from my opinions. Below is an excerpt from my email to Terry, outlining why I was cancelling my Encrypt.me subscription out of concern for both security and privacy.

PLEASE: Note the last paragraph. Neither Encrypt.me or j2 Global have ever done anything that appears illegal or purposely harmful, and the company should not – under ANY circumstances – be the subject of harassment or other unwarranted attentions. Speaking your mind about concerns stemming from a product or company is good; harassment is never either good or acceptable behavior.

Excerpt from my email to the Encrypt.me Team:
Essentially, I will not trust any form of security or privacy to a company that is known throughout the technology industry as a buyer and seller of user information. To advertisers, to bulk-mail providers, and to who else knows. The advertisers and spammers (and I’m sorry I have to call them that, but they are) are known to be the case since direct portfolio companies of j2 make their money from advertisers – ZDNet – and bulk unsolicited mailers – direct response email houses. EFax is another factor I have to consider, as a large portion of their revenue is derived from a “free-to-use” system, which means j2 makes money by bartering user data since they don’t make money from the users.

I do wish you the best. I hope that j2 isolates and shelters Encrypt.me so that none of the incredibly sensitive information that a VPN has access to will ever be misused, but with the track record and history of the parent and portfolio companies I cannot be sure of that.

Please understand, I firmly believe that the portfolio companies absolutely have the right to operate exactly the way they do. They’re not breaking the law in any way, and to the best of my knowledge have never done anything to directly harm consumers. They are, however, not firms that I would be willing to trust VPN traffic to, or that I could in good conscience recommend that anyone else trust VPN traffic to.

Simply Security: Don’t Cut Users Out of the Security Team



Simply Security is a regular column sponsored by SkOUT Secure Intelligence, Find Trouble Before Trouble Finds You

When creating and updating a security policy for your organization/company, it’s important to remember one group of people who absolutely must be part of that plan – your end users. Even the very best of desktop anti-malware, VPN technologies, and email filtering tools will miss some things, and that means the user has to be the one to shield themselves against those sneaky threats.

For many security professionals, the end-user is the one person who they want to be totally excluded from the security protocols and policies of the company, but that means a critical component of your security immune system starts off out of the loop. Excluding users causes confusion when policies are created and changed, as the users may be forced to adapt to new procedures that didn’t take into account how they actually perform their job responsibilities. Documentation may be confusing to end-users, leading to mistakes in using new software and tools; or worse, users actively trying to get around these policies and procedures.

I’ve always been fond of a saying that I can never remember the source of (and if anyone knows, I’d love to give proper attribution): “Users, when faced with inconvenience, become some of the most innovative and ingenious technology experts in order to get around it.” Basically, if the user is not on-board with new security tools; they most definitely will try to find ways around them in order to do what they need to.

Personally, I’ve seen a high-level executive disable a VPN client because he couldn’t reach a website that he needed to use for his work. In other words, the entire security protocol for that laptop was undermined because the security team did not take into account that users might need to visit business-related websites. If the security team had involved end-users, they would have known that sites such as that one were required, and could have made sure the VPN did not prohibit users from visiting them.

Spam and phishing are another area where leaving users out of the equation is a recipe for disaster. No filtering system is 100% effective, and many will mis-categorize emails – both false-positive and false-negative – under a wide variety of circumstances. New threats can be used to create email messages that don’t trigger filtering rules, and crafty phishers can alter their approach to overcome software review. If the users are part of the organization’s immune system, they can become an active part of finding fraudulent and malicious messages before they wreak havoc on the company itself.

As a perfect example, doing something as simple as flagging emails based on whether they are internal or external, and whether they appear to be malicious in some way even when the filter can’t decide one way or the other, can allow users to be on their guard. This – combined with basic Security Awareness Training – allows them to look at flagged and external emails with a critical eye to determine if they’re legitimate or not when the filter just cannot be certain. Maybe they will call Accounts Payable when a slightly suspicious wire transfer request is sent to them, instead of just heading to the bank website because the email looked like it came from a legitimate sender.
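The internal/external flagging just described, as an added example written for this column rather than the author's or any vendor's code: it parses a message, tags it [EXTERNAL] when the sender's domain is not the organization's, and adds further "looks suspicious but not certain" tags (Reply-To pointing elsewhere, an outside sender using a protected staff name, payment wording) so the user sees them in the subject line. The domain, the staff name and the three sample messages are constructed assumptions.

```python
import email
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# Constructed organization details; the domain and name are assumptions,
# not taken from the column.
INTERNAL_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"dana reyes"}          # staff an outsider might imitate
PAYMENT_WORDS = ("wire transfer", "bank details", "invoice", "payment")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (multipart-aware)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw: str) -> Tuple[List[str], str]:
    """Return (tags, subject with tags prefixed) for one RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    tags: List[str] = []

    # Rule 1: anything not from our own domain is external, full stop.
    external = from_domain not in INTERNAL_DOMAINS
    if external:
        tags.append("EXTERNAL")

    # Rule 2: replies would go somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        tags.append("REPLY-TO MISMATCH")

    # Rule 3: an outside address borrowing a known colleague's display name.
    if external and name.strip().lower() in PROTECTED_NAMES:
        tags.append("POSSIBLE IMPERSONATION")

    # Rule 4: outside mail that talks about moving money gets a nudge too.
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    if external and any(word in text for word in PAYMENT_WORDS):
        tags.append("PAYMENT REQUEST")

    subject = msg.get("Subject", "")
    prefix = "".join("[%s] " % tag for tag in tags)
    return tags, prefix + subject


# Constructed sample messages.
INTERNAL_MAIL = """From: Dana Reyes <dana.reyes@example-corp.com>
To: ap@example-corp.com
Subject: Q2 budget review

Meeting moved to Thursday.
"""

IMPOSTER_MAIL = """From: "Dana Reyes" <dana.reyes.cfo@webmail-lookalike.example>
Reply-To: payments@another-lookalike.example
To: ap@example-corp.com
Subject: Urgent wire transfer

Please process this wire transfer before noon; I am in meetings all day.
"""

NEWSLETTER_MAIL = """From: Vendor News <news@vendor.example>
To: ap@example-corp.com
Subject: March product updates

New features this month.
"""

if __name__ == "__main__":
    for sample in (INTERNAL_MAIL, IMPOSTER_MAIL, NEWSLETTER_MAIL):
        print(classify(sample))
```

The tags are deliberately hints rather than verdicts: the newsletter is only marked external, while the look-alike wire-transfer request collects every tag and is the one the user should phone Accounts Payable about.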

In the end, exclusion of the actual users of a system from the discussions about the security of that system and involvement in those policies and procedures is asking for a security incident. Users need training, but they can be an impactful and critical part of the company’s immune system – protecting the organization from point exposures on the front lines as the security team works to limit exposures on a company-wide level.

Newbie2Security: Passwords

A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site.  How do I make sure my passwords are good enough for security, but not forget them continuously?”

Well, passwords are a tough nut to crack these days.  Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords.  Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack.  There’s good news, though, so let’s talk about passwords:

Passwords should be:

1 – Difficult for an attacker to guess

2 – Easy for you to remember

3 – Never re-used

4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)

Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn in an attempt to happen upon your actual password.  Most – but not all – applications and sites have some method in place to stop this from working, either by limiting the number of attempts at a password before the account becomes locked, or by progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.
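The two server-side defences just mentioned, lockout and progressive slow-down, as an added example written for this page (not code from the article or any particular site): a per-account throttle that doubles the required wait after each failure and locks the account after a fixed number of failures. The thresholds, the FakeClock used to step time, and the demo credential are constructed assumptions.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # earliest clock value at which another try is accepted
    locked: bool = False


class LoginThrottle:
    """Progressive delay plus lockout, tracked per account name.

    Constructed policy (assumptions, not from the article): the first
    FREE_ATTEMPTS failures cost nothing, each further failure doubles the
    required wait starting at BASE_DELAY seconds, and LOCK_AFTER failures
    lock the account until an out-of-band reset clears it.
    """
    FREE_ATTEMPTS = 3
    BASE_DELAY = 2.0
    LOCK_AFTER = 10

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                      # injected so tests control time
        self.state: Dict[str, AccountState] = {}

    def check(self, user: str) -> Optional[str]:
        """None if an attempt may proceed, otherwise the reason it may not."""
        st = self.state.get(user)
        if st is None:
            return None
        if st.locked:
            return "locked"
        now = self.clock()
        if now < st.not_before:
            return "retry in %.0fs" % (st.not_before - now)
        return None

    def record(self, user: str, success: bool) -> None:
        """Update the account's state after a verified attempt."""
        if success:
            self.state.pop(user, None)          # a good login resets the counter
            return
        st = self.state.setdefault(user, AccountState())
        st.failures += 1
        if st.failures >= self.LOCK_AFTER:
            st.locked = True
        elif st.failures >= self.FREE_ATTEMPTS:
            delay = self.BASE_DELAY * 2 ** (st.failures - self.FREE_ATTEMPTS)
            st.not_before = self.clock() + delay


def attempt(throttle: LoginThrottle, user: str, password: str,
            verify: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Gate a login through the throttle; verify() runs only when allowed."""
    reason = throttle.check(user)
    if reason:
        return False, reason
    ok = verify(user, password)
    throttle.record(user, ok)
    return ok, "ok" if ok else "bad credentials"


class FakeClock:
    """Manually advanced clock so the delay schedule can be shown without waiting."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed credential store for the demo (a real one stores password hashes).
DEMO_USERS = {"alice": "Th3-pelican-reads-at-dusk"}


def demo_verify(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed store."""
    stored = DEMO_USERS.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode()) and user in DEMO_USERS


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    for guess in ["pass1", "pass2", "pass3", "pass4", "pass5", "pass6"]:
        print("t=%.0f" % clock.now, guess, attempt(throttle, "alice", guess, demo_verify))
        clock.advance(1.0)
```

Note that while the wait is in force even the correct password is refused, which is what makes guessing at speed pointless; a successful login clears the account's counter.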

Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords.  They might be able to manage 1, 2, and 4; but only at the expense of 3.  If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.

The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:

1 – Use a Password Manager: A password manager is simply a piece of software that will allow you to store your usernames and passwords for various sites and applications in a vault that is securely protected.  This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps.  You do need to be sure the password manager vendor is reputable and has a good history in security; otherwise you just set it up, keep it updated, and don’t have to worry about forgetting passwords.  Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself.  1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; they are also easy to use and work no matter what browser you use. They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.

2 – Use a Pass Phrase Instead:  Who says a password has to only be one word?  Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use.  How about “ThisIsMySecureGooglePassword!” for your Google account?  It’s the right length, has upper and lowercase letters, has a special character, etc.  It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.

NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords.  PLEASE think up a passphrase or sentence of your own.

4 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever.  If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.

5 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone.  It is never necessary for them to do so.  They can access your information via their own methods, and don’t need you to tell them your password in order to do it.  So, if anyone claims they’re from Facebook, or Microsoft, etc. either via email or phone and asks for your password, they’re lying and trying to steal your info.  Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured.  So, a password manager that encrypts its vault is fine, but an Excel spreadsheet that isn’t protected is not.

Defending yourself with strong, non-reused, passwords is a critical part of online security.  These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of.  Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.

No, I will not disable my ad blocker.

Anyone who uses an ad blocker has no doubt seen the “placeholder” images or text that replace where the advertisement would be on popular websites. These placeholders implore us to turn off our ad blockers to give the site vital revenue, to not starve the website owners of cash. Lately, there have been even more aggressive methods to ask us to turn blocking off – pop-up or interstitial notifications to shut the blocker off, or even full-page-blocking notifications that keep you from seeing anything if an ad blocker is on.

I do not, in principle, have an issue with these notifications. I think companies and individuals who support their sites with advertising have the right to ask us to turn off the tech that keeps them from getting paid and paying their bills. However, I must regretfully inform these sites that I will not be turning off my ad blocking software, and here is why:

Ad networks (the 3rd-party companies that serve up the ads found on most websites these days) have become nothing more than the latest vector for delivering malware of many forms. In the past, an attacker had to compromise the site itself through security holes or brute force in order to turn that site into an attack vector for infecting visitors with various nasty software. Ad networks have allowed attackers to do many times the damage with a fraction of the effort.

Here’s how it works: The attacker buys ad space with a network that allows JavaScript or other active-code ad serving. The technology generally allows advertisers to show rich-media ads (which are annoying and should be removed from the internet anyway, but I digress). Rich-media ads have video, audio, and other eye-catching stuff built-in, but require that the website displaying them allow the scripts to be run. They also require that the browser allow the scripts to run, which ad blockers disable. For a legitimate advertiser and the website owner, this means better conversion rates (the rate at which viewers click on the ad to see the product/service being sold), and rich-media ads have become insanely popular with advertisers themselves and a requirement for most ad networks to support.

An attacker can create an “advertisement” that has scripting which delivers the payload of their choice. This could be malware or spyware that the user must accept and run, other malware and spyware that requires no user interaction (limiting what it can attack, but making it much more likely to execute), or more recently crypto-currency mining scripts that chew up CPU cycles and can theoretically damage a computer through overheating it. Since the ad network has no way to tell that the malicious ad is any different from any other rich-media ad (because networks don’t bother to police their customers), the ad network serves up the bad ad to hundreds of websites and infects thousands of end-users.

In short, network advertising on websites has become the new way for attackers to deliver their malware.

This “malvertising” has become so prevalent that even giant sites like Showtime have been attacked via malware in ads posted on their sites. The ad networks do nearly nothing to stop the problem, and the site owners cannot stop it short of removing the ad networks’ code from their sites.

So, until such time as ad networks begin to properly police the ads they put up on network sites, or until such time as you – the site owner – remove that code and post ads you know to be non-malicious only; I’m not turning off the ad blocker. I’m sorry that this impacts you, truly I am. However, the situation has reached a point where no site that runs network ads is safe unless that code is blocked from ever running.

PS: I do indeed subscribe to websites that offer quality content without ads, either through Patreon or directly with the site itself. I know that this limits how many sites I can possibly support, but for those that offer great content and don’t attempt to infect my system with their lax code policies, I’m more than willing to put my money where my mouth is.

Outlook for iOS just plain sucks

Recently, I joined a new company that uses Office365 – Microsoft’s cloud-forward platform that they believe will eventually replace the traditional licensing models for the Microsoft Office Suite, Exchange Server, SharePoint and several other products. The idea is good, as it opened the door to Microsoft finally bringing its signature office applications (Word, PowerPoint, Outlook, etc.) to more platforms, like iOS devices. Word, Excel, and several others made the jump to my iPhone rather nicely. I’m pleasantly surprised at how well they translated from the big screen on my desktop to the small screen on my mobile devices.

Outlook fell out of the WTF tree and smacked into every single dumb-ass branch on the way down.

First, let’s talk about the interface. On a computer, with a keyboard and mouse, the interface for Outlook for PC and Mac is manageable and usable. I’m not a huge fan of the “put all the menu buttons in one tiny corner” school of UX design, but with keyboard shortcuts it’s a very workable solution for maximizing screen real-estate. Even in Outlook for Mac – long the whipping boy for how not to port an application from Windows – the interface is clean, effective, and works. On iOS, the interface is horrible. There are no keyboard shortcuts to jump from mail to calendar to contacts, and some features like the task list are just plain missing. To be fair, tasks sync to the Reminders app in iOS – but only if you also set up your Outlook/Exchange account as an internet account on the phone.

All right, I know what you’re all saying, “It’s a scaled down version for just the essential stuff like email!” Great, let’s look at email:

No font sizing. So basically you’re going to see a set amount of info on each screen, no exceptions. Got an iPhone SE and need a bigger scale to avoid going blind? Too bad. On an iPad Pro and want to shrink stuff down so you can get more on the screen? Sucks to be you. To clarify, I am not talking about the fonts IN the emails – Outlook has little to no control over that if the email has its own formatting. I’m talking about the interface itself and the message previews in your mailbox lists.

No red squiggles. In nearly every other iOS application, when you mis-spell a word that autocorrect doesn’t murder for you (AUTOCORRECT SICKS!); you get a helpful visual indicator that something just ain’t right – the infamous red squiggle underline. It happens in the native mail app, and Airmail for iOS, and honestly every other 3rd-Party email app I’ve tried since iOS 4 was a thing. Outlook can’t get it to happen – or on the few instances they do get it to work it almost immediately stops working again. I’ve changed my keyboard settings, fiddled with autocorrect settings, etc. Nothing gets it to work reliably. Now I do a quick proof-read of emails before I hit send whenever possible because… well… AUTOCORRECT SICKS! but sometimes it’s easy to miss a spelling errer, and the red squiggly lines (like the one that’s glaring at me from that purposeful mistake in the last sentence) are extremely vital to not letting them get sent out.

No S/MIME support. What were they thinking? Outlook on the desktop has supported S/MIME in one form or another since Office 98, and done it reasonably well. Even Outlook for Mac has supported the use of signing certificates since it changed over from Entourage years ago. The native mail app supports S/MIME just fine, so the phone itself is capable of it; and other 3rd-Party mail apps seem to offer at least basic support for it, so it’s not an “Apple locked this feature away for their own use only” issue. But, alas, Outlook for iOS cannot use certificates to sign or encrypt emails, or even recognize that one is in use in an incoming email.

Not all bad news

There are some good points to Outlook for iOS as well. It’s not all doom and gloom. While the sizing is an issue, the interface is at least intuitive enough that I didn’t have to go searching through a knowledge base to figure out where things were. Not having the keyboard shortcuts as on a Mac or PC is annoying, but not something that will completely hobble you. Having email and calendars in one app is a much simpler method than downloading the .ics attachment, opening it in the Calendar app, and finally accepting it (or more often than not, finding out there is a conflict and starting the process over with the updated invite). Direct interoperability with other Office for iOS apps right out of the box is also a strong feature in Outlook’s favor. And having the licensing included in my Office365 subscription – which is handled by the iTunes App Store natively – makes things a lot simpler to manage.

I hope that Microsoft hammers out the kinks in the system. I would personally love to use Outlook for iOS for all of my work-related email; as I always keep work email and personal mail in different apps to avoid confusion and mistakes between accounts. For now though, I have to stick with Airmail for iOS. It doesn’t support S/MIME either, but can talk to Exchange online and does everything else I need except Calendars. For those who are interested, I went with BusyCal for iOS on that front.

Outlook for iOS is a flawed, half-baked product. It shouldn’t be part of the Office for iOS suite, and only serves to drag down what is otherwise a great set of apps that we’ve all been waiting for since Microsoft started looking at mobile devices. Get it together, Microsoft, and give me what I’ve had on the desktop and in other 3rd-Party email apps for years now!

Bailing S3 Buckets

Headlines are breaking out all over the last few weeks about high-profile data breaches caused by company databases and other information being stored in public Amazon Web Services (AWS) Simple Storage Service (S3) buckets. See here and here for two examples. The question I get most often around these breach notices is, “Why does anyone leave these buckets as public, and isn’t that AWS’s fault?” The answer is straight-forward, but comes as a bit of a shock to many – even many who work with AWS every day.

A quick refresher on S3

For those not familiar with S3 or what it is and what it does, basically S3 is an online file system of a very defined type. S3 is a cloud-based Object Storage platform. Object Storage is designed to hold unstructured collections of data, which typically are written once and read often, are overwritten in their entirety when changed, and are not time-dependent. The last one simply means that having multiple copies in multiple locations doesn’t require that they be synchronized in real-time, but rather that they can be “eventually consistent” and it won’t break whatever you’re doing with that data.

S3 organizes these objects into “buckets” – which would be the loose equivalent of a file system folder on more common operating system file systems like NTFS or EXT. Buckets contain sub-buckets and objects alike, and each level of the bucket hierarchy has security permissions associated with it that determine who can see the bucket, who can see the contents of the bucket, who can write to the bucket, and who can write to the objects. These permissions are set by S3 administrators, and can be delegated to other S3 users from the admin’s organization or other organizations/people that have authorized AWS credentials and API keys.

It’s not AWS’s fault

Let’s begin with the second half of the question. These breaches are not a failure of AWS’s security systems or of the S3 platform itself. You see, S3 buckets are *not* set to public by default. An administrator must purposely set both the bucket’s permissions to public, and also set the permissions of those objects to public – or use scripting and/or policy to make that happen. “Out of the box,” so to speak, newly created buckets can only be accessed by the owner of that bucket and those who have been granted at least read permissions on it by the owner. Since attempting to access the bucket would require those permissions and/or API keys associated with those permissions, default buckets are buttoned up and not visible to the world as a whole by default. The process to make a bucket and its objects public is also not a single-step thing. You must normally designate each object as public, which is a relatively simple operation, but time consuming as it has to be done over and over. Luckily, AWS has a robust API and many different programming languages have libraries geared toward leveraging that API. This means that an administrator of a bucket can run a script that turns on the public attribute of everything within a bucket – but it still must be done as a deliberate and purposeful act.

So why make them public at all?

The first part of the question, and the most difficult to understand in many of these cases we’ve seen recently. S3 is designed to allow for the sharing of object data; either in the form of static content for websites and streaming services (think Netflix), or sharing of information between components of a cloud-based application (Box and other file sharing systems). In these instances, making the content of a bucket public (or at least visible to all users of the service) is a requirement – otherwise no one would be able to see anything or share anything. So leveraging a script to make anything that goes into a specific bucket public is not, in itself, an incorrect use of S3 and related technologies.

No, the issue here is that buckets are made public as a matter of convenience or by mistake when the data they contain should *not* be visible to the outside world. Since a non-public bucket would require explicit permissions for each and every user (be it direct end-user access or API access); there are some administrators who set buckets to public to make it easier to utilize the objects in the bucket across teams or business units. This is a huge problem, as “public” means exactly that – anyone can see and access that data no matter if they work for your organization or not.

There’s also the potential for mistakes to be made. Instead of making only certain objects in a bucket public, the administrator accidentally makes ALL objects public. They might also accidentally put non-public data in a public bucket that has a policy making objects within it visible as well. In both these cases the making of the objects public is a mistake, but the end result is the same – everyone can see the data in its entirety.

It’s important to also point out that the data from these breaches was uploaded to these public buckets in an unencrypted form. There are lots of reasons for this, too; but encryption of data not designed for public consumption is a good design to implement – especially if you’re putting that data in the cloud. This way, even if the data is accidentally put in a public bucket, the bad actors who steal it are less likely to be able to use/sell it. Encryption isn’t foolproof and should never be used as an alternative to making sure you’re not putting sensitive information into a public bucket, but it can be used as a good safety catch should accidents happen.

No matter if the buckets were made public due to operator error or for the sake of short-sighted convenience, the fact that the buckets and their objects were made public is the prime reason for the breaches that have happened. AWS S3 sets buckets as private by default, meaning that these companies had the opportunity to just do nothing and protect the data, but for whatever reason they took the active steps required to break down the walls of security. The lesson here is to be very careful with any sensitive data that you put in a public cloud. Double-check any changes you make to security settings, limit access only to necessary users and programs by credentials and API keys, and encrypt sensitive data before uploading. Object Stores are not traditional file systems, but they still contain data that bad actors will want to get their hands on.
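The “double-check any changes you make to security settings” advice above can be automated. The following is an added example, not code from the original post: it inspects the two places where an administrator deliberately opens a bucket up (the bucket ACL’s grants to the global AllUsers/AuthenticatedUsers groups, and bucket policy statements whose Principal is `*`) and reports each one. It works offline on the JSON shapes the S3 GetBucketAcl and GetBucketPolicy calls return; in practice you would feed it the output of boto3’s `get_bucket_acl()` and `json.loads(get_bucket_policy()["Policy"])`. The sample ACL and policy documents are constructed, as are the bucket name and owner ID.

```python
"""Offline check for the deliberate "make it public" S3 settings the post describes.
Added example, not from the original post. Inputs are the JSON shapes returned by
the S3 GetBucketAcl and GetBucketPolicy calls; the sample documents are constructed."""
from typing import List, Optional

# Grantee URIs S3 uses for "everyone" and "anyone with an AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl: dict) -> List[str]:
    """Describe each ACL grant that hands a permission to one of the global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

def _principal_is_anonymous(principal) -> bool:
    """A policy Principal of "*" or {"AWS": "*"} means anyone, no credentials needed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_policy_statements(policy: dict) -> List[str]:
    """Describe each Allow statement in a bucket policy that applies to everyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_anonymous(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                            f"{', '.join(actions)} to everyone")
    return findings

def audit_bucket(acl: dict, policy: Optional[dict]) -> List[str]:
    """Combine ACL and policy findings; an empty list means no public grants were found."""
    return public_acl_grants(acl) + (public_policy_statements(policy) if policy else [])

# Constructed samples. PRIVATE_ACL is the out-of-the-box state (owner only);
# PUBLIC_ACL and PUBLIC_POLICY are the deliberately opened-up state.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print("private bucket:", audit_bucket(PRIVATE_ACL, None) or "no public grants")
    for finding in audit_bucket(PUBLIC_ACL, PUBLIC_POLICY):
        print("FINDING:", finding)
```

Run it against every bucket in the account on a schedule and alert on any non-empty result; a bucket that legitimately serves static content should be on an explicit allow-list rather than silently passing.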

What is Ransomware, and how do I stop it?

I get asked this question a lot by folks from all over the tech industry and from non-tech people just as often. Ransomware is not new, but several extremely high profile attacks (like the “NotPetya” attack in Europe earlier in 2017) have put the topic back on the front burner of most peoples’ minds. With that in mind, let’s take a look at how to answer the question “What is ransomware, and how do I stop it?”

What is it?

Ransomware is a form of malware – software that is not wanted on your computer and does something detrimental to your machine or the data it holds. This particular form of malware is nastier than most, however. While many virus, trojan, and other types of malware will delete data; ransomware encrypts data on your disk, meaning the data is still there, but totally unusable by you until you decrypt it. The creator of the ransomware is effectively holding your data hostage for money.

Tech Note – Encryption:

Encryption is the process of manipulating the binary data of your files using a cipher of some form to make the data useless to anyone who cannot decrypt it with the appropriate key. Much like converting orders into code before sending them in a war zone, you can encrypt data to make it useless to anyone who doesn’t have the key. This technology lets us safely bank online, save data in the cloud, etc., and is not inherently a bad thing to have.

Ransomware arrives as an email attachment, a “drive-by” download from a website (where you visit a website and are prompted to download an executable file), and sometimes it acts as a true worm which infects any computers near one which has fallen victim to the malicious code. Once the infection takes hold on a computer, the malware will look for certain types of files (most often documents, spreadsheets, database files, text files, and photos); and will then encrypt these files in such a way that they are unusable by anyone until the malware author provides you with the decryption key.

The malware creator will offer to send you the key if you pay them the amount of money they are demanding – typically via the crypto-currency Bitcoin. They’ll also provide handy information on how to obtain Bitcoin, and the current exchange rates between the Bitcoin currency and your local currency. These malware authors are of course not going to provide just the helpful information. Along with that info comes a warning that if you don’t pay them by a certain date, your data will become permanently un-decryptable and lost forever. You seem to have only two choices: Pay the ransom or lose your data.

What do you do?

First, don’t panic. The malware creators of the world rely on people getting freaked out and doing anything they say in order to make the problem go away. Take a deep breath, step away from the computer for a moment, and then let’s deal with things.

1 – DO NOT PAY THE RANSOM! I can’t stress this enough, and there are very good reasons why you should never pay the ransom no matter how tempting it might be. First, there is at least a very good chance that the malware creators won’t ever give you the decryption key. It’s depressingly common for malware authors to use ransomware as a tool to steal money; and once the malware is known about, internet service providers and security researchers take steps to remove the ability for them to actually get paid or send you the key anyway. Secondly, negotiating with bad actors only results in more bad actors. If an author of ransomware gets a ton of money from their victims, then other authors will see the money available and write more ransomware to get in on the act.

2 – Check online to see if the ransomware has already been broken. Especially for the older variants of ransomware, there is a chance a security research group has figured out what the decryption key is. Check with your anti-virus/anti-malware provider (Symantec, Sophos, etc.) and legitimate tech sites to see if the key has already been found and made available; and to get instructions on how to decrypt your files with it.

3 – If a decryption key isn’t available, then you will need to restore your data from backups AFTER you clean the malware off your system. Check with your anti-virus/anti-malware vendor or your company’s IT department to find out how to get your system cleaned up; and with your backup provider or IT team to get the last known good version of your files back.

How do we stop it?

Stopping ransomware is not easy, as a successful attack can gain the malware authors quite a bit of money. New variants are popping up often, and some of them can spread themselves from machine to machine once the first few machines are infected via email attachments, etc. So how can you help stop ransomware and make it less profitable for the authors?

1 – DO NOT PAY THE RANSOM! Seriously, this cannot be said often enough. Each time someone pays the ransom, another author sees that they can make money by creating their own ransomware and spreading it around the internet. The first step in stopping the spread of this malware is to make sure there is nothing for the criminals who create it to gain.

2 – Keep your Operating System (OS), anti-virus, and anti-malware software up to date. No matter what OS you use (Windows, Mac, Linux, etc.) you are susceptible to malware of various kinds – including ransomware. Make sure you are regularly updating any desktops, laptops, tablets, and smartphones with OS updates and app updates as they are available. Even if you don’t feel comfortable having the OS keep itself updated automatically, be sure you are manually updating on a weekly basis at least. If you don’t have an anti-malware tool (such as those from Sophos, Computer Associates, etc.), then go download one and get it installed. Keep it updated – either via the tool’s own auto-update feature or just manually checking for updates at least daily. While anti-malware tools cannot catch every single variant of every malware package, they can catch a large number of them and keep you safer than not having one at all.

3 – Back up regularly. Use a tool that stores multiple versions of your files when they change – like Carbonite (disclosure: I’m a Carbonite subscriber and used to work for one of their family of products) or other such tools. This way, if you do get hit with ransomware, you can clean your system and restore last-known-good versions of files that were lost.

4 – Practice common sense internet safety. Don’t open attachments in email messages unless you know exactly what they are, who sent them, AND that they are legitimate. If you’re not sure of all three things, don’t open it – get confirmation from the sender first. Don’t click links in email. Instead, go to the website in question manually in your web browser and then navigate to the information you need. NEVER accept or open any files that automatically download when you load a website. If you didn’t click on it, don’t accept it. Along with that, always go to the vendor page to get new software. For example, if a site says you need a new version of Flash Player, then go to http://get.adobe.com/flashplayer and check for yourself instead of clicking on the link or button.

Protect yourself from ransomware as best as you can by following common-sense internet safety rules, and keeping your system backed up. Never pay the criminals who are holding your data for ransom. Finally, spread the word that ransomware can be stopped if we all work together and take the right precautions!