Frustrate Phone Hackers

The NSA’s mobile device best practices guide contains the easiest and best tip for cellphone cybersafety I have heard in years. I’m surprised I had not thought of mentioning it. I regularly tell folks to turn off their computers when they are not using them because it discourages hackers. The same applies to cellphones.

The NSA suggests powering down once a week. I say, more often is better if you can swing it.

Here’s why. Everyone, including criminal hackers, likes a regular work week and hates to waste effort. Just like the rest of us, criminals want a regular, productive five-day, nine-to-five work week. When law enforcement tries to trace the source of a hack, investigators often identify the hacker’s time zone by looking at file and event timestamps and asking which offset from UTC turns the activity into an ordinary working day. They know when hackers in China, to take one example, like to start and end their day, and even when they knock off for lunch.
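The timestamp trick above is simple enough to show in code. What follows is an added example, not code from the original post: given a list of UTC timestamps for attacker-generated events, it tries every whole-hour UTC offset and reports which ones make the most events fall inside a conventional 9-to-5 working day. The timestamps, the working-hour window, and the function names are all constructed assumptions for illustration, not real incident data.

```python
"""Infer an intruder's working hours and likely UTC offset from event
timestamps.  Added example, not code from the original post.  The
timestamps are constructed for illustration, not real incident data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker-generated events (logins,
# file writes) as an investigator might pull them from logs.
SAMPLE_EVENTS_UTC = [
    "2021-05-03T06:12:41Z", "2021-05-03T07:48:03Z", "2021-05-03T10:05:19Z",
    "2021-05-03T14:31:55Z", "2021-05-04T06:40:12Z", "2021-05-04T08:22:37Z",
    "2021-05-04T13:07:44Z", "2021-05-05T09:15:02Z", "2021-05-05T11:58:26Z",
    "2021-05-05T14:44:09Z", "2021-05-06T07:03:50Z", "2021-05-06T10:29:31Z",
    "2021-05-07T06:55:18Z", "2021-05-07T13:36:47Z",
]

# Assumed working day: 09:00 through 17:59 local time.
WORK_HOURS = range(9, 18)
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(events_utc, offset_hours):
    """Hour-of-day counts after shifting every event to UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in events_utc)


def weekday_histogram(events_utc, offset_hours):
    """Day-of-week counts at the candidate offset (a five-day pattern is a clue)."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(WEEKDAYS[parse_utc(ts).astimezone(tz).weekday()] for ts in events_utc)


def score_offset(events_utc, offset_hours):
    """How many events land inside WORK_HOURS if the operator sits at this offset."""
    hist = local_hour_histogram(events_utc, offset_hours)
    return sum(n for hour, n in hist.items() if hour in WORK_HOURS)


def infer_utc_offsets(events_utc):
    """Try every whole-hour offset from UTC-12 to UTC+14 and return
    (best_score, [offsets that reach it]).  Several offsets tying means the
    data cannot separate neighbouring zones; a unique winner is the
    investigator's best guess, not proof."""
    scores = {off: score_offset(events_utc, off) for off in range(-12, 15)}
    best = max(scores.values())
    return best, sorted(off for off, s in scores.items() if s == best)


if __name__ == "__main__":
    best, offsets = infer_utc_offsets(SAMPLE_EVENTS_UTC)
    print(f"{best}/{len(SAMPLE_EVENTS_UTC)} events fit a 9-to-5 day at UTC{offsets[0]:+d}")
    print("weekday spread:", dict(weekday_histogram(SAMPLE_EVENTS_UTC, offsets[0])))
```

On the constructed sample every event fits a 9-to-5 day at UTC+3 and no other offset does as well. Real data is messier: daylight-saving shifts move the window by an hour for part of the year, and attackers can forge file times (timestomping), so log timestamps written by systems the intruder did not control are the better input.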

Now, suppose some ordinary nine-to-five criminal has succeeded in pwning (taking over) your computer or cellphone. They come back from their borsch, pelmeni, and sour cream, raring to resume stripping you bare. They discover your computer has disappeared. Nasty words follow in foreign languages. Do you suppose they will wait patiently for you to power up? Not a chance. Most likely, after having lost a morning’s work getting ready to knock you over, they will not make the same mistake twice. They will move on to easier pickings. If you are lucky, your unreliable habits will annoy the crooks to the point that they put you on their private “do not hack” list.

Recent trends in hacking make shutting down and restarting even more desirable. For decades, anti-virus and anti-malware tools have relied on file signatures to detect attacks. The tools scan file systems for files whose characteristics (names, sizes, timestamps, and embedded byte sequences) signify infection. Having identified an infection, the tool quarantines or removes the files and takes other steps to clean up.

Hackers know all about how these tools work and have responded with subtler ways of infecting computers. Many of these avoid detectable file changes by injecting malicious code directly into memory, the high-speed, short-term storage that is wiped when a computer is rebooted.

And there you have it: power down a computer or phone carrying a purely memory-resident infection and the infection is gone. All that lovely hacking work destroyed. What a shame. Not. Two caveats, though. First, many so-called fileless attacks still leave a small foothold on disk or in settings (a scheduled task, a startup entry, a registry value) whose only job is to reload the in-memory stage at the next boot; a restart wipes the running stage, not the foothold, so treat the weekly reboot as a cheap extra layer, not a substitute for updates and a reputable malware scanner. Second, rebooting also wipes the evidence: if you suspect an active compromise that someone will need to investigate, capture what you can before you pull the plug.
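To make the disk-versus-memory distinction concrete, here is an added example (not code from the original post): a toy byte-signature scanner in Python. It scans files in fixed-size chunks, carrying the tail of each chunk forward so a pattern that straddles a chunk boundary is still caught, and then scans a stand-in for a process memory region. The signatures, the sample files, and the “memory image” are all constructed for illustration; real products use far longer patterns plus hashes, heuristics, and behaviour monitoring.

```python
"""Signature scanning, on disk and in memory.  Added example, not code from
the original post; the signatures, files and "memory image" below are all
constructed for illustration."""
import os
import tempfile

# Constructed demo signatures: name -> byte pattern.
SIGNATURES = {
    "Demo.Dropper": b"\x4d\x5a\x90\x00DEMO-DROPPER",
    "Demo.Stager": b"STAGER::LOAD:",
}
CHUNK_SIZE = 4096


def scan_bytes(data, signatures=SIGNATURES):
    """Names of every signature found anywhere in a byte string."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_file(path, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Scan a file chunk by chunk, carrying the tail of the previous chunk
    forward so a pattern straddling a chunk boundary is still matched."""
    overlap = max(len(p) for p in signatures.values()) - 1
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            window = tail + block
            hits.update(scan_bytes(window, signatures))
            tail = window[-overlap:] if overlap else b""
    return sorted(hits)


def scan_tree(root, signatures=SIGNATURES):
    """Map of relative path -> signature names for every infected file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, signatures)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_demo_tree():
    """Create a throwaway directory with one benign file and one file whose
    signature sits exactly across the 4096-byte chunk boundary."""
    root = tempfile.mkdtemp(prefix="sigscan-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n" * 300)
    with open(os.path.join(root, "bin", "update.exe"), "wb") as fh:
        fh.write(b"\x00" * (CHUNK_SIZE - 6) + SIGNATURES["Demo.Dropper"] + b"\x00" * 64)
    return root


# Constructed stand-in for a process memory region holding a stage that was
# never written to disk.  A file-system scan cannot see it; a reboot erases it.
MEMORY_IMAGE = b"\x90" * 32 + b"STAGER::LOAD:https://example.invalid/next" + b"\x90" * 32


def demo():
    """Return (disk findings, memory findings) for the constructed data."""
    root = build_demo_tree()
    return scan_tree(root), scan_bytes(MEMORY_IMAGE)


if __name__ == "__main__":
    on_disk, in_memory = demo()
    print("disk scan:", on_disk)
    print("memory scan:", in_memory)
```

The disk scan flags only the dropper on disk; the stager living in the memory image is invisible to it, which is exactly the gap memory-only malware exploits and a reboot closes. The overlap logic is the detail naive scanners get wrong: without it, the dropper planted across the chunk boundary would go unreported.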

I have regular irregular habits. I have a tablet in our living room that I use occasionally. I regularly shut it off when I’m not using it. Some days, it’s up all day and until late at night. Other days, it’s never up. I have several computers in my office. When the witching hour arrives and I decide to turn in for the night, I power them off. My last act of the day is to shut down and restart my phone. Midnight on the U.S. west coast is 10am in Moscow, a location where a lot of hacking goes on.

The next day, I power up the computers in my office as needed. On days I spend working in the yard or running errands, they may be up only for an hour or two. The point is to build irregularity, from the hacker’s point of view, into your regular habits.

I’ll end this post with a few other good habits for using smart cellphones:

  • Enable automatic updates whenever possible. Operating system and app vendors discover security vulnerabilities and fix them all the time. Let them help you stay safe.
  • Going through the Google, Apple, and Microsoft app stores reduces risk but does not guarantee that an app is safe. Widely installed and favorably reviewed apps are the safest bet. If you must go outside the app store walled garden, be very, very careful.
  • Minimize the number of apps you have installed. If you don’t use an app, remove it. Every installed app is a potential security vulnerability. If you don’t use it, why let it increase the chance that you will be hacked?
  • Lock your phone. Entering a PIN is a pain, but leaving your unlocked phone next to a coffee shop cream pitcher or among the half-inch copper elbow fittings at Home Depot could be the prelude to a disaster. I have concerns with biometrics like facial and fingerprint scans, but they are better than nothing if you can’t be bothered with anything more secure. Some phones can stay unlocked at trusted locations, like home and work. That trades some security for convenience, so consider it only where you also control who can pick up the phone.

Periodically restarting your phone is the simplest step you can take. Do it. Wait a day or two. Do it again.

Windows 11? Is Redmond Crazy?

Folks have gotten used to Windows 10. Now Microsoft is pulling out the rug with a new version of Windows. When I heard of Windows 11, my first thought was that the disbanded Vista product team had staged an armed coup in Bill Gates’ old office and regained control of Windows. I haven’t installed Windows 11, although grandson Christopher has. He doesn’t like it.

I think Microsoft has something cooking in Windows 11.

Microsoft releases

New releases of Windows are always fraught. Actually, new releases of anything from Microsoft get loads of pushback. Ribbon menu anxiety in Office, the endless handwringing over start menus moving and disappearing in Windows. Buggy releases. It goes on and on.

Having released a few products myself, I sympathize with Microsoft.

Developers versus users

A typical IT system administrator says “Change is evil. What’s not broke, don’t fix. If I can live with a product, it’s not broke.” Most computer users think the same way: “I’ve learned to work with your run down, buggy product. Now, I’m busy working. Quit bothering me.”

Those positions are understandable, but designers and builders see products differently. They continuously scrutinize customers using a product, and then ask how it might work more effectively, what users might want to do that they can’t, how they could become more productive and add new tasks and ways of working to their repertoire.

Designers and builders also are attentive to advances in technology. In computing, available processing capacity, storage volume, and network bandwidth have roughly doubled every couple of years for decades. In a word, speed. 2021’s smartphones dwarf supercomputers from the era when Windows, and its predecessor DOS, were invented.

No one ever likes a new release

At its birth, Windows was condemned as flashy eye candy that required then-expensive bit-mapped displays and sapped performance with intensive graphics processing. In other words, Windows was a productivity killer and an all-round horrible idea, especially to virtuoso users who had laboriously internalized all the command line tricks of text interfaces. Some developers, including me, for some tasks, still prefer a DOS-like command line to a graphic interface like Windows.

However, Windows, and other graphic interfaces such as X on Unix/Linux, were rapidly adopted as bit-mapped displays proliferated and processing power rose. Today, character-based command line interfaces are almost always emulated inside a graphical interface when paleolithic relics like me use them. Pure character interfaces are still around, but mostly on the tiny LCD screens of printers and kitchen appliances.

Designers and builders envisioned the benefits from newly available hardware and computing capacity and pushed the rest of us forward.

Success comes from building for the future, not doubling down on the past. But until folks share in the vision, they think progress is a step backwards.

Is the Windows 11 start menu a fiasco? Could be. No development team gets everything right, but I’ll give Windows 11 a spin and try not to be prejudiced by my habits.

Weird Windows 11 requirements

Something more is going on with Windows 11. Microsoft is placing hardware requirements on Windows 11 that will prevent a large share of existing Windows 10 installations from upgrading. I always expect to be nudged toward upgraded hardware. Customers who buy new hardware expect to benefit from newer more powerful devices. Requirements to support legacy hardware are an obstacle to exploiting new hardware. Eventually, you have to turn your back on old hardware and move on, leaving some irate customers behind. No developer likes to do this, but eventually, they must or the competition eats them alive.

Microsoft forces Windows 11 installations to be more secure by requiring a higher level of Trusted Platform Module (TPM) support: TPM 2.0, alongside UEFI Secure Boot and a relatively recent CPU. A TPM is a microcontroller that supports several cryptographic security functions, such as sealing disk encryption keys and attesting that the boot sequence has not been tampered with, which help verify that users and computers are what they appear to be. TPMs are usually implemented as a discrete chip or as firmware running inside the CPU (an fTPM), and they can be virtualized for virtual machines. Many Windows 10 machines have only TPM 1.2, or have a capable TPM that is simply switched off in firmware settings, which is worth checking before writing a machine off. Requiring TPM 2.0 makes sense in our increasingly compromised world.

But the Windows 11 requirements seem extreme. As I type this, I am using a ten-year-old laptop running Windows 10. For researching and writing, it’s more than adequate, but it does not meet Microsoft’s stated requirements for Windows 11. I’m disgruntled and I’m not unique in this opinion. Our grandson Christopher has figured out a way to install Windows 11 on some legacy hardware, which is impressive, but way beyond most users and Microsoft could easily cut off this route.

I have an idea where Redmond is going with this. It may be surprising.

Today, the biggest and most general technical step forward in computing is the near-universal availability of high-capacity network communications channels. Universal high-bandwidth Internet access became a widely accepted national necessity when work went online through the pandemic. High-capacity 5G cellular wireless networks are beginning to roll out. (What passes for 5G now is far beneath the full 5G capacity we will see in the future.) Low earth orbit satellite networks promise to link isolated areas to the network. Ever faster Wi-Fi local area networks offer connectivity anywhere.

This is not fully real. Yet. But it’s close enough that designers and developers must assume it is already present, just like we had to assume bit-mapped displays were everywhere while they were still luxuries.

What does ubiquitous high bandwidth connection mean for the future? More streaming movies? Doubtless, but that’s not news: neighborhood Blockbuster Video stores are already closed.

Thinking it through

In a few years, every computer will have a reliable, high capacity connection to the network. All the time. Phones are already close. In a few years, the connection will be both faster and more reliable than today. That includes every desktop, laptop, tablet, phone, home appliance, vehicle, industrial machine, lamp post, traffic light, and sewer sluice gate. The network will also be populated with computing centers with capacities that will dwarf the already gargantuan capacities available today. Your front door latch may already have access to more data and computing capacity than all of IBM and NASA in 1980.

At the same time, ransomware and other cybercrimes are sucking the life blood from business and threatening national security.

Microsoft lost the war for the smartphone to Google and Apple. How will Windows fit in the hyperconnected world of 2025? Will it even exist? What does Satya Nadella think about when he wakes late in the night?

Windows business plan

The Windows operating system (OS) business plan is already a holdout from the past. IBM, practically the inventor of the commercial operating system, de-emphasized building and selling OSs decades ago. Digital Equipment Corporation (DEC), a stellar OS builder, is gone, absorbed first by Compaq and then by HP. Sun Microsystems, another OS innovator, is buried in the murky depths of Oracle. Apple’s macOS is built on Darwin, an open source core with deep FreeBSD roots. Google’s Android sits on the Linux kernel. Why have all these companies gotten out of, or never entered, the proprietary OS development business?

Corporate economics

The answer is simple corporate economics: there’s no money in it. Whoa! you say. Microsoft made tons of money off its flagship product, Windows. The key word is “made” not “makes.” Making money building and selling operating systems was a money machine for Gates and company back in the day, but no longer. Twenty years ago, when Windows ruled, the only competing consumer OS was Apple, which was a niche product in education and some creative sectors. Microsoft pwned the personal desktop in homes and businesses. Every non-Apple computer was another kick to the Microsoft bottom line. No longer. Now, Microsoft’s Windows division has to struggle on many fronts.

Operating systems built on open source cores (Android, Apple’s Darwin-based macOS, and the many flavors of Linux) are all fully competitive in ease of installation and use. They weren’t in 2000. Now they are slick, polished systems with features comparable to Windows.

To stay on top, Windows has to out-perform, out-feature, and out-secure these formidable competitors. In addition, unlike Apple, part of the Windows business plan is to run on generic hardware. Developing on hardware you don’t control is difficult. The burden of coding to and testing on varying equipment is horrendous. Microsoft can make rules that the hardware is supposed to follow, but in the end, if Windows does not shine on Lenovo, HP, Dell, Acer, and Asus, the Windows business plunges into arctic winter.

With all that, Microsoft is at another tremendous disadvantage. It relies on in-house developers cutting proprietary code to advance Windows. Microsoft’s competitors rely on foundations that coordinate independent contributors to open source code bases. Many of these contributors are on the payrolls of big outfits like IBM, Google, Apple, Oracle, and Facebook.

Rough times

Effectively, these dogs are ganging up on Microsoft. Through the foundations (Linux, Apache, Eclipse, and so on) these corporations cooperate to build basic utilities, like the Linux OS, instead of each building them alone. This saves a ton of development costs. And, since the code is controlled by a foundation in which they own a stake, they don’t have to worry about a competitor pulling the rug out from under them.

Certainly, many altruistic independent developers contribute to open source code, but not a line they write gets into key utilities without the scrutiny of the big dogs. From some angles, the open source foundations are the biggest monopolies in the tech industry. And Windows is out in the cold.

What will Microsoft do? I have no knowledge, but I have a good guess that Microsoft is contemplating a tectonic shift.

Windows will be transformed into a service.

Nope, you say. They’ve tried that. I disagree. I read an article the other day declaring Windows 11 to be the end of Windows as a Service, something that Windows 10 was supposed to be but failed at, because Windows 11 is projected to get yearly rather than semiannual feature updates. Windows 11 has annoyed a lot of early adopters and requires hardware upgrades that a lot of people think are unnecessary. What’s going on?

Windows 10 as a service

The whole idea of Windows 10 as a service was lame. Windows 10 was (and is) an operating system installed on a customer’s box, running on the customer’s processor. The customer retains control of the hardware infrastructure. Microsoft took some additional responsibility for software maintenance with monthly patches, cumulative updates, and regular drops of new features, but that is nowhere near what I call a service.

When I installed Windows 10 on my ancient T410 ThinkPad, I remained responsible for installing applications and adding or removing memory and storage. If I wanted, I could rename the Program Files directory to Slagheap and reconfigure the system to make it work. I moved the Windows system directory to an SSD for a faster boot. And I hit the power switch whenever I feel like it.

Those features may be good or bad.

As a computer and software engineer by choice, I enjoy fiddling with and controlling my own device. Some of the time. My partner Rebecca can tell you what I am like when a machine goes south while I’m on a project that I am hurrying to complete with no time for troubleshooting and fixing. Or my mood when I tried to install a new app six months after I had forgotten the late and sporty night when I renamed the Program Files directory to Slagheap.

At times like those, I wish I had a remote desktop setup, like we had in the antediluvian age when users had dumb terminals on their desks and logged into a multi-user computer like a DEC VAX. A dumb terminal was little more than a remote keyboard with a screen that showed keystrokes as they were entered, interleaved with a text stream from the central computer. The old systems had many limitations, but a clear virtue: a user at a terminal was only responsible for what they entered. The sysadmin took care of everything else. Performance, security, backups, and configuration, in theory at least, were system problems, not user concerns.

Twenty-first century

Fast forward to the twenty-first century. The modern equivalent of the old multi-user computer is a user with a virtual desktop service running in a data center in the cloud, a common setup for remote workers that works remarkably well. For a user, it looks and feels like a personal desktop, except it exists in a data center, not on a private local device. All data and configuration (the way a computer is set up) is stored in the cloud. An employee can access their remote desktop from practically any computing device attached to the network, provided they can prove their identity. After they log on, they have access to all their files, documents, processes, and other resources in the state they left them, or in the case of an ongoing process, in the state the process has reached.

What’s a desktop service?

From the employee’s point of view, they can switch devices with abandon. Start working at your kitchen table with a laptop, log out in the midst of composing a document without bothering to save. Not saving is a little risky, but virtual desktops run in data centers where events that might lose a document are much rarer than tripping on a cord, spilling a can of Coke, or the puppy doing the unmentionable at home. In data centers, whole teams of big heads scramble to find ways to shave a minute of downtime a month.

Grab a tablet and head to the barbershop. Continue working on that same document in the state you left it instead of thumbing through old Playboys or Cosmos. Pick up again in the kitchen at home with fancy hair.

Security

Cyber security officers have nightmares about employees storing sensitive information on personal devices that fall into the hands of a competitor or hacker. Employees are easily prohibited from saving anything from their virtual desktop to the local machine where they are working: session policies can disable drive mapping, clipboard transfer, and file downloads. With reliable and fast network connections everywhere, employees have no reason to save anything privately.

Nor do security officers need to worry nearly as much about patching vulnerabilities on employee gear. As long as the employee’s credentials are not stored on the employee’s device, which is relatively easy to prevent, there is little for a hacker to steal at rest. The remaining risk is the live session: a compromised endpoint can still log keystrokes, capture the screen, or ride an authenticated connection into the virtual desktop, so the local device still needs a current OS, and the session still deserves multi-factor authentication and short-lived tokens.

The downside

What’s the downside? The network. You have to be connected to work and you don’t want to see swirlies when you are in the middle of something important while data is buffering and rerouted somewhere north of nowhere.

However. All the tea leaves say those issues are on the way to becoming as isolated as the character interface on your electric teapot.

The industry is responding to the notion of Windows as a desktop service. See Windows 365 and a more optimistic take on Win365.

Now think about this for a moment: why not a personal Windows virtual desktop? Would that not solve a ton of problems for Microsoft? With complete control of the Windows operating environment, their testing is greatly simplified. A virtual desktop local client approaches the simplicity of a dumb terminal and could run on embarrassingly modest hardware. Security improves markedly: a process running in a well-run data center is much harder to reach than one on a home laptop. The big hacks of recent months have largely hit lackadaisically secured corporate networks rather than the hardened cores of major data centers.

It also solves a problem for me. Do I have to replace my ancient, but beloved, T410? No, provided Microsoft prices personal Windows 365 reasonably, I can switch to Windows 365 and continue on my good old favorite device.

Marv’s note: I made a few tweaks to the post based on Steve Stroh’s comment.

More on Colonial Pipeline Ransomware

Yesterday, I predicted that slugging taxpayers in the wallet would inspire some action against cybercrime. I may have been right.


First, Bloomberg reported that the ransom had been paid, but that the decryption tool, bought with a ransom of nearly $5 million, was so slow that restoring the systems from backups was faster. Score 1 for Colonial Pipeline’s competent IT department, rotten tomatoes to the management team that decided to knuckle under.

I must note that I have not found Bloomberg’s statement that the backups were faster confirmed in other sources. Bloomberg has argued that paying ransomware pirates is bad policy. I agree.

Paying ransoms encourages criminals to go back for more. Recovering from backups is often cheaper and more effective.


Think about this: after the ransom is paid, what incentive does a hacker have to develop a quick and efficient tool to reverse the damage? I expect hacking shops have a quality assurance program as good as any development shop’s for the shutdown side of the business, but I’ll also bet that untested code straight from a developer’s desk is considered good enough for a recovery tool. That buggy recovery tool is what the ransom pays for. Doesn’t sound like a good deal to me.

Solid basic IT administration is based on disaster preparedness. A well-prepared IT department that encourages good security practices, like strong passwords and phishing awareness, is stronger enterprise protection than funds set aside to pay ransoms.

“We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

President Joe Biden, remarks on pipeline incident, 5/13/21

The news I found most interesting came from Brian Krebs of KrebsOnSecurity (no relation to Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency). Krebs was not the only source of the information, but he gathered up the reports from several sources.

Apparently, DarkSide, the outfit behind the Colonial attack, has shut down. The story is still a bit confused, but it starts with DarkSide posting on its dark web site that it will be nicer in the future. Right. Not long after, its bitcoin wallet was emptied and several of its servers went offline, effectively putting the group out of business.

Who shut DarkSide down is not clear. They may have done it themselves out of fear of government reprisals. Or the shutdown may have been a government reprisal. If it was a reprisal, previously unknown techniques were used.

We will have to wait to find out. However, I note the line in President Biden’s Thursday remarks quoted above: the administration intends to pursue measures to disrupt the gangs’ ability to operate, and the Justice Department has launched a task force to prosecute ransomware hackers.

If the shutdown of DarkSide was in fact the result of U.S. Department of Justice actions, we are finally seeing a serious federal response to cybercrime.

Serious Ransomware: Colonial Pipeline

Last Friday, Colonial Pipeline, operator of the largest refined-products pipeline in the U.S., running from Texas to New Jersey, was struck with ransomware. Today, U.S. gasoline prices are the highest since 2016 and pumps are running dry on the east coast, a direct consequence of the attack.

If you have followed my posts on ransomware and cybersecurity in general, you know that I rant on the dangerous condition of industrial cybersecurity in the U.S. Maybe Cassandras like me will get some attention now that disregard for cybersecurity has slugged the average taxpayer in the wallet.


Colonial Pipeline

Colonial says they will be back in operation by the end of the week. We will see. The average ransomware recovery time is over 15 days, which predicts another week of disruption. Time to recover depends on a number of things. The size of the enterprise matters; the more complex and extended the system, the longer it takes to bring the system back. Recovery also depends on how prepared Colonial’s IT team is for a ransomware attack. I notice the Dow is dropping today, probably due to gas shortage jitters, which suggests that the smart guys on Wall Street are not confident of a quick recovery from Colonial.

Colonial is big and complex. It is not clear whether the attackers reached the pipeline’s supervisory control and data acquisition (SCADA) systems. The pipeline was shut down all the same, which means either that the attack went beyond the usual accounting and HR systems, or that Colonial halted operations as a precaution while it could not trust the business systems that meter and bill the product it moves.

Here in Whatcom County, we had some experience with a pipeline SCADA failure in 1999, when about 237,000 gallons of gasoline flowed into Whatcom Creek and caught fire. A fisherman and two boys playing along the creek died. Property damage was at least $45 million. The direct cause was accidental damage to the pipe from excavation years earlier, but the National Transportation Safety Board investigation concluded that the spill could have been prevented if the SCADA system had functioned properly. There were clues that the SCADA system had been hacked, but not enough evidence to be certain. (I discuss SCADA vulnerabilities in some detail in my book, Personal Cybersecurity.)

DarkSide

The FBI reports that the attack came from a Russian criminal group called DarkSide. The group is not known to be directly affiliated with the Russian government, but the government turns a blind eye to DarkSide attacks on non-Russian targets. Effectively, DarkSide operates like an 18th-century privateer marauding foreign shipping on the high seas under royal protection. DarkSide runs a ransomware-as-a-service operation, renting its software to affiliates who carry out the intrusions; which affiliate hit Colonial has not been reported.

Who’s to blame?

Blaming Colonial for the breach may come easy. My personal experience with industrial cybersecurity is not good. Industries with high fences and tight physical security, like energy corporations, are often dismissive of cybersecurity threats, preferring to rely on their raw physical defenses. Colonial may be the exception, but I’m reminded of the recent SolarWinds hack that was the result of a totally avoidable bonehead password mistake. If something similar emerges, Colonial’s IT department will be roasted on a spit.

Nevertheless, I am sympathetic. Colonial Pipeline and many other ransomware victims are being attacked with the aid of a foreign government. Of course they bear some responsibility for their own security, but when a foreign government attacks, they should reasonably expect that government resources will lead the defense.

If a refinery were threatened by incoming ballistic missiles from North Korea, we would look to the Department of Defense to deflect the attack. We would see the missiles as an attack on our nation. Would anyone fault a corporation for building a refinery without an anti-missile defense system? They would be in trouble if they tried!

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses. Today, responsibility for cyber defense is divided among the Department of Defense, Homeland Security (including CISA), and other agencies, including the National Institute of Standards and Technology (NIST) in the Department of Commerce.

How we lose

This is the way to lose. Ransomware is just one manifestation of the ways in which nations are attacking on the cyber front. North Korea steals cash. China steals intellectual property on covid-19. Russia disrupts pipelines. These are existential threats. A disconnected defense is suicide by disorganization.