The FCC Net Neutrality Act Pits Free Speech vs. Bots: The Machines are Winning!

Well, it looks like a free and open Internet is turning into a Terminator movie, pitting average individuals’ ability to comment on laws and regulations that are the lifeblood of democracy against unidentified special actors that wish to skew the FCC’s view of what the public thinks by flooding it with comments submitted by automated bots.

The Humans

With an issue like this you would think that it would be some group like the EFF or ACLU.  No, the man leading the charge is John Oliver.

 

John’s Last Week Tonight show on HBO presented a story on how Ajit Pai, the new head of the FCC, is looking to reverse the Net Neutrality protections under the Obama Administration. Pai has opened comment on ending the Title 2 provisions of the current regulations. He placed a form to elicit public comment on the FCC website, buried several layers deep so that most people would be hard pressed to find it.

In his typical half-satirical / half-activist manner, John Oliver provided a shortcut to the page under the domain www.gofccyourself.com, imploring people to go and post against Pai’s move to allow Internet Service Providers to give preference to some company sites over others while you are looking at a spinning circle or hourglass waiting for your web page to come up.

The Machines

Within a couple of days of the show, news reports surfaced that the FCC site was under a Bot attack posting comments calling for the proposed changes.

Anti-net neutrality spammers are flooding FCC’s pages with fake comments 

Their comments, all 128,00 of them and counting, say:

“The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation,” the comment says. “I urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.”

The reason people are sure that it is a Bot attack is because the comments were exactly the same.

What is at Stake

As a strong proponent of Net Neutrality, I see it as an extension of the right of free speech and free enterprise on an individual level.

Imagine calling your favorite pizza place and getting a message to try later, but having no problem getting through to Domino’s or Papa John’s. This analogy might be lost on the rest of the Nation, but New Yorkers know what I am talking about. Oh you know, you definitely know.

Who’s Winning?

That is how important this issue is, but you can’t. When you go to the link, you receive this message, which refers to this FCC announcement:

 

GUIDANCE ON THE FCC’S SUNSHINE PERIOD IN THE RESTORING INTERNET FREEDOM PROCEEDING

You can only email or call your comments to:

ECFSHelp@fcc.gov  or at 202-418-0193.

The Machines are Winning!

Senate Votes 50-48 To Allow ISPs To Sell Your Data

The U.S. Senate voted 50-48 to eliminate the FCC’s new privacy rules, which were supposed to go into effect soon. Killing these rules would mean that ISPs will be able to freely track your online behavior and then sell your data to advertisers.

Source: Senate Votes 50-48 To Allow ISPs To Sell Your Data

 

In a continuing trend of the loss of individual control of Data Privacy, the Senate has voted to overturn the FCC rules requiring your Internet Service Providers to get your permission to use your data such as email address, browsing activity, and location so that they can sell it to whomever they want.

What Was Overturned?

Below are the basic premises that the vote overturned:

  • Require internet service providers (ISPs) to ask for permission before collecting sensitive information such as content of communications, precise geo-location, financial information, and more

  • Allow users to opt-out of giving ISPs non-sensitive information such as email addresses

  • Only allow ISPs to collect basic service information without which the service couldn’t be provided without any kind of consent from their customers

  • Notify customers within 30 days that their data has been stolen in a data breach

When you read this list, it seems pretty reasonable. It primarily said that you pay for a service, and the information about you using that service can’t be collected and distributed without you saying so, and if that data is stolen, you are told about it.

The Cable companies claimed they are on unequal footing with companies like Google and Facebook who are held to less stringent FCC requirements.  I find this argument weak in two respects.

1) Most of those services are “free” services in that they do not charge you a monetary fee. They make their money on your data, and are somewhat up front about it. Your internet provider charges you a fee based on a level of service. Why should they get to double-dip on their captive audience?

2) While you might find it difficult, you can avoid those services if you wish to. They offer you the option to “opt-out”, although you probably won’t be able to access the service. There are other search engines and social media services you can choose. You can even employ Tor browsers and VPN services to anonymize your online activity. Changing your internet provider is difficult, if you have options in your market.

Fifty Senators voted to remove these protections from individuals. Thankfully, neither of my Senators did. Now many will argue, but I believe that you pay for that Right to Privacy. If it is not under the 9th Amendment, it probably is under the 4th Amendment (the right of a person to be secure within their home). If you don’t think that you are entitled, look at your Cable/Internet and Cellphone Bill (that’s right, your phone activity is included in the ruling as well). You pay for that right and the freedom to give information about yourself when you see fit.

 

What Does this Mean to Us?

What does this mean to the average consumer?

  • More Spam mail
  • More advertisements
  • Greater risk of your data being exposed to data breaches

Will costs go down? Not likely. Even though the data is your asset, there is nothing to compel your internet service provider to pay you back. Even the power company has to pay you, by law, if you generate. Your data is powering the on-line business economy. Shouldn’t these utility providers be held to the same standard?

 

 

 

There’s an app for that (but it might be fake) | Consumer Information


Last night the Department of Homeland Security posted an Alert concerning the Rise of “Fake” Mobile apps and the risks they pose to Consumers.

The Federal Trade Commission (FTC) has released an alert on fraudulent mobile apps designed to exploit consumers. Some fake apps may steal personal information such as credit card numbers. By taking precautions, users can protect themselves and their private data.

US-CERT encourages users and administrators to refer to the FTC Scam Alert and background article on Understanding Mobile Apps. For more information, see the US-CERT Tip on Cybersecurity for Electronic Devices.

Here is the link to the FTC article: There’s an app for that (but it might be fake) | Consumer Information.

I would also suggest reading their Background article on Mobile Apps.  Understanding Mobile Apps

Before going to the App Store, the FTC suggests going to the website of the company or organization that the app is supposed to belong to, verifying that they publish an app, and following their link for it to the Store.

The FTC also suggests a web search with the company’s name and “fake app”. I did a couple of searches and I came across articles, published statements, and white papers, but nothing in terms of a resource that the average consumer could use. I looked to see if there is a list of the fake apps out there. I have yet to come across one, hopefully because they are taken down as soon as they are identified. Also, I have yet to find anything on what happens to remediate devices that already have fake apps loaded on to them.

It will be interesting to see if Google and Apple respond to this, since both claim that they review the apps. I listed their policies below:

Apple App Store Review Guidelines.

Google Play App Deployment Policy Guidelines

In my post on The Value of Augmented Reality, I touched upon how we give up Privacy for convenience. Nowhere is that more prevalent than with Mobile Apps. Many of us will be in a store or mall, or hear by word of mouth, and download an app and use it. Now you might not just be giving up your information, but your hard-earned money.

A little checking might go a long way in keeping your Holiday Season Happy.

 

2 Weeks Before Google’s Naughty List Starts


If you celebrated Christmas, there was always the twinge of doubt as a kid whether you were on Santa’s Nice list (or Naughty, perish the thought). Now, you get to have that same feeling, but this time it’s Google making the list starting in January. And whether you are involved in managing a website or just “collateral damage”, you might get the digital equivalent of coal in your stocking.

How Google Chrome is Pushing the Move to More Secure Web Browsing

In 2014, Google started putting forward the idea that all web communications should be secure. They backed this up by using a page’s security as a factor in its search ratings and called on the community to move to encrypted communications. The goal of this proposal is to more clearly display to users that HTTP provides no data security.

We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure.

 

Back in September, Google announced that their upcoming release of Chrome 56 will start noting which sites are not secured by SSL. Chrome use is estimated at 74% of the browser market. Google’s announcement is only supposed to affect pages that contain credit card information and password fields. Supposedly, this will be posted page by page, but an insecure note will also appear on the top level page of the site. In addition, Google is going to report insecure warnings on sites that are secured by SHA-1, due to the vulnerability of the algorithm. Now, the deadline is almost here.


 

This will be followed up by Google’s call to report only digital certificates that meet its Certificate Transparency policy by October 2017.

Most larger companies that run their own websites and have security programs have probably already updated their sites, although there are examples to the contrary. The people who might see a greater impact from these enhancements are small businesses, small non-profits and bloggers who might be running their own sites and have not thought about securing them, or whose current hosting plans do not offer it.

What are your options?

Do Nothing

Maybe you don’t care that your site will be branded as insecure or move down the search ranks, or you don’t do ecommerce. That might be okay for now, but Google’s plan is to eventually block all non-secure traffic. So far, there has been no announced date when it will be implemented.

Purchase a Certificate

Depending on your hosting company, many hosting companies offer the . I have seen them run from $50 to $300 per year. If you have multiple domains, some of these vendors offer package deals. There are also the traditional services like Verisign and Entrust, who have been creating and verifying certificates for decades. If you do purchase one, make sure that they will adhere to Certificate Transparency.

Obtain a free certificate from a Certificate Authority

There are several options to obtain a free SSL certificate. Let’s Encrypt, one of the fastest growing options, is an open certificate issuing authority run by the Internet Security Research Group (ISRG). It is supported by a number of companies including Cisco, HP, Mozilla, Facebook, Shopify, GoDaddy, Squarespace, and Google Chrome. Let’s Encrypt is having a sizable impact on the SSL certificate market. According to Let’s Encrypt, they have issued over 5 million certificates. While there might not be an economic charge, it does not come without a cost. The certificate is for non-commercial use and is only valid for 3 months, meaning that you would need to renew it 4 times a year. Let’s Encrypt says that this is by design to ensure that unused and unmanaged certificates are expired relatively quickly.

Installing and requesting a Let’s Encrypt Certificate

Usually, certificate installation requires some technical expertise. To set up a Let’s Encrypt certificate you need to install Git, the source code management tool. I was doing this work on an Ubuntu test server that was set up to host websites. The Git install was a little bumpy because a number of the required packages that Git assumed would be on the server were not present. Once I ironed out the issues with Git, I was ready to start the Let’s Encrypt install.

The Let’s Encrypt install comes down to three steps:

  • Clone the Let’s Encrypt Git package

sudo git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

  • Install the Let’s Encrypt installation files

./letsencrypt-auto --help

  • Request a certificate.

./letsencrypt-auto --apache -d your-domain-name

The command above is if you are installing on an Apache webserver.  There are options for nginx, webroot, and a standalone option as well.

You need to accept their Subscriber Agreement before the certificate request will continue. Once you accept the agreement, you will also have to make a decision whether you will force all traffic to be HTTPS or if you will allow a combination of HTTP and HTTPS. This decision is a little more complicated considering Google’s plans to make the Internet more secure.

  • Allowing HTTPS traffic only can be more disruptive to your users initially, because users who have bookmarked your site or hyperlinked to it might find that their links no longer work. (You can make changes to the .htaccess file on your server to re-point HTTP traffic to HTTPS.)
  • Allowing a combination of HTTP and HTTPS traffic exposes your site to Google’s crackdown on HTTP and “insecure” algorithms, for which there is no set schedule.

I liken it to whether you prefer to peel the band-aid off slowly with less pain longer or just rip it off and get the pain over with.

Let’s Encrypt recognizes that most people are not really excited about having to manually renew their certificates every three months, so there is a command line statement that can be set up as an automated job. They offer instructions on how to set it up in their User Guide.
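The HTTPS-only choice and the renewal job described above, as an added shell example that is not from the original post or from Let’s Encrypt. It puts the redirect at the top of .htaccess so it runs before any existing rewrite rules; the function name, the marker comment and the /opt/letsencrypt path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): force HTTPS via .htaccess.
# enable_https_redirect and the marker comment are hypothetical names.

# Put an HTTP -> HTTPS redirect at the top of an .htaccess file, exactly once.
# It goes first so it runs before existing rules (for example a CMS front
# controller rule ending in [L]) get a chance to rewrite the request.
# Needs mod_rewrite and an AllowOverride setting that permits these rules.
# Caveat: behind a proxy that terminates TLS, %{HTTPS} is always "off" and
# this rule would loop; test the proxy's forwarded-protocol header instead.
enable_https_redirect() (
    htaccess=$1
    marker='# BEGIN force-https (added example)'
    if [ -f "$htaccess" ] && grep -qF -- "$marker" "$htaccess"; then
        echo "already present"
        exit 0
    fi
    tmp=$(mktemp) || exit 1
    {
        cat <<EOF
$marker
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END force-https

EOF
        if [ -f "$htaccess" ]; then
            cp -p "$htaccess" "$htaccess.bak"   # keep a copy to roll back to
            cat "$htaccess"
        fi
    } > "$tmp"
    # Write through the existing file so its owner and mode are preserved
    # (mktemp files are mode 0600, which the web server could not read).
    cat "$tmp" > "$htaccess"
    rm -f "$tmp"
    echo "added"
)

# Demo on a constructed .htaccess in a scratch directory.
scratch=$(mktemp -d)
printf '%s\n' '# BEGIN WordPress' 'RewriteRule . /index.php [L]' '# END WordPress' \
    > "$scratch/.htaccess"
enable_https_redirect "$scratch/.htaccess"     # added
enable_https_redirect "$scratch/.htaccess"     # already present
cat "$scratch/.htaccess"
rm -rf "$scratch"

# Renewal as an automated job: a crontab line such as the following tries
# twice a day; "renew" only replaces certificates that are close to expiry.
# /opt/letsencrypt is an assumed location for the Git clone.
#   17 3,15 * * * /opt/letsencrypt/letsencrypt-auto renew --quiet
```

A permanent (301) redirect is cached by browsers, so confirm that the HTTPS site loads correctly before enabling it.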

How this affects You

Forewarned is forearmed. If you are a Chrome user, you will most likely see this play out in some fashion. It won’t happen all at once either. It will roll out as people start to update their browsers. So whether it’s little red lines showing up on your browser or a security message on your browser where you expected page information to be, it is another little annoyance that we must endure in the constantly connected and always-under-attack world of Cyberspace.

 

Yahoo Hack Exposes 500 Million Accounts

 


News came out that Yahoo had a data breach in 2014 that exposed names, email addresses and dates of birth. One particularly disturbing bit of information is that hash data as well as the security question information was also exposed.

Yahoo warns users at least 500 million accounts were hacked

Yahoo claims that the attack was from a “state-sponsored” organization and that they are no longer in Yahoo’s systems. The attack came to light in August, a week after the announcement of Verizon’s purchase of Yahoo, but was only reported now that Yahoo knew the full extent of the exploit.

Verizon Announces $4.8 Billion Deal for Yahoo’s Internet Business

 

In their security statement, Yahoo is suggesting that users change their passwords if they have not done so since 2014. They have invalidated users’ security questions, and they are suggesting that you review all account activity, even your financial accounts, for irregular activity.

Account Security Issue FAQs

They are suggesting that users use Yahoo’s Account Key to store all your passwords, which in Yahoo’s case might be like putting the fox in charge of the hen house. (or at least collecting all the eggs and telling the foxes they are all here!).

Do you want to trust all of your on-line account information to someone who had a data breach and did not know or report it for 2 years? If you want to pursue this route, there are other services that you can look at to protect yourself and your data.

Regardless, this type of service would not have helped protect you from being exposed. Will Verizon’s takeover help Yahoo’s services or expose Verizon’s?

 

The Value of Augmented Reality


 

Augmented Reality has been around for a while, first starting in the military as Heads-Up Displays (HUD), then moving to Cadillac windshields and Google Glasses. But it never really took off in the consumer market until a bunch of almost forgotten Pocket Monsters got the world to sit up and take notice of the possibilities that these technologies offer.

Janus recently published an article discussing the value of Pokémon Go, the technology that it employs, and its implications as a market disrupter.

Insights in Action | Pokémon Go: Going Beyond Gaming

The article discusses how companies are adjusting their marketing strategies to take advantage of the popularity of the game and the advertising opportunities it offers. This trend is something that Niantic and its Poké-Partners are hoping to cash in on. And it seems that it is achieving phenomenal success. In the first 2 weeks of July, the app grossed $14.4M. Those figures have increased to $200M in sales through its first month. This is almost half of the $584M annual estimate that was predicted only a couple of weeks ago.

The End of Privacy

Will this level of activity be sustainable for Pokémon Go?  Probably not.  What is more likely, and where Yettick and Wheaton see the value for their investors is that augmented reality is being adopted and embraced.  Yettick and Wheaton say that Pokémon Go is the first mainstream augmented reality application.

In order for augmented reality to be effective, it needs:

Constant Access to Location – for augmented reality to be effective, your device needs to know exactly where you are. That means leaving on GPS and wifi location services, which costs in data charges and battery life. While battery life keeps getting better, it is not keeping pace with the demands that we place on our devices (How to Geek: HTG Explains Why is Smartphone Battery Life So Bad). A market has cropped up for battery add-ons to allow us to charge our devices on the go. GPS accuracy has improved dramatically since its civil introduction in the 1990s, and the Government continually increases the accuracy (http://www.gps.gov/systems/gps/performance/accuracy/).

 

It needs to know who you are – Knowing who you are is pretty much a fait accompli. As we give more of ourselves over to the net, we provide this information. Every time we get a store membership card, download a “free” app or service, or post an update to our friends over social media, we provide the information of “who we are” to those willing to pay for the privilege, or for free if you are willing to work for it. Using big Data tools like Hadoop and tapping into Twitter and tapping into API feed from Social Media engines like Twitter and Facebook,

It needs infrastructure to put it all together – In the developed world and major metropolitan areas, the infrastructure largely exists. Companies like GSMA Intelligence and Open Signal, who track the Global Data market, estimate that there are over 4.7 billion subscribers and coverage infrastructure rates over 60% in developed nations. LTE network coverage exists in 148 countries with 10 more scheduled to go online.

The components are there for the first and the third item. With the second item, we have provided the information and continue to do so.

How Has Advertising Lived Up to ‘Minority Report’?

I remember watching the scene in the Minority Report where Anderton is walking through the subway stations and he is being pursued by a barrage of targeted ads. By the end of the scene, there was a feeling of dread. That was 2002. Now, 14 years later, that scenario is much more real. With every app we download, with every ad we click, and with every rewards card we collect, we move closer towards that reality. The difference is that while our ads aren’t talking to us, we are bombarded with targeted ads.

https://www.youtube-nocookie.com/embed/7bXJ_obaiYQ?rel=0
This video will probably display an ad or at least provide some text to link to an ad. Your browser will probably show you ads for products and services that are based on your collected profile. The work to opt out and adjust your privacy settings

From a business perspective, companies are all in. Any business can go in on Facebook and Google, define a budget and start relatively easily. Price Waterhouse Coopers estimates that Internet advertising will grow 9% by 2018. VB Insight reports that companies plan to increase their Data Analysis spending 73% over the next 3 years.

Millennials and the Gen Z or iGeneration have made that decision to give up their privacy. Many live their lives as a matter of public record ( Why Millennials Don’t Worry That Much About Online Security ). They are early adopters of technology to the extent that a Pew Research study said that 8 out of 10 Millennials take their cell phones to bed. Millennials are now displacing the Baby Boomers as the most populous age group in the US. These trends bode well for the data that Augmented Reality needs to be effective and for companies who find themselves in an increasingly competitive environment to get customers’ attention.

In Summary

Based on the shifting demographics and the saturation of mobile devices, augmented reality technologies have a bright future. People are becoming increasingly time constrained and reliant on technology, particularly mobile devices, to find information. Companies are increasingly attracted to them as a method to get their names and products in front of customers. Ultimately, what is going to drive augmented reality isn’t just going to be the devices that deliver that experience, but the continuing trend of people’s willingness to give up more of themselves for convenience’s sake.

 

 

 

 

Is WordPress Site Vulnerability a Given?

On Friday June 3rd, US-CERT issued an alert for a vulnerability in the WordPress Mobile Detector Plugin. The plugin provides responsive capabilities to detect and support mobile devices. US-CERT says that the exploit is due to the fact that the plugin leaves the PHP configuration option allow_url_fopen enabled by default, which allows remote code execution. They recommend that users disable it if it is not explicitly needed.

WP Mobile Detector Vulnerability

Why Post on an Alert When They Come Out All of the Time?

From direct experience in hardening and managing a WordPress site, they seem to be pretty easy to exploit and there are a lot of them. While the numbers are a little hard to nail down, the consensus is that 26.4% of all websites, or around 74 million sites, are powered by WordPress. About half of those are managed by WordPress.com. That means that 37 million sites could be “low hanging fruit” for hackers to exploit.

In the experience that I had trying to harden the site (not this one!), there were several issues that led to Cross-site scripting exploits and storing pages for other sites to direct their users to other sites, which adversely affected the site’s on-line reputation and temporarily brought the site down.

What is the problem?

Software

A lot of it stemmed from open controls and old / unpatched software. WordPress relies on PHP and a database, which is usually powered by MySQL. Based on WordPress statistics, 61% of sites are running on deprecated PHP versions (under 5.5) and 37% on deprecated MySQL versions (under 5.5.0). That is a lot of sites running old software! In the case of this site, most of the issues resulted from the deprecated PHP version. Once that was updated, we were able to move from being reactionary to being proactive in locking down the site.

Another answer is updating your WordPress software version and patching your plugins and themes. The WordPress dashboard makes it pretty easy to identify when a plugin or theme needs to be updated. Based on the statistics, a lot more WordPress sites are up to date when it comes to the core system. WordPress is reporting that 58.3% of their sites are either on the current version, which came out about 2 months ago, or the previous version. I imagine that this is more a result of people looking for the new features available in these versions than upgrading them for security features.

PHP and MySQL are a different matter. Depending on your hosting service provider, it can require intervention from an IT professional. To update this software, some providers offer or are now offering scripts that you can implement, recognizing that exploited sites cause problems on their network. During one of the attacks on the site that I was working on, I had to be on the phone with the ISP’s tech support, and I could hear in the background that their other clients were experiencing the same issues.

As I went back through the site trying to remove any content or scripts that did not belong, my friends in the Netherlands and Russia were busy re-inserting scripts to the site.  This

Security

Using some of those skills picked up during all my time implementing and managing systems for the larger companies, I was able to identify a couple of issues.  As I was troubleshooting the site,  I saw that there was some unexplained ftp activity on the site.  Some of it I found was changes and updates being applied by the ISP in the backend.  Some of it looked like it was coming through an old ID that had an old password that wasn’t strong by today’s standards.  Disabling the old IDs and forcing password updates and complexity,

After researching, we implemented several configuration changes and plugins that help lock down the site making it more secure.  We also identified some details on who the perpetrators were tracking down their ISPs and IP addresses.  We reported them to our ISP, who seemed pretty disinterested.  This is unfortunate because until the hackers are pursued and harassed, both on-line and in Real World, there is no reason for them to stop.

We still see malicious attempts on the site, but the site is no longer the lowest hanging fruit and it seems that our friends have moved on.

Why Worry?  All I want to do is Blog.

As this went on, the ISP and services such as McAfee were scanning the site, or receiving reports back from the site that it had been compromised. This starts showing up in your Search Engine results, and that causes a reputation issue. Just cleaning up the problem doesn’t make it go away. You then have to go and request that your site be re-scanned by the ISP, and possibly have to go to sites such as TrustAdvisor (McAfee) or Norton Safe Web (Norton) Network to request that they rate it again, which can take a couple of days.

What should I Do?

 

  • Back up your WordPress site; particularly the Database – The database is where your content is stored.  If you have a good copy, you can rebuild the site.  It might be annoying, but you can do it.  Some ISPs offer back up services.
  • Make sure that your WordPress software is Up to Date (Please back up first).  Again, the Dashboard makes it pretty easy, but if you are not comfortable, seek help from someone with IT and WordPress experience.
  • Verify that your php and database versions meet the minimum recommended WordPress requirements.  Usually the http server is dictated by your ISP, but if you are building the server from scratch, you have to make the decision which one to use.  It also adds complexity to the installation.
  • Make sure that your passwords are secure.  You can use some of the tips from Ways to Protect You and Your Data.
  • Reducing access to the public_html directory should not be done without some research.  There are WordPress plugins that can assist you, but based on your level of expertise in web technologies and operating systems, these measures might be best left to someone with more experience.
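One way to check a host for the two software problems this post names, allow_url_fopen being enabled and PHP or MySQL versions under 5.5, as an added shell example that is not from the original post or from WordPress. The function names and the sample php.ini are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the effective value of a php.ini directive: the last uncommented
# assignment wins, and nothing is printed when the directive is not set.
php_ini_value() (
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$file" |
        sed 's/[[:space:]]*$//; s/^"//; s/"$//' | tail -n 1
)

# Succeed when allow_url_fopen is enabled. PHP reads On/1/True/Yes as enabled,
# and the directive is enabled by default when php.ini does not set it.
url_fopen_enabled() (
    v=$(php_ini_value "$1" allow_url_fopen | tr '[:upper:]' '[:lower:]')
    case $v in
        ''|on|1|true|yes) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Succeed when dotted version $1 is lower than $2, comparing field by field
# as numbers, so 5.10 is newer than 5.9 and "5.5.62-log" is read as 5.5.62.
version_lt() (
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && exit 0
        [ "${x:-0}" -gt "${y:-0}" ] && exit 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    exit 1
)

# Print one finding per line. The 5.5 and 5.5.0 thresholds are the
# "deprecated" cut-offs quoted in the post.
audit_wp_host() (
    ini=$1
    php=$2
    mysql=$3
    if url_fopen_enabled "$ini"; then
        echo "WARN allow_url_fopen is enabled; disable it unless explicitly needed"
    else
        echo "OK allow_url_fopen is disabled"
    fi
    if version_lt "$php" 5.5; then echo "WARN PHP $php is below 5.5"
    else echo "OK PHP $php"; fi
    if version_lt "$mysql" 5.5.0; then echo "WARN MySQL $mysql is below 5.5.0"
    else echo "OK MySQL $mysql"; fi
)

# Constructed sample input (not taken from a real server). On a real host,
# "php --ini" shows the loaded php.ini, "php -r 'echo PHP_VERSION;'" the PHP
# version, and "SELECT VERSION();" the MySQL server version.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/php.ini" <<'EOF'
; constructed sample php.ini
;allow_url_fopen = Off
allow_url_fopen = On   ; left at the default
allow_url_include = Off
EOF
audit_wp_host "$demo_dir/php.ini" 5.4.45 5.1.73
```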

 

To go back and answer the question, “Is WordPress Site Vulnerability a Given?”, I believe the answer is no, but you need to take some precautions.  If you take these steps, there is a good chance that you won’t be the lowest hanging fruit, and those who would seek to make your website a home for their exploits will move on to another site.
 

 

How to Avoid Being a Victim of Ransomware

There have been more stories in the press concerning Ransomware attacks against organizations over the last several months. Symantec estimates that the average ransom that a victim of Ransomware pays is about $300. McAfee Labs reported that it saw 1.2 million new samples of ransomware in the second quarter of 2015 alone, which is up from 400,000 in the last two years (see “‘Ransomware’ Attacks to Grow in 2016”). With that kind of explosive growth, the chances that your computer or you might be targeted are much greater.

The Problem is Getting Worse

On Tuesday May 10, 2016, members of the US House of Representatives were advised that the House has come under increasing Cyber attacks and that their Technology Services desk was shutting down access to Yahoo mail as part of their preventative measures. According to the TechCrunch article Congress warned about cybersecurity after attempted ransomware attack on House, other services like GMail and Google Apps might be next, and members have repeatedly been warned not to click on links or open email attachments from unknown sources.

 A few others that made the news are:

Hollywood Presbyterian attack in February.  While Engadget says in its Hospital ransomware: A chilling wake-up call article that the cost was only about $17,000 in actual Ransom, the real loss was that medical care was impacted by forcing staff to revert to manual processes and transferring patients to other facilities.  Thankfully, no one died.

Chino Valley Medical Center and Desert Valley Hospital in California, part of the Prime Healthcare Services, Inc., and Methodist Hospital in Kentucky were attacked in March. (Three U.S. Hospitals Hit in String of Ransomware Attacks ).   In Methodist Hospital’s case, they declared an “internal state of emergency” and resorted to recovering from backup.  They reported that they were able to run its daily operations.

The Healthcare industry is estimating that they will be spending over 305 Billion over the next 5 years!

The Response from Government

The FBI recently published a story on the increased frequency of Ransomware incidents, Incidents of Ransomware on the Rise: Protect Yourself and Your Organization. US-CERT (US Computer Emergency Readiness Team) re-published it on its email alert distribution and re-issued their US-CERT Alert (TA16-091A): Ransomware and Recent Variants.

When reading these articles, the stance law enforcement is taking to this problem is to instruct people to be aware of the risks and defend themselves from an attack. Some of the steps are common sense; some are good security practices. The FBI is taking the stance that you should not pay the ransom. In the case of the Power Worm ransomware, the ransomer cannot even recover the data due to a software bug (see, it even happens to the Bad Guys).

What Can I do?

I recently attended a Meet up of Consultants to discuss the issue and share some of the tools that we have used.  The focus of the discussion was on tools and less on best practices.

Here are some steps you can take to protect your technology Ways To Protect You and Your Data

Again, most of these steps are defensive, but at this point, reducing your exposure to attack and making yourself a smaller, tougher target is probably the best option at your disposal to defend your technology assets and your data.