Greetings, salutations, and welcome to the first edition of IT Brew, the newest addition to your inbox from Morning Brew. We’re here to talk about cybersecurity, AI, remote work, and the challenges facing the contemporary IT professional.
Why? Well, you’d be hard-pressed to find an industry more important to the behind-the-scenes of our lives than today’s IT industry. Issues like company data breaches, attacks on a country’s critical infrastructure, and phishing schemes that can cost businesses millions of dollars affect both employers and employees, and leave IT professionals wondering how best to keep up with the rapidly changing nature of cybersecurity and computer systems.
The ongoing pandemic—yes, still—has flipped the concept of going to work on its head, and IT teams are the backbone of that transition. Managing remote workers, securing hybrid offices, and battling for bigger budgets is a part of the IT professional’s new normal. And with over 80% of employers in a PwC survey stating that their businesses have been more successful since shifting toward a remote-friendly workplace, the new normal isn’t going away any time soon.
Which brings me to you, dear reader. IT Brew is for you, the IT professional. It’s for the CISO and sysadmin who want to keep current with the thoughts and concerns of their colleagues and peers. We’re here to help those making decisions make the right ones, both for themselves and for the people they’re helping. We also want to tell stories that aren’t being told about the nitty-gritty of the IT business, and help you answer questions you’ll face daily. How can you secure data, even for the most forgetful of us? How do you source new vendors? Who gets priority when it comes to support, blustery execs or customers with legitimate issues? How do you spell Kubernetes?
I am IT Brew’s editor and emcee, Patrick Lucas Austin. I’ve covered technology for over a decade for outlets like Time, Ars Technica, and Consumer Reports, and, in a past life, was part of a medical-imaging company’s IT team. Joining all of us on this journey is senior reporter Tom McKay, formerly of Gizmodo, where he wrote about cybersecurity and the spread of online hate groups. Also joining us is reporter Billy Hurley, who’s covered everything from EV battery tech and cloud computing to developments in space exploration.
We’re still kicking the tires over here, so please let us know what you think. We’d love to hear your thoughts on everything from stories to our format. Enjoy!—PLA
In today’s edition:
Text troubles
Cloud confusion
—Tom McKay, Billy Hurley, Patrick Lucas Austin
SMS-based scams—or, as they’re annoyingly known, “smishing”—are far from new. But as the data shows, they’ve exploded in recent years:
- According to anti-spam firm Teltech, scammers sent 11.6 billion texts over US wireless networks in March 2022, up 30% from the month prior.
- Instances of text-message fraud reported by consumers to the FTC rose from roughly 335,000 to 370,000 from 2020 to 2021, with reported losses rising from $86 million to $131 million.
With so many people working from home, new variants such as the boss text scam—in which attackers spoof a manager’s number to trick a subordinate into purchasing gift cards or transferring cash—are increasingly a security concern for organizations. Targeting employees on their personal devices helps bypass whatever security protections might be in place on employer-run systems.
Tough times, easy money
According to Mark Lanterman, the chief technology officer of Computer Forensic Services, smishing attacks tend to be simple and profitable because targets often don’t bother to take basic precautions.
“I think that we, as consumers, have become a little complacent…We think it’ll never happen to us, and then when it does, we’re outraged, even though we didn’t bother to follow even the simplest security precautions,” Lanterman said.
Independent security researcher Darren Martyn wrote in an email to IT Brew that smishing is now “a lot easier to pull off than email-based phishing,” as bulk SMS is cheap and has no protocols to discern authenticity.
“Mobile carriers also generally don’t do any real spam filtering or anything on SMS, so you are virtually guaranteed delivery,” Martyn wrote. “People get used to clicking shit they get in texts.”
According to Martyn, some of the largest smishing cash grabs he’s witnessed have been social-engineering scams targeting cryptocurrency investors. While the rest tend to be “wide net” operations intending to pocket “relatively small amounts of money or data from lots of people,” higher-tier threats “absolutely” use smishing to target organizations, he added.
Lanterman said that while SMS alone rarely results in tremendous scores for cybercriminals, multi-vector attacks such as utilizing fake emails in conjunction with the texts have been disastrous, citing a 2016 attack on a pharmaceutical company in which scammers pretended to be the company’s CEO and tricked an accounts payable coordinator, and allegedly the company’s bank, into wiring over $50 million.
How to not get smished
Lanterman and Martyn agree on two main steps organizations can take to protect themselves from SMS attacks: limiting their exposure to insecure employee devices, even if it constitutes an upfront cost, and training employees on recognizing scam texts. For example, Lanterman emphasized the power of simply verifying a text comes from the listed sender.
“The takeaway is: don’t trust instructions that you receive in an email or in a text message,” Lanterman told Morning Brew. “If you’ve asked for anything of value, like money or confidential information, pick up the phone and confirm that.”
The situation is hardly “hopeless,” Lanterman added. “We’ve seen a lot of success coming from the well-thought-out training programs. I think the best security dollar that an organization can spend is on training just [making] their employees aware.”
Keep reading here. —TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
A team at Penn State University discovered a data-loss vulnerability while doing some squats—cloud squats, specifically.
Eric Pauley, a graduate research fellow and PhD candidate at Penn State, along with five additional team members, found that user information can be leaked during the fairly common process of companies leaving a public cloud service.
- When one company’s service is terminated, cloud providers often lease the same server space and IP addresses to another company. A new cloud client with a reused IP address, it turns out, can receive network traffic from end users trying to connect to the original service.
- Acting as “cloud squatters,” Pauley and the Penn State researchers demonstrated how attackers could potentially get a hold of valuable data meant for a previous destination—information that could even include bank-transaction details.
And when you’re a cloud squatter, the data comes to you.
“People will be trying to connect, and they’ll be sending you potentially privileged information intended for other customers,” said Pauley, whose team found over 5,400 organizations potentially leaking sensitive data.
A crowd in the cloud
In some cases, businesses will set up cloud services and keep services active for years. Others will scale their cloud efforts, provisioning and decommissioning them frequently.
“In a worst case, we see that IP addresses can change hands as often as every 30 minutes on the cloud provider that we studied,” Pauley told IT Brew.
How serious is the threat?
To exploit the vulnerability, an attacker would have to get lucky…for now, at least.
“Customers don’t get to choose what IP they get, so you can’t really intentionally target a specific customer for this kind of squatting attack,” said Mike Rothman, president of the cloud security operations platform DisruptOPS and analyst at the security firm Securosis.
But an attack is possible: You can sit around and try IP addresses until you get one that is a target for sensitive data.
An attacker can listen for traffic on an address to see if a client is requesting information like bank details, for example, but that kind of match would be hitting the big one, according to Kurt Seifried, chief blockchain officer and director of special projects at Cloud Security Alliance.
“You’re basically…buying a lottery ticket. It’s probably going to be a losing ticket,” Seifried told IT Brew.
That is, it’s a losing ticket until attackers start making toolkits, added Seifried.
Read more about it here.—BH
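A defender-side check for the IP-reuse problem described in this story, as an added example that is not from the article or the Penn State research: it flags address records (for instance DNS entries or client configuration) that still point at cloud IPs the organization has already released, and how long each has been out of its control. The record list, allocation inventory, hostnames and the `find_stale_records` function are constructed assumptions.

```python
from datetime import datetime, timezone
import ipaddress

# Constructed sample data (not from the article). Hostnames, addresses and
# timestamps are placeholders from documentation ranges.
RECORDS = [  # (name, IP the record still points at)
    ("api.example.com", "203.0.113.10"),
    ("pay.example.com", "203.0.113.25"),
    ("old-batch.example.com", "198.51.100.7"),
    ("www.example.com", "192.0.2.80"),
]
ALLOCATIONS = {  # ip -> (allocated_at, released_at or None if still held)
    "203.0.113.10": ("2022-01-05T00:00:00+00:00", None),
    "203.0.113.25": ("2021-11-01T00:00:00+00:00", "2022-04-20T09:30:00+00:00"),
    "198.51.100.7": ("2022-03-01T00:00:00+00:00", "2022-03-01T00:30:00+00:00"),
}

def find_stale_records(records, allocations, now):
    """Flag records pointing at IPs the organization released or never held.

    Returns findings sorted by exposure: longest-released first, then
    addresses missing from the inventory (status 'unknown-ip')."""
    findings = []
    for name, ip in records:
        ipaddress.ip_address(ip)  # reject malformed addresses early (ValueError)
        alloc = allocations.get(ip)
        if alloc is None:
            findings.append({"name": name, "ip": ip, "status": "unknown-ip",
                             "exposed_hours": None})
            continue
        released_at = alloc[1]
        if released_at is None:
            continue  # address is still held; traffic reaches the owner
        delta = now - datetime.fromisoformat(released_at)
        findings.append({"name": name, "ip": ip, "status": "released",
                         "exposed_hours": round(delta.total_seconds() / 3600, 1)})
    return sorted(findings, key=lambda f: (f["exposed_hours"] is None,
                                           -(f["exposed_hours"] or 0)))

if __name__ == "__main__":
    audit_time = datetime(2022, 5, 2, 9, 30, tzinfo=timezone.utc)  # constructed
    for f in find_stale_records(RECORDS, ALLOCATIONS, audit_time):
        print(f)
```

Records flagged as `released` are the ones a new tenant of that address could receive traffic for; `unknown-ip` entries need a manual check against third-party hosting.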
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
Today’s top IT reads.
Stat: 237. That’s how many Russian cyberattacks against Ukraine were documented by Microsoft from the start of the war through April 8, in a report from its Digital Security Unit. The suite of malware used by the attackers ranged in functionality, allowing at least six Russia-linked threat actors to delete critical data or render machines unusable. (The Hacker News)
Quote: “Deepfake technology might amplify the risk for advanced document fraud by organized-crime groups.”—a Europol report on the AI-powered image generation technology (Infosecurity)
Read: The Indian Computer Emergency Response Team, the nation’s cybersecurity arm, is altering its security practices with regard to cyber incidents and requiring companies to report any data breaches or other incidents within six hours of discovery. (Bleeping Computer)
- Elon Musk sold $8.4 billion in Tesla shares to help pay for his new toy, Twitter.
- Nearly a year out, the MiamiCoin cryptocurrency isn’t doing so well.