New research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. AT&T’s study of 800 cybersecurity professionals across the UK, France and Germany shows that while 88% initially felt well prepared for the migration, 55% now believe widespread remote working is making their companies more or much …
The post Many companies have not taken basic steps to protect their remote workforce appeared first on Help Net Security.
Cyberattacks have increased sharply since the start of the pandemic, with AT&T Alien Labs Open Threat Exchange (OTX) finding 419,643 indicators of compromise (IOCs) related to COVID-19 from January to March, a 2,000% month-over-month increase from February to March.
Rush to bolster cybersecurity
Companies of all sizes and in all sectors have been forced to adapt to a remote work environment overnight, regardless of whether they were ready or not. As this fast-moving shift to virtual business occurred, cybercriminals also adjusted their strategy to take advantage of the expanded attack surface, with the volume of attacks up by nearly 40% in the last month and COVID-19-themed phishing attacks jumping by 500%. The current situation is an IT manager’s worst nightmare.
This new remote work environment ushers in an entirely new security landscape, and in record time. Long-term solutions can be found in zero trust models and cloud security adoption, but time is of the essence. Organizations should act now.
The following are a few short-term, easy-to-implement actions that IT managers can take now to bolster cybersecurity amid the current pandemic.
1. Apply “social distancing” to home networks
Traditionally, home Wi-Fi networks are used for less sensitive tasks, often unrelated to work: children play games on their tablet, voice assistants are activated to display the weather, and movies are streamed on smart TVs. Fast forward to today, and employees are now connecting to the office through this same network, leaving gaps for children or non-working adults who may also be accessing the internet via the same network. Lines are blurred, and so is security.
Just as social distancing is encouraged to limit the potential spread of COVID-19, the same should apply digitally to our home networks. IT managers can encourage employees to partition their home internet access: put the device used to log into the office on its own network segment, separate from the one children and non-working adults use. This step alone keeps a compromised or unpatched household device from reaching the work device over the local network.
One doesn’t need extensive IT skills to isolate a home network, which saves IT managers valuable time and resources. Several home and small-office routers costing around $100 offer VLAN support, and most Wi-Fi kits can set up a “guest” network. Check that the chosen setup actually blocks traffic between the two segments; on consumer routers this is usually a toggle such as “client isolation” or “allow guests to access my local network,” and it is not always set restrictively by default. As an IT manager, it’s important to provide step-by-step instructions on how to set this up on common routers, while communicating the importance of taking this small step to greatly boost security.
2. Encourage the use of lightweight mobile devices
BYOD brings immense security risk. What types of malware exist on your employees’ home devices? Have they completed recent software updates? It’s a gamble not worth taking.
If possible, IT managers should provide employees with company-owned lightweight devices, like smartphones and tablets. For one, in most of the country, you can use mobile broadband capabilities to avoid home networks altogether. Additionally, these devices are designed to be managed remotely. Users are essentially teaming up with the manufacturers’ security teams in keeping the devices secure, as well as the mobile operators in ensuring a secure connection. Attach a quality keyboard to such lightweight devices, and employees will not miss their PCs.
3. Move to the cloud… now!
On-premises software is often outdated and hard to keep patched. If your organization has not moved to the cloud yet, let this be the forcing function for that change. Customer relationship management systems, office productivity apps and even creative design platforms are all available now as SaaS offerings, and often outperform their traditional software equivalents. With cloud solutions, organizations share the work of patching and hardening with the SaaS provider’s security teams.
Once employees have transitioned to lightweight, centrally managed devices running SaaS applications, the attack surface is reduced considerably.
4. Secure employee remote access
Employees will be connecting their devices to many different services, too many to manage on an ongoing, individual basis. Invest in secure remote access tools such as a strong endpoint security solution and a cloud security gateway. These allow IT managers to set policies and monitor company-wide activity, even while the workforce is widely dispersed.
5. Brush up on password hygiene
I’m willing to bet that employees are logging into the office right now using poor passwords. They’re inputting passwords based on their children’s names, anniversary dates or, the worst, “password123.”
IT managers need to immediately (and regularly!) teach employees how to improve their security posture. One of the easiest ways to do that is to start with password hygiene. Insist that staff create long, complex, and unique passwords for every device and connection they use to access the office. Encourage the use of password managers to keep track of all logins. Staff should also set up two-factor authentication across the board, from the CEO down to the seasonal intern. Prefer an authenticator app or hardware security key over SMS codes where the service supports them: a second factor delivered by text message is only as secure as the phone number behind it. This behavioral shift costs nothing and makes it significantly harder for cybercriminals to win.
We are all vulnerable to this pandemic. IT managers traditionally shoulder a tremendous amount of responsibility, but now with a remote work environment, that burden has quadrupled. While the to-do list may look exhaustive, try to focus on a few short-term actions that will bring peace of mind and bolstered security… right now.
AT&T doesn’t want its home Internet speeds to be measured by the Federal Communications Commission anymore, and it already convinced the FCC to exclude its worst speed-test results from an annual government report.
“AT&T this year told the commission it will no longer cooperate with the FCC’s SamKnows speed test,” The Wall Street Journal wrote in an investigative report titled “Your Internet provider likely juiced its official speed scores.”
AT&T already convinced the FCC to exclude certain DSL test results from last year’s Measuring Broadband America report. The reports are based on the SamKnows testing equipment installed in thousands of homes across the US.
“AT&T was dismayed at its report card from a government test measuring Internet speeds” and thus “pushed the Federal Communications Commission to omit unflattering data on its DSL Internet service from the report,” the Journal wrote.
“In the end, the DSL data was left out of the report released late last year, to the chagrin of some agency officials,” the Journal wrote. “AT&T’s remaining speed tiers notched high marks.”
Pai’s FCC gives less attention to speed tests
The Obama-era FCC began the Measuring Broadband America program in 2011 to compare the actual speeds customers receive to the advertised speeds customers are promised. The FCC released reports annually through 2016, but the testing program has gotten less attention since Ajit Pai became chairman in January 2017.
As we wrote in November 2018, the FCC hadn’t yet released any new Measuring Broadband America reports since Pai became chair. Pai’s FCC in December 2018 finally released both the 2017 and 2018 reports, tucking them into the final appendices of a larger “Communications Marketplace Report.” You can see all the Measuring Broadband America results from over the years at this page.
The 2017 report includes two categories for AT&T, one for its oldest DSL technology and another for its DSL-based IP broadband with speeds of up to 45Mbps. While AT&T’s oldest DSL service only provided 82 percent of advertised download speeds, AT&T IP broadband was over 100 percent. The 2018 report only includes AT&T’s IP broadband category, leaving out the company’s worst results.
Satellite Internet provider ViaSat also “left the FCC’s program” last year, the Journal wrote. ViaSat results were included in the 2018 report, which covers tests from September 2017.
We asked the FCC yesterday if it will include any AT&T and ViaSat test results in future reports, since SamKnows testing equipment could still be in AT&T and ViaSat customer homes, and we asked when the next Measuring Broadband America report will come out. We’ll update this article if we get any answers.
AT&T says its own speed test is better
AT&T defended its decision to drop out of FCC testing when contacted by Ars. “AT&T developed a best-in-class tool to measure its consumer broadband services,” the company said in a statement provided to Ars. “This tool measures performance on all AT&T IP broadband technologies and is more accurate, versatile, and transparent. For these and other reasons, our tool provides better and more useful information to our customers.”
But consumers have less reason to trust a speed-test tool created by AT&T than one created by the FCC. Even with the FCC’s speed tests, AT&T was able to exclude unflattering results. It would be even easier to dump slow speed-test results when AT&T is the one determining which numbers to show the public.
AT&T and the mobile industry’s top lobby group have also argued that carriers shouldn’t have to submit detailed 5G maps to the FCC. Separately, the FCC said this month that Verizon, T-Mobile, and US Cellular exaggerated their 4G coverage in official government filings.
Back in 2011, AT&T touted the FCC’s in-home speed tests as being far more accurate than previous testing methodologies. But the company’s opinion then seems to have been influenced by early test results that AT&T said showed “consumers are getting high-quality broadband services from their ISPs.”
AT&T announced another round of DirecTV and U-verse TV price increases, saying that monthly rates will rise by up to $8 per month starting on January 19. “Because our programming costs went up, we have to raise our monthly prices for select packages,” AT&T said in a notice titled “TV price changes for 2020.” An additional $2 increase on the Regional Sports Network fee means that some customers will pay another $10 per month.
The $8-per-month increase will apply to the DirecTV Premier plan that currently costs $189. A $7 increase will apply to the Ultimate package that costs $135 and to the Xtra package that costs $124; a $5 increase will apply to the Choice plan that costs $110; a $4 increase will apply to the Select package that costs $81 a month and to the Entertainment package that costs $93; and increases of $1 or $3 will apply to basic plans.
Customers who have promotional pricing will “keep that discount until it expires” and pay the new, higher price afterward, AT&T said. The promotional pricing generally lasts for one year and has discounts ranging from $21 to $55 a month.
Besides raising general service-plan rates, AT&T said its Regional Sports Network fees will rise by $1.50 to $2 a month. The sports fee varies by location but is about $10 in many big cities; you can look up the fee by ZIP code at this AT&T page.
For U-verse TV, AT&T’s wireline service, $3 will be added to the U-family plan that currently costs $84.99; $5 will be added to both the U-200 and U-300 plans that cost $107 and $124, respectively; and $7 will be added to the U-450 plan that currently costs $154. The Broadcast TV fee that costs $6.99 or $7.99 will rise $2 a month.
AT&T previously raised prices by similar amounts in January 2019. Previous price increases have contributed to AT&T losing nearly 5 million satellite-and-wireline TV customers since the end of 2016 and more than 1.3 million in the most recent quarter alone.
Comcast is also raising prices this month and eliminating the option to get one DVR set-top box for free, Cord Cutters News reported. Comcast’s average Broadcast TV fee is going up from $10 to $14.95 starting this month. “Overall, most Comcast customers will see bills rise by about 3.3 percent—a weighted average based on subscribers with one to three products—versus 3.4 percent last year,” Broadcasting & Cable reported. Cox and Charter are also raising rates.
Comcast blamed the increases on “rising programming costs—most notably for broadcast TV and sports.” Comcast and AT&T are partly to blame for the industry’s rising programming costs because of Comcast’s ownership of NBCUniversal and AT&T’s ownership of Time Warner.
Disclosure: The Advance/Newhouse Partnership, which owns 13 percent of Charter, is part of Advance Publications. Advance Publications owns Condé Nast, which owns Ars Technica.
AT&T thinks its TV-customer losses have peaked, but that isn’t saying much, as the company has lost 5 million subscribers since 2016 and more than 1.3 million in the most recent quarter alone.
“It’s tough and we’ll go through it for the rest of this year. But we’re optimistic we’ve hit the peak of losses in the third quarter,” AT&T CFO John Stephens said at a Wells Fargo conference for investors yesterday, according to the Hollywood Reporter.
In Q3, AT&T reported a net loss of 1,163,000 customers in the premium TV category, which includes DirecTV satellite and U-verse wireline TV services. AT&T also reported a net loss of 195,000 customers of AT&T TV Now, the online streaming video service formerly known as DirecTV Now, bringing the total TV-customer loss to 1.36 million.
The long-touted fifth generation of wireless communications is not magic. We’re sorry if unending hype over the world-changing possibilities of 5G has led you to expect otherwise. But the next generation in mobile broadband will still have to obey the current generation of the laws of physics that govern how far a signal can travel when sent in particular wavelengths of the radio spectrum and how much data it can carry.
For some of us, the results will yield the billions of bits per second in throughput that figure in many 5G sales pitches, going back to early specifications for this standard. For everybody else, 5G will more likely deliver a pleasant and appreciated upgrade rather than a bandwidth renaissance.
That doesn’t mean 5G won’t open up interesting possibilities in areas like home broadband and machine-to-machine connectivity. But in the form of wireless mobile device connectivity we know best, 5G marketing has been writing checks that actual 5G technology will have a lot of trouble cashing.
A feuding family of frequencies
The first thing to know about 5G is that it’s a family affair—and a sometimes-dysfunctional one.
Wireless carriers can deploy 5G over any of three different ranges of wireless frequencies, and one of them doesn’t work anything like today’s 4G frequencies. That’s also the one behind the most wild-eyed 5G forecasts.
Millimeter-wave 5G occupies bands much higher than any used for 4G LTE today—24 gigahertz and up, far above the 2.5 GHz frequency of Sprint, hitherto the highest-frequency band in use by the major US carriers.
At those frequencies, 5G can send data with fiber optic speeds and latency—1.2 Gbps of bandwidth and latency from 9 to 12 milliseconds, to cite figures from an early test by AT&T. But it can’t send them very far. That same 2018 demonstration involved a direct line of sight and only 900 feet of distance from the transmitter to the test site.
Those distance and line-of-sight hangups still persist, although the US carriers that have pioneered millimeter-wave 5G say they’re making progress in pushing them outward.
“Once you get enough density of cell sites, this is a very strong value proposition,” said Ashish Sharma, executive vice president for IoT and mobile solutions at the wireless-infrastructure firm Inseego. He pointed in particular to recent advances in solving longstanding issues with multipath reception, when signals bounce off buildings.
Reception inside those buildings, however, remains problematic. So does intervening foliage. That’s why fixed-wireless Internet providers using millimeter-wave technology like Starry have opted for externally placed antennas at customer sites. Verizon is also selling home broadband via 5G in a handful of cities.
Below millimeter-wave, wireless carriers can also serve up 5G on mid- and low-band frequencies that aren’t as fast or responsive but reach much farther. So far, 5G deployments outside the US have largely stuck to those slower, lower-frequency bands, although the industry expects millimeter-wave adoption overseas to accelerate in the next few years.
“5G is a little more spectrally efficient than 4G, but not dramatically so,” emailed Phil Kendall, director of the service provider group at Strategy Analytics. He added that these limits will be most profound on existing LTE spectrum turned over to 5G use: “You are not going to be able to suddenly give everyone 100Mbps by re-farming that spectrum to 5G.”
And even the American carriers preaching millimeter-wave 5G today also say they’ll rely on these lower bands to cover much of the States.
For example, T-Mobile and Verizon stated early this year that millimeter-wave won’t work outside of dense urban areas. And AT&T waited until it could launch low-band 5G in late November to start selling service to consumers at all; the low-resolution maps it posted then show that connectivity reaching into suburbs.
Sprint, meanwhile, elected to launch its 5G service on the same 2.5GHz frequencies as its LTE, with coverage that is far broader and more contiguous than millimeter-wave 5G. Kendall suggested that this mid-band spectrum will offer a better compromise between speed and coverage: “Not the 1Gbps millimeter-wave experience but certainly something sustainable well in excess of 100Mbps.”
The Federal Communications Commission is working to make more mid-band spectrum available, but that won’t be lighting up any US smartphones for some time.
(Disclosure: I’ve done a lot of writing for Yahoo Finance, a news site Verizon owns.)
The US Department of Justice has given its tentative approval to a wireless-industry plan to revise eSIM standards, saying that new safeguards should prevent carriers from colluding against competitors in the standards-setting process. But the DOJ warned the industry that it must eliminate anti-competitive provisions from the current eSIM standard or face possible antitrust enforcement.
The DOJ last year began investigating AT&T, Verizon, and the GSMA, a trade group that represents mobile carriers worldwide. The antitrust enforcer found that incumbent carriers stacked the deck against competitors while developing an industry standard for eSIM, the embedded SIM technology that is used instead of removable SIM cards in new smartphones and other devices.
In theory, eSIM technology should make it easier to switch carriers or use multiple carriers because the technology doesn’t require swapping between physical SIM cards. But how it works in practice depends heavily on whether big carriers dominate the standard-setting process.
The DOJ investigation found that “the GSMA and its mobile network operator members used an unbalanced standard-setting process, with procedures that stacked the deck in their favor, to enact an RSP (Remote SIM Provisioning) Specification that included provisions designed to limit competition among networks,” the agency said last week.
That flawed process resulted in RSPv2, which makes it easy for a carrier to lock eSIM-equipped smartphones to its network, the DOJ said. The standard has so-called “profile policy rules” that require smartphones to “contain the capability for operator-controlled locking in order to be considered compliant with the RSP Specification,” the DOJ said. These provisions “may restrict the pro-competitive potential of eSIMs without being necessary to achieve remote provisioning or to solve an interoperability problem,” the DOJ said.
The current standard also has provisions that make it harder for phones to automatically switch between networks when the phone “detects stronger network coverage or a lower-cost network,” the DOJ said. The standard also “prevents an eSIM from actively using profiles from multiple carriers simultaneously.”
DOJ will watch and wait
Despite that, the DOJ said it won’t file an antitrust lawsuit. That’s because the GSMA agreed to a new standard-setting process that addressed DOJ concerns and will use that process to develop a new standard that will replace RSPv2. The DOJ said it is satisfied by the GSMA’s process changes but that it will monitor the implementation of the new standard and may take action if the GSMA doesn’t remove anti-competitive provisions in the next version of RSP.
The GSMA described its new process—called AA.35—in a letter to the DOJ in July, and DOJ antitrust chief Makan Delrahim provided an update on the agency’s “present enforcement intentions regarding GSMA’s proposal” in a letter to the GSMA last week. The DOJ said it “presently has no intention to challenge AA.35, if it goes into effect,” because the new process “includes sufficient protections to minimize the chances of anticompetitive self-dealing inside the GSMA if it is applied as contemplated.”
However, the DOJ said it “will closely observe how AA.35 is applied and whether it succeeds in promoting interoperability.” The DOJ also warned the GSMA that if carriers form separate agreements to limit competition, “such agreements are always subject to independent antitrust scrutiny.”
What the industry agreed to
Originally, the GSMA let non-carriers such as smartphone manufacturers participate in the standard-development process but made sure that all final decisions were controlled by mobile carriers. The DOJ said it was “concerned that the GSMA’s operator-dominated process was used with the purpose and effect of altering what would otherwise have been competitive negotiations between the operators and smartphone manufacturers (‘OEMs’) over the design and implementation of eSIMs.”
But after the DOJ began investigating, the GSMA came up with the alternative AA.35 process. As the DOJ noted, “AA.35 creates a two-stage process, with an Industry Specification Issuing Group (‘ISIG’) that creates the standards and an Industry Specification Approving Group (‘ISAG’) that approves the standards.”
ISIG membership is open “to all members, ensuring that there will not be operator-exclusive committees driving the process,” the DOJ continued. Non-carriers can become members of the ISAG, which “eliminates the complete control that operators previously had and instead gives all parts of the industry an opportunity to be represented,” the DOJ said.
Another safeguard prevents standards from being approved without the consent of smartphone makers. “At the ISAG level, [AA.35] requires approval of standards by separate majorities of the ISAG operator- and non-operator members,” the DOJ said. “Both bodies require an explanation of negative votes, another improvement that increases transparency and indicates meaningful attempts to reach consensus.”
Another new provision allows for appeals to be heard by an independent panel. Finally, operators can’t bypass or change this process “without the support of non-operator members” because the dual-majority voting structure requires consent of both groups, the DOJ said.
Getting rid of anti-competitive provisions
The current version of the eSIM standard, which was passed under the old, flawed process, has “several key features that have restricted the disruptive potential of eSIMs to date,” the DOJ said. That’s a reference to the phone-locking provision described earlier in this article and “provisions that restrict the number of active profiles on an eSIM or impede the user’s ability to consent to dynamic profile switching,” the DOJ said.
For example, RSPv2 requires consumers to give their approval each time an eSIM “toggles between profiles or networks,” preventing the scenario where a phone automatically switches between networks “if it detects stronger network coverage or a lower-cost network,” the DOJ said.
An RSPv2 prohibition on using profiles from multiple carriers simultaneously could prevent scenarios where users have their phone divided into work-related and personal profiles or multiple “profiles optimized for different coverage areas or for international travel,” the DOJ said. Incumbent carriers apparently wanted that restriction to undercut “a potential competitive threat [that] would allow a user to divide usage across operators,” the DOJ said.
When the GSMA uses its new AA.35 process to create a new standard, the DOJ said it expects the group to reconsider those anti-competitive rules.
“The Department will take a special interest in whether RSPv3 includes provisions that are motivated only by the incumbent operators’ interest in gaining a competitive advantage or stifling new sources of competition,” Delrahim warned the GSMA. The DOJ “reserves the right to bring an enforcement action in the future” if the GSMA’s implementation of AA.35 “proves to be anticompetitive in purpose or effect,” he wrote.
When Michael Terpin’s smartphone suddenly stopped working in June 2017, he knew it wasn’t a good sign. He called his cellular provider, AT&T, and learned that a hacker had gained control of his phone number.
The stakes were high because Terpin is a wealthy and prominent cryptocurrency investor. Terpin says the hackers gained control of his Skype account and tricked a client into sending a cryptocurrency payment to the hackers instead of to Terpin.
After the attack, Terpin asked AT&T to escalate the security protections on his phone number. According to Terpin, AT&T agreed to set up a six-digit passcode that must be entered before anyone could transfer Terpin’s phone number.
But the new security measures didn’t work. In January 2018, “an AT&T store cooperated with an imposter committing SIM swap fraud,” Terpin alleged in his August 2018 lawsuit against AT&T. The thieves “gained control over Mr. Terpin’s accounts and stole nearly $24 million worth of cryptocurrency from him.”
Terpin sued AT&T, seeking at least $24 million in actual damage and millions more in punitive damages. Terpin also asked the court to void terms in AT&T’s customer agreement that disclaim liability for security problems—even in cases of negligence by AT&T. Terpin argued that these boilerplate terms are unconscionable because customers never have an opportunity to negotiate them.
But AT&T asked the judge to dismiss the case, arguing that Terpin didn’t adequately explain how the phone hack led to the loss of his cryptocurrency. Terpin’s lawsuit provided no details about how Terpin had stored his cryptocurrency, how the hackers had gained access to it, or if they might have been able to carry out a similar attack without control of Terpin’s phone number. In any event, AT&T argued that it shouldn’t be held responsible for the misconduct of the hackers who actually carried out the theft of cryptocurrency.
A mixed ruling
On Thursday, Judge Otis Wright—a man we once depicted as a hulking green giant preparing to smash the copyright trolls at Prenda Law—issued a ruling that provided some reason for each side to celebrate.
Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin’s claimed $24 million loss.
However, Wright dismissed the claims with “leave to amend,” meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible.
At the same time, Wright allowed the case to move forward with Terpin’s arguments against AT&T’s one-sided customer agreement. Wright hasn’t yet voided the terms, but he found Terpin’s arguments on the issue plausible enough to let the case continue.
“We are pleased the court dismissed most of the claims,” AT&T said in an emailed statement. “The plaintiff will have the opportunity to re-plead but we will continue to vigorously contest his claims.”
This kind of phone hacking incident is of particular concern in the cryptocurrency world because of the non-reversibility of most virtual currencies. If a hacker steals funds from a conventional bank account, a fast-acting victim can usually get the transaction reversed and the funds restored. By contrast, if a hacker steals someone’s bitcoins, they’re likely to be gone permanently, since no one has the authority to cancel transactions once they’re committed to the blockchain.
As a result, cryptocurrency is much more of a “user beware” world than the conventional banking system. If you own a significant amount of cryptocurrency, and especially if you’re publicly known to have a significant amount of cryptocurrency, then it’s wise to store it in a way that doesn’t depend on the security of your phone number: no SMS-based two-factor codes, and no account-recovery path that a carrier-issued number can unlock.