News
Plain English Take on Tech and Security.
WiFi adding 6GHz spectrum, 04-26-20
Just in time for people working from home (especially those in apartment buildings), we are gaining more bandwidth from the FCC for WiFi.  This new bandwidth is larger than the previous two combined; however, the higher frequency will mean the range is limited.  It will be interesting to implement, and it is a welcome addition.  Of course new hardware will be needed, so I predict a slowdown of upgrades until we see capable devices hitting the market.
Zoom, 04-20-20
Zoom has risen to be the new favorite video conferencing tool thanks to the stay-at-home requirements rolling across the world.  While Zoom has been around for some time, it's now being tested under the strain of tens of millions of new users per month.  While they have had some missteps and some challenges regarding their encryption, they are mostly suffering from new users who are also new at video conferencing in general.  These users are creating virtual conference rooms with no passwords, or sharing them openly online.  They are opening themselves up for troublemakers (mostly kids home from school!!) who will "bomb" these conference rooms with all sorts of shenanigans, some with serious consequences.  We need to remind people that while we are all struggling to use these new tools, sometimes the tools aren't to blame.  I give Zoom a pass on these events mostly because of how they have responded to an immense amount of criticism.  They realize they need to make the interface more user-friendly where it prompts people to use passwords.  They are adding features to lock rooms, have sign in sheets, etc.  They are reviewing security and encryption.  These are good signs from a company under pressure.  They are on the right track.
COVID-19 Contact Tracing, 04-18-20
Google and Apple are working together using their mobile operating systems (iOS and Android) to create a virus contact-tracing system.  The first thing I hear when I bring this up is how this is a government ploy to track people.  I feel like I may be risking my life by disagreeing....hear me out.  Let's take our tinfoil hats off and breathe - I'm confident that these two companies have figured out the right way to do this without jeopardizing your privacy.  There's really only one problem, and that's people.  Back to that in a moment. 

The way these companies are doing this is through Bluetooth.  Bluetooth LE (Low Energy) is a range-limited protocol that when used in this context can swap an identifier to other phones so that down the line if any of those identifiers are marked as infected, all the other phones that have contacted it would be notified of a potential exposure.  The way this is done maintains your anonymity. 

Your phone will have a long, high entropy identifier that never gets shared from the phone.  It never leaves your phone.  It stays private.  It's your private key.  That identifier is then used to create another key called your daily tracing key.  This key changes daily.  It is created by using math and your private key, but ensures your private key can never be revealed.  It is an irreversible process.  Your phone can however recreate any of these daily keys down the line, because it knows how to do that secret math....so far so good. 

This is where it gets more complicated.  Your phone will have to share data through Bluetooth - something that could be used to track you.  Your phone has a Bluetooth MAC address - think of it like a house number.  But modern phones have a feature to discourage tracking - this number changes randomly every 10-20 minutes.  The fact that it changes randomly sometime within a 10 minute window of time also makes it very hard to tell when a phone cycles its number - you can't predict accurately when it will change.  Google and Apple use this changing number to further obfuscate what will finally be shared with others - the 'rolling proximity identifier'.

 This identifier is then what is shared to any phones within a close proximity.  As you conduct your life throughout the world, your phone is logging all of these random identifiers and simply creating a list.  This list will be remembered for only a certain period of time (the time you could theoretically be sick/contagious without showing symptoms yet, say 21 days or so).  It will then check a server seeing if any of those random numbers were marked as 'diagnosed', or COVID positive. 

So let's say you had your phone on you for a few weeks, going to the store, gas stations, work, wherever.  You feel sick, get tested, and test positive.  At this point we can tell your phone to report in by going back 21 days and providing those random tracing keys for other phones to check against.  Those random numbers are then used on each other user's phone to calculate if they've been in contact with that key before - and if so, you provide warning to those individuals, all while maintaining your anonymity.
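The key chain and the matching step described above, as an added Python sketch (not Apple's or Google's code). The "CT-DTK" and "CT-RPI" labels, the 16-byte lengths, the 144 ten-minute intervals per day and the names Alice and Bob are assumptions made for this example, and the keys and day number are constructed sample values.

```python
import hashlib
import hmac

def hkdf_sha256(key: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with an empty salt (extract, then expand)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def daily_tracing_key(tracing_key: bytes, day: int) -> bytes:
    # One-way step: a daily key cannot be turned back into the private tracing key.
    return hkdf_sha256(tracing_key, b"CT-DTK" + day.to_bytes(4, "little"), 16)

def rolling_proximity_id(daily_key: bytes, interval: int) -> bytes:
    # interval = index of the 10-minute window within the day (0..143, assumed)
    mac = hmac.new(daily_key, b"CT-RPI" + bytes([interval]), hashlib.sha256)
    return mac.digest()[:16]

def exposure_matches(observed: set, published: dict) -> list:
    """Re-derive identifiers from published daily keys; return (day, interval) hits."""
    hits = []
    for day, key in published.items():
        for interval in range(144):
            if rolling_proximity_id(key, interval) in observed:
                hits.append((day, interval))
    return hits

def demo() -> list:
    alice_tk = bytes(range(32))         # constructed; a real phone uses a random key
    stranger_tk = bytes(range(32, 64))  # constructed key for an unrelated phone
    day = 18370                         # constructed day number
    # Bob's phone only ever stores the broadcast identifiers it hears nearby.
    bob_log = {
        rolling_proximity_id(daily_tracing_key(alice_tk, day), 57),
        rolling_proximity_id(daily_tracing_key(stranger_tk, day), 57),
        rolling_proximity_id(daily_tracing_key(alice_tk, day + 1), 3),
    }
    # Alice tests positive: her daily keys are published, never alice_tk itself.
    published = {d: daily_tracing_key(alice_tk, d) for d in range(day - 1, day + 2)}
    return exposure_matches(bob_log, published)

if __name__ == "__main__":
    print(demo())
```

Bob's phone learns only that it was near a diagnosed key on two occasions; the stranger's identifier matches nothing because that phone's daily keys were never published.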

I've left a lot of details out, but you can get the gist - they worked hard on this and it shows.  The only wrinkle is who gets to tell your phone you're sick - I can imagine nefarious people marking their phones as sick just to mess with people....this mechanism would have to be somehow performed by an authorized party - maybe a hospital or healthcare worker.

This will be built into the OS, and you most likely would have to download an app to interface with it.  Let's all take off our tinfoil hats because the way I see it, this will allow contact tracing in a highly efficient way that will allow us to return to normal (as much as possible!!) in a much quicker fashion. 
COVID-19, 04-05-20
Working from home.  Empty offices.  Social distancing.  Zoom meetings.  This is our new world.  With the mitigation of the virus most likely affecting our lives for not just the short term, but for the years ahead, these new norms will reshape how businesses perform their tasks.  There will be hiccups and stalls, but we will all carry on.  The business that cannot adapt to this new reality will struggle.  We are here to assist businesses and new home-offices make this transition.  VPNs, enhanced WiFi, video conferencing, you name it.  We're here to get it straightened out.
Kr00k (WiFi Hack), 03-10-20
Another attempt at breaching WiFi.  It was successful.  Another reason to have hardware that can be updated and maintained by a reputable vendor.  With so much business moving to working from home in the upcoming months, this is a giant incentive for upgrading aging hardware in your homes.  
Apple only honoring 1 yr certs, 02-25-20
Web pages have security certifications that allow you to have that nice green lock to reassure users they are safe and using the correct site.  With all of the ways to game the system these days, Apple is taking off the gloves and changing their policy to only honor one year certs, forcing companies and websites to attend to their security cert at least once a year.  This is a polarizing move as it creates more work for IT teams around the world.  My opinion:  it was inevitable, and good for business.  More trust in websites means a better flow of business for those sites.  
Windows 7 is dead, long live Windows 7, 01-22-20 
So now that Windows 7 is no longer receiving updates (unless your wallet is deep), there are still TONS of computers out there running Windows 7.  One out of 4 desktops are Win7.  This is a disaster waiting to happen.  Let's move to Win 10, Linux, anything else.  Please. 
Interesting AlertLogic Report, 09-28-19
Major takeaways:
-  Most unpatched vulnerabilities affecting small to medium businesses (SMBs) are over a year old.
-  Linux, Windows, AWS (Amazon Web Services) affected
-  Many issues are a result of improperly trained IT, misconfigured security.
-  Use of legacy (unsupported) hardware and software. 
ISE Security Assessment, NAS Devices, 09-22-19 
A bunch of brands were beaten up (QNAP, Seagate, Drobo, Buffalo, ASUS to name a few) except for one - Synology.   I've always been a fan of Synology...bias confirmed!
Microsoft Traces IoT Breaches, 08-15-19
Microsoft has observed the Russian Govt. backed hacker group 'Strontium' using IoT devices to gain footholds in company networks around the world.   Most notably, VOIP phones and security cameras.  Segmented VLANs are the solution, but not enough small businesses have hardware capable of this.    
Windows RDP Hammered, 07-28-19
Recent reports show that any computers with their RDP ports showing to the internet can expect over 200k login attempts a day, even ones moved to different ports.   Best to hide these behind VPNs...but you need the correct hardware to set these up - we can provide.
Equifax - Repercussions...?, 03-01-19 
Long story short - security researchers haven't found examples of this data showing up in the normal places you would expect it to - the dark web is curiously devoid of this information.  This leads many researchers to believe this breach was done by a nation-state level actor... after a different type of dataset perhaps?  Other researchers simply think that abusing the data too soon will lead to their discovery, so keeping quiet is more valuable than using the data...time will tell.
Malware With a Purpose, 02-22-19
Malware, viruses, worms:  coming to a small business near you.  Today's threat environment is growing in scope.  In the old days, these ailments were seemingly spread with no specific intent other than to wreak chaos; however, those times are gone.  Most of us are well aware that it is not only governments that create specifically crafted tools to target their prey... large corporations were the first logical target.  Teams of hackers home in on specific companies with crafted payloads that intentionally encrypt computers within the corporation's networks.  The company then gets a blackmail message from the hackers requesting payment, usually in some form of crypto-currency.  
The bad news is that government municipalities and school districts seem to be the next targets.  Unsurprisingly, small businesses will be the next to suffer.  There are hacking toolkits out there for novices to exploit, and while they don't have the skill to attack larger corporations with large IT budgets, small businesses are plentiful and have lots to lose - and are generally not on the radar of law enforcement.  The FBI generally gives a canned message stating that paying ransoms for crypto-malware is not advised; however, it is often the only avenue for a small business to regain operations. 
Consumer hardware is prevalent in many small businesses and is woefully inadequate to protect against these types of threats. 

Small businesses need help with training and strategic purchases of proper hardware - and we're here to help. 

Consumer Router Shortcomings, 02-15-19
The last year was not a friendly year to consumer router products.  Cyber criminals have discovered that routers are a rather easy point of entry into many networks - primarily small business targets.  They use the router as a launch point where they can get in behind the first line of defense - the router firewall.  They can gather all sorts of information - what hardware and devices you have in your network, what websites you and your clients visit, etc.  It's the keys to the kingdom.   If you are not actively updating your router's firmware, it's the equivalent of leaving your front door unlocked all the time.  

We're here to help if you need it.