In-house blogging at RSA Archer Summit in Nashville

Last week I was in Nashville, covering the RSA Archer Summit conference. Here are my posts about the show:

Watch that browser add-on

This is a story about how hard it is for normal folks to keep their computers secure. It is a depressing but instructive one. Most of us take for granted that when we bring up our web browser and go to a particular site, we are safe and we know what we see is malware-free. However, that isn’t always the case, and is getting harder.

Many of you make use of browser add-ons for various things: Right now I am running a bunch of them from Google, to view online documents and launch apps. One extension that I rely on is my password manager. I used to have a lot of other ones but found that after the initial excitement (or whatever you want to call it, I know I live a sheltered life) wears off, I don’t really take advantage of them.

So my story today is about an add-on called Web Security. It is oddly named, because it does anything but what it says. And this is the challenge for all of us: many add-ons or smartphone apps have misleading names, because their authors want you to think they are benign. Initially, Mozilla wrote a recommendation for this add-on earlier this month. Then they started getting complaints from users and security researchers. Turns out that they made a big mistake. Web Security tries to track what you are doing in your browsing around the Internet, and could compromise your computer. When Mozilla add-on analyst (that is his real job) Rob Wu looked into this further, he found some very nasty behavior that made it finally clear to him that the add-on was hiding malicious code. Mozilla basically turned off the extension for the hundreds of thousands of users that had installed it and would have been vulnerable. This story on Bleeping Computer provides more details.

In the process of researching this one add-on’s behavior, Wu found 22 other add-ons that did something similar, and they were also disabled and removed from the add-on store. More than half a million Firefox users had at least one of them add-ons installed.

So what can we learn from this tale of woe? One thing is the sobering thought when security experts have trouble identifying badly behaving programs. Granted, this one was found and fixed quickly. But it does give me (and probably you too) pause.

Here are some suggestions. First off, take a look at your extensions. Each browser does this slightly differently. Cisco has a great post here to help you track them down in Chrome and IEv11. Make sure you don’t have anything more than you really need to get your work done. Second, keep your browser version updated. Most of the modern browsers will warn you when it time for an update, and don’t tarry when you see that warning. Finally, be aware of anything odd when you bring up a web page: look closely at the URL and any popups that are displayed. Granted, this can get tedious, but you are ultimately safer.

RSA Archer blog: LEAVE THE STONE AGE (AND SPREADSHEET) BEHIND

When I asked RSA Archer VP David Walter who was their competition, he told me earnestly it was the simple spreadsheet. I believe him, especially after what I have seen what people do with spreadsheets over the years that I have been a tech reporter.

Dan Bricklin and Bob Frankston invented the electronic spreadsheet with VisiCalc for the Apple II in 1979. It wasn’t long after that when I began using it on an HP 85 running CPM to build mathematical models working at various jobs in DC. That was a sweet machine, with its three-inch monochrome monitor and all 8K of RAM. Then Lotus 1-2-3 and the IBM PC came along making spreadsheets the go-to general business tool.

It has surprising staying power, given the software has essentially had the same user interface for more than 30 years. In this post for the RSA blog, I talk about the drawbacks of spreadsheets and give four reasons why you want something better for integrated risk management

 

CSO Online: Mastering email security with DMARC, SPF and DKIM

Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages, or privilege escalation exploits. Despite making some progress, a trio of email security protocols has seen a rocky road of deployment in the past year. Going by their acronyms SPF, DKIM and DMARC, the three are difficult to configure and require careful study to understand how they inter-relate and complement each other with their protective features. The effort, however, is worth the investment in learning how to use them.

In this story for CSO Online, I explain the trio and how to get them setup properly across your email infrastructure. Spoiler alert: it isn’t easy and it will take some time.

The story has been updated and expanded since I first wrote about it earlier this year, to include some new surveys about the use of these protocols.

FIR B2B podcast #102: Fixing Facebook’s flaws, for real this time

This week we review what Facebook could be doing to make things better for all of us. Its problems have been well documented, from privacy violations to a massive sell-off in its stocks to untrustworthy comments from its CEO. It’s CMO position has remained open for most of the year, prompting them to list the job on LinkedIn of all places.

I posted my thoughts on some of Facebook’s issues two months ago. I talk with my podcast partner Paul Gillin about how the company can rescue its image from the recent tarnishing, such as:

You can listen to our 15 min. podcast here:

The wild and wacky world of cyber insurance (+podcast)

If you have ever tried to obtain property insurance, you know you have a “project” cut out for you. Figuring out what each insurer’s policies cover — and don’t cover — is a chore. When you finally get to the point where you can compare premiums, many of you just want the pain to end quickly and probably pick a carrier more out of expediency than economy.

Now multiple this by two factors: first, you want to get business insurance, and then you want to get business cyber insurance. If you are a big company, you probably have specialists that can handle these tasks — maybe. The problem is that insurance specialists don’t necessarily understand the inherent cyber risks, and IT folks don’t know how to talk to the insurance pros. And to make matters more complex, the risks are evolving quickly as criminals get better at plying their trade.

My first job was working after college in a key punch department of a large insurance company in NYC. We filled out forms for the keypunch operators to cut the cards that were used to program our mainframe computers. It was strictly a clerical position, and it motivated me to go back and get a graduate degree. I had no idea what the larger context of the company was, or anything really about insurance. I was just writing numbers on a pad of paper.

Years later, I worked in the nascent IT department of another large insurance company in downtown LA. This was back in the mid 1980s. We didn’t know from cyber insurance back then: indeed, we didn’t even have many PCs in the building. At least not when I started: my job was to join an end-user support department that was bringing in PCs by the truckload.

So those days are thankfully behind me, and behind most of us too. Cyber insurance is becoming a bigger market, mainly because companies want to protect themselves against any financial losses that stem from hacking or data leaks. So far, this kind of insurance has been met with mixed success. Here is one recent story about a Virginia bank that was hit with two different attacks. They had cyber insurance, and filed a claim, and ended up in a court battle with their insurer who (surprise!) didn’t want to pay out, claiming some fine print on the policy.

Sadly, that is where things stand for the present day. Cyber insurance is still a very immature market, and there are many insurers who frankly shouldn’t be writing policies because they don’t know what they are doing, what the potential risks are, and how to evaluate their customers. If you live in a neighborhood with a high rate of car thefts, your auto premiums are going to be higher than a safer neighborhood. But there is no single metric — or even a set of metrics — that can be used to evaluate the cyber risk context.

I talk about these and other issues with two cyber insurance gurus on David Senf’s 40 min. podcast Threat Actions This Week here. I am part of a panel with Greg Markell of Ridge Canada and Visesh Gosrani of Guidewire. If you are struggling with these issues, you might want to give it a listen.

Why adaptive authentication matters for banks

The typical banking IT attack surface has greatly expanded over the past several years. Thanks to more capable mobile devices, social networks, cloud computing, and unofficial or shadow IT operations, authentication now has to be portable, persistent, and flexible enough to handle these new kinds of situations. Banks have also realized that they aren’t just defending themselves against external threats, that authentication challenges have become more complex as IoT has expanded the potential sources of attacks.

That is why banks have moved towards adopting more adaptive authentication methods, using a combination of multi-factor authentication (MFA), passive biometric and other continuous monitoring efforts that can more accurately find fraudulent use. It used to be that adaptive authentication forced a trade-off between usability and security, but that is no longer the case. Nowadays, adaptive authentication can improve overall customer experience and help compliance regulations as well as simplifying a patchwork of numerous legacy banking technologies.

In this white paper I wrote for VASCO (now OneSpan), I describe the current state of authentication and its evolution of adaptive processes. I also talk about the migration from a simple binary login/logout situation to more nuanced states that can be deployed by banks, and why MFA needs to be better integrated into a bank’s functional processes.

 

FIR B2B podcast #101: Machine learning comes to marketing

This week we talk about new ways that machine learning and artificial intelligence can benefit marketing organizations. While these three news items are all different aspects of this technology, they show collectively how these new technologies are changing the way marketing is done.

First up is a new smartphone app called Truthify that does advertising context analysis (as shown at right). The app interprets the user’s facial expressions to deliver what it thinks the user’s emotional state is, including fear, anger, or happiness, among other traits. The app comes with a web dashboard so you can analyze your campaigns and the resulting demographics. The app is now available for iOS users and soon for Android.

Second is a new influencer platform called AdHive. It is a combination of influencer marketing and AI-powered campaign management. You can sign up for the tool and influencers are paid to participate, while advertisers can choose the right kinds of people to exploit, er, we mean make use of, their tool.

Finally, Google last week announced four new products using machine learning that are aimed at helping marketers create more effective ads. These include responsive search ads, tools to optimize YouTube traction and local campaign management and smarter shopping. Google claims that advertisers who have tested these services have seen clicks increase by 15 percent.

Marketers who have been loathe to adopt new technologies do so at their own peril. These tools are good examples of what the future portends.

You can listen to our 18 min. podcast with my partner Paul Gillin here.

RSA Blog: New ways to manage digital risk

Organizations are becoming increasingly digital in their operations, products and services offerings, as well as with their business methods. This means they are introducing more technology into their environment. At the same time, they have shrunk their IT shops – in particular, their infosec teams – and have less visibility into their environment and operations. While they are trying to do more with fewer staff, they are also falling behind in terms of tracking potential security alerts and understanding how attackers enter their networks. Unfortunately, threats are more complex as criminals use a variety of paths such as web, email, mobile, cloud, and native Windows exploits to insert malware and steal a company’s data and funds.

In this post for RSA’s blog, I talk about how organizations have to become better at managing their digital risk through using more advanced security and information event management systems and adaptive authentication tools. Both of these use more continuous detection mechanisms to monitor network and user behaviors.

Not yet ready to cut the cable cord

If you want to completely cut the cable cord, it isn’t easy. I have been waiting for technology to become spousal-ready, and we are still about a year or two away. Today you have a lot of choices in the $40/month range that rival what the cable companies offer you for TV programming. The trouble is you have to make a choice between user interface and great TV resolution: you can’t yet have something that delivers both, other than your cable company.

I pay AT&T Uverse $125/mo. for my TV programming. That includes two receivers, one of which is a DVR and a boatload of various taxes and fees. Is it worth it to move to one of the online TV providers and save $85 a month? Eventually, I decided no, after trying two services, You Tube TV and Hulu Live TV. You can follow along with this column if you are brave enough: both offer a free trial of their services for a week, after which the monthly subscription starts. There are other services; my patience wore thin after experimenting with these two however.

Let’s first look at the user interface and mindset of the two online providers. You can obtain your TV programming in one of two ways: either by selecting your shows using a channel via your web browser or via an app that runs on your TV equipment. The web browser has the better UI because the developers working at the providers have more to work with and are more used to building web apps these days. And, you have a real keyboard for input, unlike your TV where you have to navigate around an on-screen one that can be infuriating.

So how do you get the audio and video signals from your computer to your living room TV? Two ways: either by connecting your computer directly to your TV with an HDMI cable or using one of several devices like Google’s Chromecast that does this for you wirelessly. If you use the direct cable connection from your computer, you will have to figure out a wireless keyboard and mouse to control it. If you use Chromecast, you will have to figure out the sequence of controls using the three apps that Google has (Google’s Chrome browser, Google Home and the Chromecast app itself) to get it setup. The workflow isn’t immediately obvious, and I suggest you learn the process before bringing your spouse into the room for the demo.

The nice thing about Chromecast is that any content that is displayed in a browser tab can be quickly transmitted to your TV by clicking a few buttons. I say a few: my wife got immediately weary of the process when I showed her what was involved. Your own experience may be similar. The bad thing about Chromecast is that the resolution is poor: nowhere near HD quality and even below SD video quality. Even if you have an old living room TV (and mine is more than five years old), you will be disappointed with the Chromecast video quality. And by the way, Google sells two different versions of Chromecast: one is for audio only; the other is for video and comes with the HDMI connector.  Make sure you buy the right one.

Another difference is how you access TV shows that have previously aired. Hulu’s web UI is very akin to the Amazon and Netflix web UI. In order to get the entire season’s worth of episodes, you have to click on the name of the show in the “My Stuff” guide. You can’t reorder the shows listed. If you click on the video itself, you are taken to the current episode. You Tube TV lists each episode as separate videos, much like the way ordinary You Tube does for its videos. (You can see the web version of the live TV guide above.)

So far I have only talked about using the web clients of You Tube and Hulu. There is a second method, which uses the native apps that run on your TV equipment. If you have a new TV, chances are it comes with apps for a variety of video providers, including Amazon, Netflix, You Tube and Hulu. I tried the apps that ran on my Samsung Blu-ray player: it didn’t have a You Tube app, again because it was more than five years old.

Sadly, there are UI differences between what you see with your web browser and the TV-based app clients, with the TV apps being far less capable than their web cousins. One big difference is how the onscreen channel or movie guide is shown. Netflix has the longest experience with developing its apps, and there are major interface and stability differences between its Android, iOS, web and embedded TV apps. On my Samsung device, the Netflix app frequently can’t find the Internet, or just quits working entirely. On the web client, that rarely happens.

Like Netflix, You Tube TV and Hulu both allow you to segregate your family’s preferences, so you can keep track of your individual tastes and what you have already watched. You Tube allows up to six different family members. Hulu is more restrictive and confusing, and there is also an unlimited extra-cost option.

Speaking of extra cost options, this is where the two providers are showing their relative youth. If you don’t want to watch live TV programming, Hulu has plans that start at $8/mo., or $12/mo. if you want to skip most commercials. If you want everyone to watch different streams concurrently, that will cost another $15/mo. There are also premium channel fees for HBO, Showtime and Cinemax.  You Tube TV has Fox Sports, Starz, AMC, Sundance and Showtime premium add-on channels.

Finally, Hulu with Live TV doesn’t support viewing live TV streams on all of its devices, according to this very confusing webpage. I read over the caveat several times and didn’t really understand what they were saying.

Alright, let’s move on to discussing the real benefit with using the TV apps from the online providers (or Blu-ray player, in my case).  Your video quality will be as good as anything else you run on the TV, full HD. But you have to put  up with a sub-par UI to get it.

So, what should you do? First, if you are in the market for a new TV, sign up for at least one of the online TV providers before you go shopping, and set up a simple temporary login password too. Go to your store and login to your provider, using the embedded app on the TV, and see for yourself if the UI is going to give you fits in selecting your programming with a couple of sets that you are interested in. If you really want a true A/B test, buy a Chromecast and bring that along with your laptop and see what the resolution will be if you don’t believe me.

If you just bought a TV within the last couple of years, try my experiment at home and see if you get better results that I did with my tests. The apps could be better than I experienced. If you have a large family and many different TV sets scattered throughout your home, you will probably end up sticking with your cable provider.