Avast blog: The latest security trends from Verizon’s annual breach report

Today Verizon published the latest 2020 Data Breach Investigations Report (DBIR). What sets the DBIR apart is that it combines breach data from multiple sources using the common industry collection, VERIS, a third-party repository where threat data is uploaded and made anonymous. This gives the report a solid authoritative voice, which is one reason why it’s frequently quoted by the security community. Report citations also come from vendor telemetry sources, so it is also a bit self-referential.

I look at overall SMB and ransomware trends, along with the declining popularity of malware in favor of more web app exploits. You can read more about these trends in my blog for Avast.

RSA blog: Do you know where your firewalls are located?

When I was growing up, the evening news would start with the tag line, “It’s ten o’clock, do you know where your children are?” I know, it seems quaint now, especially since many of us haven’t left home in weeks. The modern equivalent might be, “It’s whatever o’clock. Do you know where your enterprise’s firewalls are?”

This is not a rhetorical question. Answering it will give you some insight into how your network infrastructure is governed (or not, as the case might be), and what actionable steps to take to fix it. I wrote in a recent blog post that as more of us work from home (WFH), we must go back to basics. One of those basics is understanding our network topology and where the firewalls are located.

In my latest column for RSA’s blog, I discuss this issue and how it can be very timely to know this information.

CIO.com webinar: Managing third-party risk in uncertain times

The world of risk management is undergoing some important changes. Security has become everyone’s concern and is not just the province of the IT department any longer. As our businesses become more dependent upon digital technologies, they become bigger targets for attackers to invade our networks and our endpoints. Understanding where our weakest links are located and how to remove them will become essential to ensure the future health and cybersecurity of our enterprises.

The world of risk management is undergoing big changes, some due to uncertain times with the COVID-19 pandemic. In this webinar done on behalf of Security Scorecard for CIO.com, I explore some of these best practices to assess these risks.

You can sign up to view the webinar here.

Family tech support questionnaire

As we become more reliant on technology to support our sheltering-in-place, we realize that many older folks are not quite digital natives and don’t feel comfortable with the now-common computing tasks that many of us have jumped on to handle our lives. And that means that more and more of us have become forced into the de-facto family tech support role. As someone in my generation (60-something) who has been a tech family support nerd for more than half of my life, I wonder how many of you are experiencing this situation?

Supporting our non-tech savvy relatives has gotten harder because now so many of us depend on tech to get through the day. The stakes are higher, and the lack of digital literacy can have much higher consequences these days. So to help you out, let’s start by taking stock of the dimensions of digital literacy that you might encounter.

Herewith is a simple questionnaire to give you some idea of how this will all play out in the time of the lockdown.

  1. Can your family members receive and read an email attachment? This is a basic requirement for many online activities, such as reading recipes and receipts from online orders, obtaining documents and other items. While you may be adept at email, your older generation might have difficulty.
  2. How often does your family member check their email? Many of our family members haven’t developed a regular email habit. This could be generational: older folks never learned touch typing and young ‘uns prefer texting. Without regular email scans, these folks can miss important notifications generated by their other online activities too.
  3. Do you and your spouse share a common email or Facebook account? Many elderly folks like to share accounts, but then who does what and when? If they don’t have a regular email habit, this makes the medium much less effective.
  4. Email isn’t the only connecting tech we all use these days. Does your family member use any common messaging app such as texting, Slack, Facebook Messenger, or WhatsApp? This can be a great way to stay in touch with multiple generations if you can agree on a single family platform. I have seen families that can’t find common ground, which makes communication difficult.
  5. Does your family member own a smartphone and can they install a new app on it? Many elderly have older-model “dumb” phones that date from the last century and don’t do anything other than make and receive phone calls. That can limit their effectiveness. If your elderly member has a more modern phone but still can’t install or configure apps, you’ll have to assign someone for that support role who is located nearby.
  6. Have your family members used Uber or equivalent ride-sharing services? One of the first uses for a smartphone is with mobility: having a ride-sharing service is especially important for those that can’t drive or who don’t have cars. I know plenty of elderly who love their Ubers just as much as millennials. But usually someone has to show them the ropes.
  7. Have your family members done any restaurant curbside pickup or meal delivery? Many restaurants are asking customers to order online or via their smartphone apps. Being able to do this in these lockdown times is a way to help bring a little variety into someone’s life, as long as the family health protocols allow for meal deliveries.
  8. Have you ever read any Twitter posts? Uploaded any Snapchats and Pinterest photos? Often the grandchildren pix are the first mission-critical app for my generation and the learning curve to figure out these social network services can be frustrating.
  9. As we stay at home more, the center of entertainment is the TV, and today’s TVs are really computers in disguise. Does your family member watch any streaming service on their TV, such as Netflix, Hulu, YouTube TV, etc.? Do they know how to set it up? If not, you will have to support that activity. My own smart TV sometimes loses its network connection, and a hard power cycle is the easiest way to fix that. Something is wrong with that.
  10. Let’s talk about paying for various things online. For many elders, cash is still king. I recall how my dad would never leave the house without hundreds of dollars in his pocket. But these days, cash is often not accepted for fear of viral contact. So seeking non-cash methods is important. One of the first things one of my family members did was get help to set up her online bill paying. She liked it and was happy to be rid of the chores of finding stamps and printed checks. Your family members may not be interested in this process, or they may want to dive in further and use contactless payment cards and online payment processors such as PayPal and Venmo to make it easier to move their funds around and send birthday gifts to the grandkids.
  11. The next step is buying all sorts of things online, including groceries and medicines. You might have a lot of support work needed to help your family member figure out where to do their shopping and how to navigate the piss-poor user interfaces of Instacart and others that are barely functioning right now.
  12. The elderly are big library patrons and these days libraries have moved to their digital efforts. Can your family members check out an ebook from their local library, or purchase an ebook for their Kindle? Many elderly would still prefer printed books and newspapers, but can they order them online from their local booksellers?
  13. One of the more popular apps to virtually meet is Zoom, and it is certainly a lot easier to join a Zoom than some of its competitors. But how about if grandma wants to run her own book club virtually on Zoom? She might need some help getting it all set up.

As you can see, there is a lot of technology to master and manage. Being the family IT support person has gotten a lot more complicated. And as we depend on tech to get us through these times, it can be frustrating for all of us to solve the issues. Just take a step back, see how much tech we have acquired over the years, and take a deep breath.

FIR B2B Podcast #137: Invoca CMO Dee Anna McPherson on Building Strong Customer Advocacy Programs

We talk today with Dee Anna McPherson, the CMO at Invoca, an AI call tracking and conversational analytics vendor. That is a mouthful, and one of the things she is doing is trying to define and own a new product category. That could be a daunting prospect, except she has done this before when she worked at Yammer (before they were engulfed by Microsoft) and then at Hootsuite. When Yammer began, no one had heard about microblogging, as it was called then. McPherson managed to define “enterprise social networking” as Yammer’s category and the company was off to the races from there. With working from home now the norm, that kind of technology has become the de facto standard for communications among remote team members.

Paul wrote about Invoca last year for Silicon Angle on how they use machine learning to transcribe and classify calls.

McPherson tells us about the importance of customer communication in building strong customer advocacy programs. You need to figure out a way to tell their stories without using the words “customer case study” or “reference account.” Customers really do want to help as long as they aren’t seen as shilling, she believes. This is a topic we’ve touched on before, such as FIR B2B #118’s discussion about how customers should be your best advocates as well as Paul’s written work on social media marketing. We close out the podcast talking about how things have changed for marketers in the pandemic, how customer supply chains are evolving and how marketers can benefit from this transition.

Listen to our podcast here:

Tracking your browsing using HTML canvas fingerprinting

Every time you fire up your web browser your movements and browser history are being leaked to various websites. No, I am not talking about cookies, but about a technology that you may not have heard much about. It is called canvas fingerprinting.

In this post, I will tell you what it does and how you can try to stop it from happening. Beware that the journey to do this isn’t easy.

The term refers to coordinating a series of tracking techniques to identify a visitor by browser, IP address, processor, operating system and other details. Canvas is the HTML 5 programming interface used to draw graphics and animations with JavaScript. It is a very rich and detailed interface, and to give you an idea of the data the browser collects without your knowledge, take a look at the screenshot below. It shows my computer running Chrome on Mac OS v.10.13 on Intel hardware. This is just the tip of a large iceberg of other data that any web server can find quite easily.

HTML Canvas has been around for several years, and website builders are getting savvy about how to use it to detect who you are. In the early days of the web, tracking cookies were used to figure out whether you had previously visited a particular website. They were small text files written to your hard drive. Canvas fingerprinting is more insidious because no tracking information is left behind on your computer: everything is stored in the cloud. Worse, your fingerprint can be shared across a variety of other websites without your knowledge. And it is very hard to eliminate this information once you start using your browser and spreading yourself around the Internet. Even in a private or incognito browsing session, you are still dribbling out this kind of data.

How big an issue is canvas fingerprinting? In a study done by Ghostery after the 2018 midterm elections, they found trackers on 87% of a large sample of candidate websites, and 9% of the sites had more than 11 different trackers present. Google and Facebook trackers appeared on more than half of the websites, and Twitter-based trackers appeared on a third of the candidate webpages.

So what can you do to fight this? You have several options:

  1. Make modifications to your browser settings to make yourself more private. The problem with this is that the mods are numerous and keeping track of them is onerous. This post gives you a bunch of Firefox suggestions.
  2. Use a different browser that gives you more control over your privacy, such as Brave, or even Tor. In that linked post I mention the usability tradeoffs of using a different browser and you will have to expend some effort to tune it to your particular needs. I tolerated Brave for about two days before I went back to using Chrome. It just broke too many things to be useful.
  3. Install a browser extension or additional software, such as PrivacyBadger, Ghostery or Avast’s AntiTrack. I have already written about the first two in a previous post. AntiTrack is a stand-alone $50 per year Windows or MacOS app that works with your browser and hides your digital fingerprint — including tracking clues from your browser canvas — without breaking too much functionality or having to tweak the browser settings. I just started using it (Avast is a client) and am still taking notes about its use.
  4. Only run your browser in a virtual machine. This is cumbersome at best, and almost unusable for ordinary humans. Still, it can be a good solution for some circumstances.
  5. Adopt a more cautious browsing lifestyle. This might be the best middle ground between absolute lockdown and burying your head in the sand. Here are a few suggestions:
  • First, see what your HTML Canvas reveals about your configuration so you can get a better understanding of what data is collected about you. There are a number of tools that can be used to analyze your fingerprint, including:

    Each of these tools collects a slightly different boatload of data, and you can easily spend several hours learning more about what web servers can find out about you. 

  • Next, assume that every website that you interact with will use a variety of tracking and fingerprinting technologies.
  • Always use a VPN. While a VPN won’t stop websites from fingerprinting your canvas, at least your IP address and geolocation will be hidden.
  • Finally, limit your web browsing on your mobile devices if at all possible. Your mobile is a treasure trove of all sorts of information about you, and even if you are using any of the more private browsers you still can leak this to third parties.
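To make the read-back step concrete, here is an added example (not from the original post and not the code of PrivacyBadger, Ghostery or AntiTrack): a guard in the style privacy extensions use, which wraps the canvas read-back calls a fingerprinting script has to make, logs each one, and sets a few low-order pixel bits from a per-session seed so the resulting hash is stable within a session but not across sessions. Node.js is assumed for the stand-alone run, with constructed `FakeCanvas`/`FakeContext2D` stand-ins for the DOM; in a browser you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` instead.

```javascript
// Added example, not code from the original post or from any tool it names. A
// guard in the style of a privacy extension: it wraps the canvas read-back
// methods a fingerprinting script must call (toDataURL, getImageData), reports
// each call, and forces the low bit of one colour channel in ~1 pixel in 16 to a
// per-session value, so a tracker's pixel hash changes from session to session.

// xorshift32: tiny deterministic PRNG, so one seed always picks the same bits.
function xorshift32(seed) {
  let s = (seed >>> 0) || 0x9e3779b9;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s;
  };
}

// Sets (never flips) the LSB of R, G or B in selected pixels, in place, so a
// second read-back in the same session returns identical bytes. Transparent
// pixels are skipped so a blank canvas stays blank.
function perturbPixels(data, seed) {
  const rnd = xorshift32(seed);
  for (let i = 0; i < data.length; i += 4) {
    if (data[i + 3] === 0) continue;
    const r = rnd();
    if ((r & 0x0f) !== 0) continue;                  // ~1 pixel in 16
    const channel = (r >>> 4) % 3;                   // never the alpha channel
    data[i + channel] = (data[i + channel] & 0xfe) | ((r >>> 8) & 1);
  }
  return data;
}

// FNV-1a stands in for whatever hash a tracker applies to the data URL.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Browser use: installCanvasGuard(HTMLCanvasElement.prototype,
//   CanvasRenderingContext2D.prototype, { seed, onRead: ev => console.warn(ev) })
function installCanvasGuard(canvasProto, ctxProto, { seed, onRead }) {
  const orig = { toDataURL: canvasProto.toDataURL, getImageData: ctxProto.getImageData };
  const events = [];
  const report = (method, width, height) => {
    const ev = { method, width, height, at: new Date().toISOString() };
    events.push(ev); if (onRead) onRead(ev);
  };
  // Rewrite the canvas in place (LSBs only) before the real encoder sees it.
  const noiseCanvas = (canvas) => {
    const ctx = canvas.getContext && canvas.getContext('2d');
    if (!ctx || !canvas.width || !canvas.height) return;   // e.g. a WebGL canvas
    const img = orig.getImageData.call(ctx, 0, 0, canvas.width, canvas.height);
    perturbPixels(img.data, seed);
    ctx.putImageData(img, 0, 0);
  };
  canvasProto.toDataURL = function (...args) {
    report('toDataURL', this.width, this.height);
    noiseCanvas(this);
    return orig.toDataURL.apply(this, args);
  };
  ctxProto.getImageData = function (...args) {
    const img = orig.getImageData.apply(this, args);
    report('getImageData', img.width, img.height);
    perturbPixels(img.data, seed);
    return img;
  };
  const uninstall = () => { canvasProto.toDataURL = orig.toDataURL; ctxProto.getImageData = orig.getImageData; };
  return { events, uninstall };
}

// Constructed stand-ins (Node has no DOM). "Drawing" fills the buffer with bytes
// derived from the text, much as real glyph rendering depends on installed fonts.
class FakeContext2D {
  constructor(canvas) { this.canvas = canvas; this.buf = new Uint8ClampedArray(canvas.width * canvas.height * 4); }
  fillText(text) { for (let i = 0; i < this.buf.length; i++) this.buf[i] = (text.charCodeAt(i % text.length) * 7 + i) & 0xff; }
  getImageData(x, y, w, h) { return { width: w, height: h, data: this.buf.slice(0, w * h * 4) }; }
  putImageData(img) { this.buf.set(img.data); }
}
class FakeCanvas {
  constructor(w, h) { this.width = w; this.height = h; this.ctx = new FakeContext2D(this); }
  getContext(kind) { return kind === '2d' ? this.ctx : null; }
  toDataURL() { return 'data:application/octet-stream,' + Array.from(this.ctx.buf).join(','); }
}

// One tracker "session" (one seed): draw text, read the canvas back twice, hash.
function fingerprintOnce(seed) {
  const guard = installCanvasGuard(FakeCanvas.prototype, FakeContext2D.prototype, { seed });
  const canvas = new FakeCanvas(64, 16);
  canvas.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz');
  const first = fnv1a(canvas.toDataURL());
  const second = fnv1a(canvas.toDataURL());          // same session: must match
  guard.uninstall();
  return { first, second, reads: guard.events.map(e => e.method) };
}
```

Real extensions also wrap `toBlob` and WebGL `readPixels`, which are left out here for brevity; the `onRead` callback is where a user script would log which site is reading the canvas.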


Figuring out data transparency

Those of us of a certain age might recall when Barbie could utter the phrase “Math class is tough.” A good example of this is how to figure out the data transparency in the time of the Covid.

One of my go-to sites is the Covid Tracking Project, which is a group of computer scientists that daily scrape and interpret the thousands of county health stats for testing and infection data. You might have noticed that for each state’s data summary they issue a letter grade for transparency. How they arrive at that grade is instructive, and we should all take a moment to understand the calculations. Even if our business isn’t involved in public health, it can help inform and improve our own transparency efforts.

Just look at some of the recent transparency disasters from last summer, when Facebook and Equifax couldn’t be trusted with showing the truth behind their numbers. We want to be more transparent, because that means we have the ability to create trust with our customers and partners. So let’s look at how the Covid Tracking Project assigns these grades to each state and US territory.

Their transparency grade uses 16 different metrics. These include factors such as: is the state’s official health website the best data source, and is it consistently updated? Does the state report patient outcomes, such as how many patients are on ventilators? Does the state break down the demographics by ethnicity, race and pre-existing conditions? How about total hospital capacity for the state? For each metric, the data quality can vary and the details matter. For example, some states just report positive tests and deaths. For those states, you have no way of knowing how many negative tests were obtained, or how many of those who tested positive went on to consume an ICU or ER bed or other hospital resources.

The transparency grades are calculated each day: I have noticed that the grade for my state, Missouri, has varied from A to C. Today Nevada, Nebraska and Puerto Rico all have failing grades.

But wait, there is more. The project team also has a Slack channel and a GitHub public project where you can dive deeper into what is going on here. The former is used to address reporters’ questions and the latter is used to call out support or bug issues. The team also has taken pains to explain exactly what they are counting — for example, they look at where people are being tested, which is not necessarily where people first became ill. Every state reports these numbers somewhat differently: some use online dashboards or hyperlinked data tables, while others announce their stats at daily press conferences or via social media posts. The team has taken pains to double-check everything and annotate where things are ambiguous or unclear.

I should mention that the project relies on dozens of volunteers too: so managing all this collaboration is key. Clearly, there is a lot we all can learn from their excellent transparency efforts.

Watch that meme!

Take a look at the image below. It has been reposted thousands of times on social media.
[Image: Jon Cooper 🇺🇸 on Twitter: "Yo, Mister White Racist. If I was you ..."]

Notice anything odd about it? Perhaps if you are good at sight proofreading, you might catch that the words accommodate and illegals are both misspelled. Now let me ask you another question: where do you think this picture would be posted? On accounts from right-wingers? Perhaps, but it was also posted on leftist accounts as well, with words about “look how idiotic these other guys are.” Sad to say, both sides are getting played: according to Internet researcher Renee DiResta, the image was created by the state-sponsored Russian trolls at the Internet Research Agency. It was carefully crafted to inflame both sides of the political spectrum and as a result was very popular a few months ago.

When we receive items like this in our news feeds, the natural reaction is to click and forward it on to a thousand of our closest Internet friends. But what this small example shows you is to stop and think about what you are doing. That meme could travel around the world in a few seconds, and end up more likely hurting your cause. How many of us have gotten some major bombshell (such as Fox News’ John Roberts saying the Covid virus was a hoax), only to find out from Snopes and other fact-checking places that we were misled.

Indeed, if you do an image search on the “foreign language” patch above, you will likely see a number of different versions: some with the correct word spellings, some with corrections with red overlays, and some with different borders and other small differences. What this shows me is how effective this patch was, and how insidious was its purpose at sowing dissent.

Earlier this year I wrote a post about how to vet your news feed. Take a moment to re-read it if you need a reminder, along with some tips on how to evaluate potentially fake images and other propaganda. Earlier in April, WhatsApp put a limit on how often viral messages can be forwarded: just to a single person (it used to be five). That helps, but the social platforms could do a lot more to screen for these abuses.

About ten years ago, I ended one of my columns with the following advice. Watch out for those memes, and take a breath before clicking. You might save yourself some embarrassment, and also not get played by some troll. Some things sadly never change.

How to run a successful professional web conference

Now that we are sticking close to home, we are using web conferencing tools. No matter how tech-savvy you might be, running a great conference isn’t easy and will require a collection of people with various skills: part TV producer, part sound engineer, part professional speaker, and all sprinkled with a good deal of patience and troubleshooting. For the past several months, I have been on the production team of a rather large conference for the American Red Cross. We have a team of more than a dozen people that puts on this event every month, and lately has had several hundred attendees and multiple presenters. Every month we find and fix new and interesting problems, some technical, some social, some particular to Webex.

Before I give you some lessons learned from this and other web conferencing experiences, I want to relate an anecdote from this month’s call. I was talking to one Red Cross volunteer who was having trouble getting connected. When he told me that he was at a Red Cross blood drive and actually giving blood, I suggested that maybe he should just wait and watch the recording of the event. A few minutes later, he emailed me and told me that he had figured out how to tune in for the meeting. That is devotion!

Here are some suggestions so hopefully you can make your meetings more valuable and professional. You might also want to review another blog post that talks about more general collaborative techniques.

  • Decide whether you want to display everyone on camera, run a live demo from someone’s computer or focus on the slide presentation. You can’t really do all three well, and switching from one to another can introduce issues. Pro tip: if you are sharing your screen, you’ll want to share it from a second monitor that is using a lower resolution.
  • Simplify, simplify. Eliminate options to help reduce user confusion, and simplify the technical details whenever you can. Keeping things simple means less to go wrong. For example, we use two chat channels: the one built-in to Webex is for the attendees to ask questions (we don’t use the Q&A feature to keep things simple) and we have separate Microsoft Teams chat sessions so the production team can communicate with each other as issues arise during the session.
  • Use a consolidated slide deck. Give a deadline when additions/changes will be accepted, thereafter the deck is locked. This means someone will be the lead producer, who will advance the slides for everyone. On Webex, there are three different ways to share your slides: “Share the actual PPTX file” (recommended), “Share Application,” or share your entire desktop. Pro tip: with this latter method, you will want to turn off notifications on your computer — Focus Assist settings should be turned off in Windows or Notification Center set to Do Not Disturb with Mac.
  • Assign roles with care. The more you can segregate these roles and spread them among different people, the better the overall experience for your attendees. It also allows the production staff to focus better. We typically have at least six people that run each webinar:
    • The host, who acts as master of ceremonies and keeps everyone on schedule.
    • The lead producer, who sends out meeting reminders and calendar invites, advances the slides, does audio checks, and is in charge of everyone else during the event. The producer also posts a recording of the meeting and chat sessions to the various online repositories.
    • The secondary producer, who troubleshoots problems for attendees and presenters and responds to emails during the event about production and connection problems.
    • Two chat monitors: one as backup, one who will read the questions aloud and direct the appropriate person to answer them during the meeting at specific points.
    • A graphic artist, who whips the slide deck into shape visually.
    • In addition to these roles, there are several others that work in the background. We all report to a team leader, who is ultimately responsible for organizing each month’s speakers and does final review of all of our materials prior to the meeting. We also have note-takers who organize the after-action report and follow up with any promises made during the meeting.
  • Rehearse. All presenters should have a sound check prior to the start of the meeting. We usually do this the hour before the meeting: given that we have so many presenters, we want to make sure they can be heard clearly. This is usually where the problems happen, so resolving these early is key. We usually recommend using a headset with its own boom mic rather than a speakerphone. Also, rebooting your PC just prior to the meeting is a good way to clear out problems. Presenters should also rehearse moving from slides to live screens and back: the transitions can be tricky with certain endpoints and web service providers.
  • Put together several documents to help your production staff: these include a sample timings sheet with speaker, topics and start and ending times, a contact sheet of everyone’s phones and emails, and other production details.

As you can see, there is a lot of work to produce a quality web conference. Feel free to share your own tips here as well.

The privacy challenges of contact tracing by smartphone apps

A number of countries — and now individual US states — are planning or have rolled out their smartphone-based contact tracing apps, in the hopes of gaining insight into the spread of infections. As you might imagine, this brings up all sorts of privacy implications and challenges. Before I review where in the world you can find an ailing Carmen Sandiego, let’s look at the four major development projects that are now underway.

  • The most well-known is a joint project from Google/Alphabet and Apple that is more a framework than an actual app. Vaughan-Nichols explains the actual mechanics and The Verge answers some of the questions about this effort. The UK is poised to test their app based on this framework sometime soon. Both vendors have stated that these protocols will be incorporated into releases of Android and iOS later this summer.
  • An open-source EU-based effort called DP-3T has developed an Apache/Python reference implementation here on GitHub. There are sample apps for Android and iOS too.
  • A second joint EU-based closed-source effort called PEPP-PT has gotten support from 130 organizations in eight different countries. No current apps are yet available to my knowledge on either EU effort.
  • Finally there is BlueTrace/OpenTrace, open source code developed by Singapore as part of its tracing app, TraceTogether, which launched in late March. So far no one else has made use of their code.

All four proposals — I hesitate to call them implementations — are based on a few common principles:

  • When a match with a known infected user is made, all data is collected and stored locally. The idea is to preserve a user’s privacy, but still give public health officials some insight into the users’ movements. Some of the implementations combine local and centralized health data, such as the PEPP framework and Singapore’s app.
  • The contacts are found through the use of Bluetooth low energy queries from your phone to nearby phones. These can reach up to a hundred feet in open air. The ACLU is worried that this data isn’t all that accurate, and has raised other privacy issues in this paper.
  • There are various encryption protocols and layers, some better than others. The goal here is to anonymize the user data and keep hackers at bay. Some information and interfaces are documented, some things aren’t yet published or won’t be made public. And of course no system is 100% fail safe.
  • The apps all rely on the GPS network, which limits their utility given that precise locations aren’t really possible. Some efforts are more sophisticated in cross-checking with the user’s common locations and Bluetooth contacts, but this is very much an inexact science. Taiwan tries to get around this by having the user call the health department and cross-check their own location history against this repository and request a test if there was an intersection.
  • Usually, the local health agency interacts with the tracking data — that is the whole point of these things. But as in the case of Singapore, do we really want a central point where potential privacy abuse could happen? How long does the agency keep this location data, for example?

You can see where I am going with this analysis. We have a lot of things to juggle to make these apps really useful. One of the biggest issues is the need to combine tracking with testing to verify the spread of infection. This paper from Harvard goes into some of the details about how many tests will be needed for tracking to be effective. As you can guess, it is a lot more testing than we have done in the US.

Yes, many of us are now sticking at home, and obeying the recommendations or in some cases the varying local rules. (Israel, for example, doesn’t allow anyone to travel very far from their homes.) But some of us aren’t obeying, or have to travel for specific reasons. And what about folks who have gotten the virus and haven’t gotten sick? Should they be allowed to travel with some sort of document or (as Bill Gates has suggested) a digital signature?

This page on Wikipedia (while I don’t like citing them, folks seem to be keeping the page updated) lists more than a dozen countries that have apps deployed. India has multiple app deployments from various state agencies. There are also apps available in China, Israel, Norway, Ghana, the Czech Republic and Australia. You should take a look at the various links and make your own comparisons.

What should you do? In many places, you don’t have much choice, particularly if you recently returned home from outside the country. For those of us that have a choice, if you don’t like the idea, then don’t install any of these apps, and when the phone operating systems update over the summer, remember to turn off the “contact tracing” setting. If any of you are active in the efforts cited here, please drop me a note, I would love to talk to you and learn more.