Avast blog: Just because your iPhone is powered off doesn’t mean it can’t be attacked

Did you know that even when your iPhone is turned off, some of its components are still getting power? Researchers have found this to be one of the reasons why a new attack vector can operate without your knowledge. The issue lies with the iPhone’s Low Power Mode (LPM) and the fact that while using this functionality, certain communications chips continue to operate. Apple’s LPM features were introduced as part of iOS 15 and enable things such as Find My Phone, which can continue to track and function when a phone is turned off. You can find out more about this, and how it stacks up with air-gap research and NSO’s Pegasus, in my latest blog for Avast here.


CSOonline: How to choose a certificate management tool

Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map, including those for servers, for applications, to encrypt your email messages, for authenticating to connect with IoT devices, to allow you to make edits to a piece of code, and for user identities to have access to a particular shared resource.

cso email security suites table

I mention the above products and some of their important features, along with other aspects  about how to manage your certs in my post for CSOonline here.

Red Cross blog: Brian Mintner Delivers Blood and Much More

Saving lives isn’t just some abstract concept for the American Red Cross. Volunteer Brian Mintner not only delivers lifesaving blood to people he’ll never meet, he is directly responsible for saving one specific life. Brian is the manufacturing transportation supervisor for the Missouri-Arkansas region of the Red Cross, coordinating the movement of blood products collected from donors and ensuring they are transported to various hospital blood banks. He oversees a vast transportation network that, he admits, “is a brutal chain of custody.”

In my blog for the Red Cross, Brian (whom I also work for as I am one of his volunteer drivers) is profiled.

Who killed Shireen?

CPJ calls for swift, transparent investigation into shooting death of  Al-Jazeera's Shireen Abu Akleh while reporting in West Bank - Committee to  Protect JournalistsThe killing of Al Jazeera veteran journalist Shireen Abu Akleh last week has haunted me in the days since it happened. She was covering a raid by Israeli forces in the refugee camp of Jenin in the West Bank. For specifics about what happened, I would urge you to read Bellingcat’s analysis.

The Israelis initially said she was killed by Palestinians, then changed their story to say they weren’t sure who actually fired the fatal shot. Various other sources, including representatives of the Palestinian government and various Al Jazeera reports that have aired in the past week, claim it was Israelis, and done deliberately. These reports state that a sniper took careful aim at Shireen because she was wearing body armor and a helmet. The single shot hit her head just below her ear, which wasn’t protected.

The map shows her position (the red dot at the top), as well as the positions of Army forces and Palestinians. Both groups were similarly armed with M4 assault rifles using the same ammunition. I’ll get back to this in a moment.

What is even sadder about the circumstances surrounding Shireen’s death are the circumstances around her funeral. There were additional clashes with the Israeli army and police at both the hospital morgue and the church where her services were held. I am not going to link to the video clips but let’s just say it is pretty clear that “clashes” is probably not the best descriptor. Tensions and emotions were high, and it was ugly.

There have been 19 journalists killed in Israel (including Gaza and the West Bank) over the past two decades. That link will take you to the Committee to Protect Journalists — two other people have been killed there without confirmed motives. What makes this more personal for me was first, Shireen was a dual American/Palestinian citizen and a journalist. She is buried in the Christian cemetery that I visited three years ago when I was searching for the grave of Oskar Schindler. The route that took her to the cemetery is one that I have frequently walked over my many visits to the city. Finally, I have seen numerous reports of hers over the years that I have watched the Al Jazeera English channel, and admired her reporting and how often she was in the line of conflict. She was amazingly courageous.

Now, figuring out the origins of that bullet aren’t going to be easy. The Israelis and Palestinians don’t want to work together, but to have a definitive answer means you need to test the guns that were used that day. Some of them have been collected, but the chain of custody is probably broken on both the bullet and the weapons. Never has a single bullet carried so much weight since that November day in Dallas when JFK was killed.

I mourn Shireen’s death greatly.

Avast blog: How to make a successful transition to a hybrid work schedule

Employers should migrate to a hybrid environment only after building a solid foundation to support remote workers. As Covid-19 pandemic restrictions have eased, employers are adjusting their work-from-home policies. Some companies, including Airbnb, have doubled down and made substantial commitments to remote working. Others, like Google, have begun to shift to more in-person and hybrid office policies. This range just among the two tech giants is an example of the different possibilities being considered by other employers. According to a 2017 Gallup poll, 43% of U.S. employees worked remotely all or some of the time.

Part of the reason for this difference has to do with how all of us have adjusted to working in the face of the pandemic. I explain more in this post for Avast’s blog.

The changing digital business climate in India

Late last month the Indian CERT issued a ruling directed at improving its breach security. The ruling has some big impact in terms of limiting the privacy of its computer users, and how digital business is conducted there. The news has centered around its effect on VPN operators, but the ruling also affects data center providers and “intermediaries,” which could be any ISP or indeed any digital business that has Indian origin. The ruling isn’t final but is supposed to go into effect next month.

— First, businesses must notify the CERT within six hours of any breach or security incident, and provide any system logs that have to be maintained for six months. These incidents are described across a wide collection of situations, including website defacement, identity theft, DDoS, data theft, wholesale port scans and other attacks. The six-hour window is a pretty tight one, and other geographies have much longer notification periods (The EU’s GDPR is 72 hours for example.), and in some cases, businesses may not even know of a breach during that short time period.

— Second, digital businesses must collect log a variety of user data, including valid names, IP addresses, public encryption keys, emails, physical address and phone contacts. CERT requests that any vendor keep these logs for up to five years. The businesses specifically mentioned in the ruling include remote access vendors, VPN operators, cloud providers and data centers. But it could apply to any company that has a bunch of programmers in India, which is certainly a common situation for perhaps most large international companies.

The actual logs are being collected to enable the CERT to reconstruct individual transactions so they can identify the parties involved. That is a tall order, because it assumes that businesses will have to collect a lot more data about their customers than they have done previously.

As you might imagine, this has thrown many businesses into a tizzy, because of the onerous provisions in this ruling. What is curious is that the role of India’s CERT has moved beyond its lane, which is typically the national agency (our CERT which began its operations in Pittsburgh) that handles breach reporting and makes recommendations when they are observing increases in computer attacks.

The five-year log collection period is what I want to focus on. As I said at the top of this post, the news has mostly focused on VPN providers, and indeed they have reacted with some trepidation. Some have said they might have to forgo their Indian operations. “Forcing VPN providers to track user traffic and their private data is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers,” said Artur Kane, the CMO at VPN provider GoodAccess.com.

The data retention piece of the regulation is also an issue. Part of the issue, as I mentioned in my earlier reviews of VPNs, is that figuring out data retention policies and practices is very difficult, and almost every vendor has problems here. But there is another side as well: “Asking VPN vendors to retain this amount of customer data is without precedent in democratic countries” Kane said.

Many VPN providers have claimed “no logs” as part of their marketing strategies. This is almost as ridiculous and nearly unprovable as their claims for “military-grade encryption.” CNet wrote this piece a few years ago about why you should be so skeptical about these claims — there are numerous types of logs, and numerous ways to collect and dispose of this data. “No matter how much we trust any particular VPN to help mask our internet browsing, it’s virtually impossible to verify whether a VPN truly keeps no logs,” they wrote. I agree. If you want to research this further, read this analysis by Consumer Reports on how many VPNs keep local logs (on your own machine).

While getting better intelligence about cyber attacks is important, the way the Indian CERT is going about this is wrong-headed, and perhaps will prevent many companies from continuing to do business in India.

Network World: Lessons learned from the Atlassian network outage

Last month, software tools vendor Atlassian suffered a major network outage that lasted two weeks and affected more than 400 of their over 200,000 customers. It is rare that a vendor who has been hit with such a massive and public outage takes the effort to thoughtfully piece together what happened and why, and also provide a roadmap that others can learn from as well.

In a post on their blog last week, they describe their existing IT infrastructure in careful detail, point out the deficiencies in their disaster recovery program, how to fix its shortcomings to prevent future outages, and describe timelines, workflows and ways they intend to improve their processes. I wrote an op/ed for Network World that gleans the four takeaways for network and IT managers.

Avast blog: Top MFA myths busted

Today is World Password Day. Ideally, every day you should take some time to improve your password collection, and the best way to do that is to use MFA. But for all of its utility, MFA still has its resistors. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths in my latest post for Avast and hopefully help you convince folks to get onboard.

What is the online “town square” and how should it work?

renee direstaThe news about Elon Musk’s intended purchase of Twitter has brought about a lot of hooey and hand-wringing. Here are my thoughts. I first listened to a very interesting interview by ex-White House speechwriter Jon Favereau of Renee DiResta, an expert on tech policy at the Stanford Internet Observatory, whom I have quoted numerous times in the past. She makes the case that Elon has a fundamental misunderstanding of what online free speech means, even ignoring the fact that free speech only applies to governments, not companies. Renee amplifies her piece for The Atlantic that she wrote a few weeks ago, saying that Elon is more about attention than freedom (and who knows if his bid will even go through). “Free expression should be a foundational value,” she wrote. She also makes the case that all online social media products moderate their content – and most do so reactively, inconsistently or clumsily or all three. This includes Truth Social, Gettr and Parler, just to name some of the more notable “free speech” ones. (The hyperlinks will take you to their community guidelines for your future reference.)

Suzanne Nossel, the CEO of the writers’ group PEN America, writes that “Musk will learn the hard way that there is no return to a mythic online Eden where all forms of speech flourish in miraculous harmony.” However, she agrees with him (and others) that our current content moderation methods are deeply flawed. If you haven’t learned the words “shadow banned” (where followers are deleted without telling them from your social accounts) or retconned (officially sanctioned revisionist history), you will hear them more often during these discussions.

So what is the solution? DiResta and others penned this piece in SciAm, suggesting that social media companies need to become more transparent. “The only way to understand what is happening on the platforms is for lawmakers and regulators to require social media companies to ​provide researchers and others access to data on the structures of social media, like platform features and algorithms​.”​ PEN’s Nossel is also for more transparency. She suggests that more moderation is essential to prevent spammers, trolls, and other quackery from taking over social media and that “robust content moderation is here to stay,” especially to try to stem the tide of false positive takedowns of content and users. For example: TikTok restores more than 1M videos each month after initially removing them for violations. Of course, they allow millions more to be posted to their site. But still, that is an awful lot of content to judge.

I think there is a bigger question that many of the commentators aren’t really addressing: do we really want an online town square? The comparison doesn’t really work when millions of people are shouting to be heard, or in places in the world that are under the grip of authoritarians. It very quickly devolves from the marketplace of ideas to mob rule. DiResta spoke about the “high harm areas of online that are worth moderating,” which is a good way to look at this, especially given the absence of facts being spewed there and how they are amplified and become part of the conversation offline.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI) that began in 2014 and has been expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.