Avast blog: Beware of SEO poisoning

Holy SEO Poisoning Attack Example: SolarMarker Malware - Blog | Menlo  Security

Getting infected with malware isn’t just clicking on an errant file, but it usually occurs because an entire ecosystem is created by attackers to fool you into actually doing the click. This is the very technique behind something called SEO poisoning, in which seemingly innocent searches can tempt you with malware-infested links. The malware chain begins by an attacker generating loads of fake web content that are intended to “borrow” or piggyback on the reputation of a legitimate website. The fakes contain the malware and manage to get search results to appear higher on internet search engines. In this post for Avast’s blog, I describe the practice and offer some tips on how to steer clear of this problem.

These two political opposites can agree on these five things

By David Strom and David Strom  

No you are not seeing double: we are two different people. Democrat David Strom and Republican David Strom. 

Having a well-worn internet presence means that after some time, you get to meet some of your namesakes. Since both of us are authors (Minneapolis David is a Republican who writes on conservative political topics. And as you know me — St. Louis David — as a Democrat who writes about business technology), we thought we would jointly pen a blog post about things that we can both agree on — and where we diverge as well — for our respective audiences. We found these five broad topics.

1) A path towards legal immigration

We both agree that our immigration laws should be updated to allow for a legal path towards citizenship for those who come to our country. That leaves plenty of daylight between us in terms of how this will be implemented, but both of us aren’t happy with the current situation. 

Minneapolis David: It’s not just a truism that immigrants built this country–they continue to make enormous contributions to America. But you can have too much of a good thing, and as we have seen open borders have created a crisis that is splitting this country apart. It’s time to get control of our border and a consensus on the number of immigrants the country can import without causing social distress. 

St. Louis David: I was surprised when I learned how few countries offer birthright citizenship. We need some consistent policy among the various government branches and across federal, state and local authorities. Wishful thinking, I know.

2) Respect for the rule of law and individual decency

BOTH DAVIDS: Calling for the overthrow of our government by anyone shouldn’t be tolerated. The same holds for threatening law enforcement members, or members of Congress, or really anyone for that matter. We should tolerate people of different points of view — one of the reasons why we are jointly writing this blog post. (Democrat David is married to a conservative Republican, BTW.) And by tolerate we mean being able to disagree without the threat of any violence on that person.

Talk of a civil war–and the increasing number of violent incidents related to political disagreements–make solving real problems nearly impossible. Distrust begets distrust. Neither of us have any idea how to solve the problem, but we need to get a handle on it. Political leaders need to take the first step to calm down the rhetoric. 

3) Understanding the role played by the First Amendment and freedom of speech

Until this year, this amendment only applied to government entities. Now we have two court rulings in Texas and Florida that have different interpretations when it comes to the role of social media and how freedom of speech protections should apply. We both deplore and avoid hate speech.

St. Louis David: Regardless of how these cases play out, all of us should be allowed to say what we want, as long as we aren’t promoting violence on a particular group.  

Minneapolis David: Maybe I read John Stuart Mill at an impressionable age, but I have long believed that the more you suppress ideas, the more disastrous the outcome. Let people speak. Some people will say things that are wrong, stupid, or just different from what you think is responsible. A lot of people will think the same of you. Deal with it. 

4) Importance of science research and respect for the scientific method

St. Louis David: This should be easy. Those people who want to “do their own research” or criticize our scientists for explaining a particular result should fully understand the scientific method of testing hypotheses and running double-blind experiments. Part of respecting scientific research is believing that innovation is a key element of this activity, and accepting the role played by innovation in our society. We may differ on how our governments implement these results, however. Neil DeGrasse Tyson offers some sound advice in his latest book: “Do whatever it takes to avoid fooling yourself into believing that something is true when it is false,  or that something is false when it is true.

Minneapolis David: I agree with St Louis David, with a big “but.” I think that scientists have played a big role in the loss of trust in science. Science is about discovery. Its results are better or worse hypotheses. The goal is truth, but we can only approximate the truth asymptotically (look it up!). Scientists need to project more humility, or their mistakes will only undermine confidence. Example: nutrition science, where it seems like they get it wrong all the time, but with great confidence. 

5) Respect for life 

Both of us agree that we should respect life, which we hinted at above. But we realize that we all might have different definitions of what constitutes the precise moment when we think it begins or ends. Polling shows that there is ample room for reasonable compromises. 

St. Louis David: I believe that our government should allow women to choose, and not make their choices a criminal act. 

Minneapolis David: I consider myself “pro-life” in the sense that you know it. I also understand that there are legitimate differences about how we can best determine when life begins. We need to get beyond shouting at each other and have serious discussions, not shouting matches. 

One final note on something we can also agree on: both of us are Mac/iPhone users, and both of us have re-invested in Apple products this past year. 

KYC — Know your customer

KYC – Know Your Client – Argos KYC – ARGOS KYCTwice this week I have run into issues involving KYC or know your customer policies, and both were rather odd circumstances. I am preparing to go visit my family in Israel, and this time around I am purchasing an eSIM or virtual SIM card for my phone. Before I could do so, however, I had to upload a photo ID and my own portrait to verify that I am indeed a real person. The process was very smooth and just took a moment to get it all organized.

The second KYC moment happened as part of being onboarded for a new client. (Don’t you just love that term? It seems like it is almost as painful as waterboarded.) I got a strange email from someone in India, who was asking me to get on a Zoom call to verify that I am who I said I am. Now, I had never corresponded with this person, and my contact hadn’t prepared me for the email. So I fired off my own email to my contact to do a bit of my own KYC intelligence.

I don’t fault them for being careful. Things aren’t what they appear to be these days. Remember my blog post from earlier this year about inadvertently hiring North Korean developers? I was reminded of this from a recent post by Brian Krebs about fake CISOs that are on LinkedIn. What is worse is that these phonies have made their way to one publication’s “top CISO” list. You can’t vet people enough. Many of the job descriptions on LinkedIn were clearly lifted from real people. Krebs suggests that LinkedIn could make things easier by including a “freshness” date when the profile was first created, which is something that Twitter does.

Finding authentication in interesting places

What does baseball memorabilia have to do with the recent Uber hack? It turns out both depend heavily on authentication. I wrote about the latter for Avast here. The hacker — who claimed to be from Uber’s IT department — set up a man-in-the-middle portal that tricked an Uber contractor into revealing his authentication credentials. This is the same person, or group, that also broke into a gaming studio recently. The contractor did have multifactor authentication enabled, but wasn’t paying attention and the hacker was able to fool them into entering the credentials.

And this week Microsoft researchers found other hackers using malicious OAuth applications were compromised because they lacked any multi-factor authentication credentials.

Authentication — proving you are who you say you are — figured large in a series of emails that I had to regain control over my wife’s website. I had to show both a government picture ID and that I had some financial responsibility over the account. As if that wasn’t enough, I started reading this piece in the NY Times about how Major League Baseball authenticates the items used in its games. Remember how you could just catch an errant fly ball or better yet, one used for a home run? Well, MLB has made some effort to ensure that the ball so used is actually legit, using a chain-of-custody process (off-duty cops collect the items and certify them) along with special tamper-proof holograms that are placed on the objects used during its games.

The Times piece mentioned that lots of stuff gets authenticated, particularly at the end of a season or when a player is about to break a record. These include not just the bat and ball but shoe spikes, gloves, the actual bases, uniform clothing and even the dirt on the infield and decommissioned Shea Stadium seats. Our home team favorite, Albert Pujols, will have specially-marked balls pitched to him for the rest of the season as he climbs the home run chart. About half a million items used in the games a year are authenticated, according to MLB officials.

MLB began using holograms back in 2001, according to this webpage, and this year improved on the tags. They are placed on a variety of memorabilia objects and licensed MLB products, each with a unique code that can be looked up on that page (or on the page of tech supplier, Authenticators Inc.) to determine if it is authentic. (The MLB page returns the status in the URL with the code explicitly listed, which probably means it could be subject to an injection attack, but what do I know?)

The tags are produced by OpSec Security, which also does tags for a wide variety of manufacturing vendors (such as used by GM Europe to insure that genuine parts are sold).  If you try to remove the tag, the hologram is unreadable. Of course, this means your souvenir has this tag on it, but I am guessing that most collectors would rather have the assurance that their item is the real thing.

While Uber’s next step to up their authentication ante will most likely be to use FIDO2 tokens and passkeys, maybe they need a few MLB umpires and off-duty cops to get involved in auditing their authentications.

Nicki’s Central West End blog: Coding camps in the neighborhood

I live in an area of St. Louis called the Central West End, and we are fortunate to have not one but two world-class computer coding training facilities located here: Launchcode and Claim Academy. Both have been in operation for several years and have trained numerous programming professionals through some innovative instruction techniques and by focusing on non-traditional sources for their students. By non-traditional, I mean classes designed for people that have little or no formal programming experience and who want to make a mid-course career correction. In this post for a local blog, I describe their programs, their cost, and their advantages in training newbie programmers.

If you are interested in a programming career, you might want to first read a blog post that I wrote many years ago on how to pick the right online class for Computerworld. I cover things such as knowing what type of learner you are (visual, auditory, etc), figuring out if you have the necessary bandwidth to devote to the classes, thinking about what other support you will need besides the lectures, and understanding what learning programming skills really means.

Avast blog: Your out-of-date medical device could be leaving you vulnerable

Roughly a third of all connected devices have insecure defaults, such as no or weak password protection or poor software design, that make them ripe for exploits.

Last week, the FBI’s Internet Crime Complaint Center issued a public warning claiming that they have “identified an increasing number of vulnerabilities posed by unpatched medical devices.” They stated that these devices, such as insulin pumps and pacemakers, are running outdated firmware. They also lack adequate security features, meaning that hackers could change device settings and create dangerous conditions for the patients who literally depend on them. All of this isn’t a new problem, but the FBI’s notice is a good reminder of how law enforcement might focus its attention in this area. There is more to this story, read my blog post for Avast here.

Avast blog: How Uber was hacked — again

Last week, an 18-year old hacker used social engineering techniques to compromise Uber’s network. He compromised an employee’s Slack login and then used it to send a message to Uber employees announcing that it had suffered a data breach. Uber confirmed the attack on Twitter within hours, issuing more details on this page.

CSO went into details about how the attack happened.

The company claims no user data was at risk, they have notified law enforcement, and all of their services have been restored to operational status. In this post for Avast, I explain what happened and suggest a few lessons to be learned from the experience on how to prevent a similar attack from happening to your business.

Book review: Mother Daughter Traitor Spy

The novel tracks pretty closely to the real-life mother/daughter duo that lived in LA in 1940 and spied on a group of American Nazis who were organizing various meetings and propaganda efforts before we officially entered WWII. The two infiltrated the group, taking notes and names and eventually providing the details to the FBI. What is interesting about this story is how many parallels we have with present-day America, and the power of disinformation and hate to polarize and energize the general public. The mother/daughter duo — who have German heritage — have various adventures as they try to keep up appearances and convince the Nazis that they are genuine sympathizers, even though they want nothing to do with them. Coming on the heels of the new Ken Burns documentary about American’s role during this period, it presents some thought-provoking choices that were made.

Using Data Theorem’s Cloud Secure to protect cloud native applications

We tested Data Theorem’s Cloud Native Application Protection Platform called Cloud Secure in September 2022. Cloud Secure provides two major advantages:

  • It includes extensive and free CSPM protection to any customer
  • It automates cloud hacking with its Hacker Toolkits. These automate full-stack attacks of popular data breaches. This option starts at $4000 for an annual subscription.

Cloud Secure is one of five products that make up a CNAPP solution that offers a full stack security approach to all  their cloud-based applications. With full stack security, customers can visualize and take action on all their first and third-party APIs, cloud resources, mobile, and web applications built on cloud-native services. Data Theorem has a central analysis, policy and reporting engine that works across its product line. They protect workloads on Amazon Web Services, Google Cloud Platform, Kubernetes clusters and Microsoft Azure clouds.

Cloud Secure is available Cloud Secure is available for a 30-day free trial, and can be purchased from the three major cloud marketplaces, with full pricing details available here.

CSOonline: CNAPP buyer’s guide

Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms. Enter the Cloud Native Application Protection Platform or CNAPP. IT managers are looking for a few basic elements from these products, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventable controls.

cso cnapp vendors tableEven still, that is a lot of software to manage, integrate, and understand. However, almost none of the products that claim to be CNAPP have a full set of features that incorporate all four of these categories. In this post for CSOonline, I explain the landscape and show you how to navigate amongst the contenders.