Avast blog: Should you just walk away from Amazon’s “Just Walk Out” tech

If you’ve been following Amazon’s move towards having physical storefronts, you probably have seen the news about a series of different types of retail stores they have created, including bookstores, grocery stores, general merchandise stores, and shops selling prepared food. Add to this along with the fact that they’ve owned Whole Foods Markets for the past four years. In my blog post for Avast, I take a closer look at the way that these Amazon outlets collect customers’ money, how they access their data, and some of the privacy implications tied to Amazon’s “Just Walk Out” technology. These stores and technology take the collection of shopper data to the next — and perhaps creepier — level.

book review: Make it, don’t fake it (Sabrina Horn)

I’ve know Horn and worked with many of her staff for decades, since I am a freelance journalist that has written about many of her B2B enterprise technology clients.  Reading her book Make it, Don’t Fake It was part trip down memory lane, part catching up on key moments of tech history, and part appreciating her advice.

I think like many business books, the first half is strong and full of creative and great suggestions on how to become more authentic and more honest as a business leader. For example, she writes early on in the book “when you are first starting out, doing and being anything to win business is tempting and also dangerous.” I liked that she poses the question, ”Am I ready to become a business founder?” and that you need to carefully consider the exact role that you want to play in your company. She takes you through a process to disarm your fears and minimize the risk of starting your business with a series of exercises that are well worth studying. But you need the practice and the patience to do the work – if you didn’t think similar items in “What Color is Your Parachute” were for you, then this book’s advice is wasted.

Horn also gives an analysis of the common traits in the best and worst employees she has hired over the decades, something that I as a manager can relate to. For example, people who could do things that she couldn’t, and respected my authority as a boss. (I once had an employee who refused to acknowledge that simple fact, and while he was very smart, he was impossible to manage.)

Ultimately, the “hardest thing about building a great brand is keeping it that way,” and she goes on to suggest ways to investigate initiatives for both business expansion and contraction while listening to your customers and your staff carefully. And running a postmortem exercise after every time you make a big mistake or fail to get some important client.

Horn comes down on the tech bro culture, but she could have strengthened and sharpened her analysis and made it more relevant, especially in this hyper-woke world where culture can be tricky to navigate. And as this tweet proves,  “online a lot of people benefit from appearing to be friends so that they can push their brand. I don’t have it in me to be fake and play those kinds of games.” There are many dimensions to being authentic, indeed.

Book review: A Dark and Secret Place

The copycat serial killer on the loose is a common plot point, but this horror/thriller takes things a step further. Some of the steps I can’t reveal without spoilers but let’s just say this novel has some very strange stuff going on and it plumbs the depths of psychosis of several of its characters. The POV is from the daughter who has found out her mother killed herself, and she tries to figure out what happened. The two were never very close, and the death brings out many life moments that were swept under the rug and placed into dark reaches of her memories. While I am not a big horror genre reader this book worked for me as a pure thriller and mystery. The characters ring true and of course the bodies begin to pile up as the copycat killer continues to strike. Highly recommended.

Finding the right VPN isn’t so simple

Never has some imperfect corporate memory been so public before now. In recent testimony before Congress, the CEO of Colonial Pipeline admitted they had forgotten about an old VPN connection that the hackers had found and exploited. “It was an oversight,” he said. I was amazed at this revelation. Yes, we all forget about things, but this was a biggie. You might recall that a few years ago Avast had an unauthorized access to an unused VPN account.

This reminded me of my own “oversight.” Turns out I had created a second user of my password manager, something that I had setup years ago and never used. This username didn’t have the appropriate password and multi-factor protections. Even within my small company, it is easy to lose track of things.

But being forgetful is just one of several different VPN problems. If you are going shopping for a VPN, you need to consider this. Some VPNs have very good digital memories and are keeping track of your digital movements, even though they claim not to log or store your data. This could be caused by the vendors who are deliberately harvesting their customers’ data. If you aren’t paying for your VPN, chances are good that is how your VPN vendor is making money.

There is another issue, that some VPNs aren’t very well constructed and contain coding errors or make use of sub-standard encryption protocol implementations. This happened several years ago, when hackers found their way into NordVPN, TorGuard and VikingVPNs. PulseSecure VPN has had its share of problems for several years, including a recent hack that enabled back doors.

Some VPNs have the potential for leaking DNS data and IP addresses of their users. Last year, a series of reports were published (one by VPNcrew, the other by VPNmentor), that demonstrated that potentially 20M users have had their private data leaked in this way.  Not helping matters is that some of the VPNs deliberately hide their corporate ownership details to disguise the fact that they have shady origins.

So how to fix this? First, find out if your VPN vendor has paid for an independent audit. McAfee’s TunnelBear, for example, does regular security audits of their code and publishes the results. My VPN of choice is ProtonVPN, which also publishes its audit results and takes things a step further by publishing its source code too. There are other open-source VPNs too.

Second, you should understand the testing rubics that the major computer publications use in their VPN ratings. If you are ready for a deeper dive, here is a detailed explanation of how rigorous your tests need to be and suggestions for testing tools. There are various tests including the DNS Leak Test and the IPLeak test. If you want to do these tests yourself, compare the output when not using any VPN to what they show when you turn on the VPN.

And you might want to review your own infosec posture, and track down “forgotten” accounts that you have created that have fallen by the wayside. You never know what you might find.

CSOonline: CSPMs explained

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

I discuss the importance of CSPMs and what you need to know to evaluate one of them for your particular circumstances in my CSOonline post.

 

Avast blog: Reimagining staffing in the cybersecurity industry

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years.

You can read my analysis of their report here on Avast’s blog.

Avast blog: Time to walk away from Amazon’s Sidewalk

Amazon is releasing a new service called Sidewalk, which allows people to share their wireless network with their neighbors over a low-power Bluetooth mesh network. If you want to read more, The main benefit would be expanding the WiFi coverage for low bandwidth devices.  Amazon explains that Sidewalk would enable outdoor devices such as security cameras and smart lamps to stay connected even when wifi connection is lost as they are often at the edge of a home’s wifi coverage.  Additionally, this service can be used for Tile trackers to locate valuables.  While the service is free, there are serious privacy concerns. I’ll tell you why you should walk away in my latest blog for Avast here.

 

CSOonline: Hacking 2FA: 5 basic attack methods explained

Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it still is far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all and only 11% of enterprise accounts are protected by some MFA method. The pandemic was both good and bad for MFA uptake. I explain more about this, and touch on five ways that MFA can be compromised.

You can read more of my blog post for CSOonline here.

Book review: Chasing the Lion

54860446The workings of a counter-terrorism elite strike force are at center stage in this thriller. The team is threatened by a clever adversary who is taking advantage of the inauguration of a new president just days away. If this sounds like a story that is ripped from current events, it has plenty of realistic passages as the team struggles to figure out what is the exact nature of a threat that combines chemical weapons with potentially mind-altering drugs that could be dispersed across the Washington Mall the day of the inauguration. If you are a Clancy fan you will like the explanations of the military hardware and weaponry but there is a lot of spycraft to keep you entertained too.

Avast blog: The importance of equitable and inclusive access to digital learning

Schools continue to remain closed around the world. A UNICEF analysis last summer found that close to half a million students remain cut off from their education, thanks to a lack of remote learning policies or lack of gear needed to do remote learning from their homes. And as UNICEF admits, this number is probably on the low side because of skill gaps with parents and teachers to help their kids learn effectively with online tools.

While the situation has improved since last year and more kids are back in their actual classrooms, there are still critical gaps in math and reading skills and a wide disparity when country-wide data is compared. The equity/inclusion problem isn’t exactly new, but the pandemic has focused awareness and foreshadowed the obstacles. I discuss this in my latest blog post for Avast here.