Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone, are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (for example, a reused one that has already been leaked in another breach), your account is still secure because the attacker does not have this additional secret. Is MFA slightly inconvenient, and does it require some additional effort to log in? Typically, yes.
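As an added illustration (not code from the Avast post), here is a minimal login check that requires both a password and a time-based one-time code of the kind the Authy app generates (RFC 6238 TOTP): knowing the password alone is not enough. The secret, salt and password hash are constructed demo values, and `verify_login` is a hypothetical helper.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values; a real service generates a fresh per-user secret at enrolment.
TOTP_SECRET = b"12345678901234567890"   # the RFC 6238 reference-vector secret
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_login(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Accept only when BOTH factors check out; a leaked password alone fails."""
    if unix_time is None:
        unix_time = int(time.time())
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, PASSWORD_HASH)
    # Tolerate one step of clock drift either side, comparing each candidate in constant time.
    code_ok = False
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(TOTP_SECRET, unix_time + drift * 30), code):
            code_ok = True
    # Both factors are evaluated before the decision so timing does not reveal which failed.
    return password_ok and code_ok
```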

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Network Solutions blog: Cost-effective ways to improve your network bandwidth

As more of us work from home, we need to ensure more consistent and better bandwidth connections. By better bandwidth, we mean applying one or more of three cost-effective methods that can boost your Wi-Fi signal, reduce network latency, and improve your wireless throughput. To figure out which method or methods will work best for you, there are some simple tests you can perform before you go shopping for new gear, including a new home router or a better Internet provider connection plan. You should periodically test your network bandwidth and throughput to ensure that you don’t have any bottlenecks, and don’t be afraid to change your provider to get something better.

You can read my blog for Network Solutions here.

Turkish tactics with blocking social media

Today in our Congress, the four executives of Big Tech (Cook, Zuck, Bezos and Pichai) will testify about their business practices. (You can watch this live or on demand here.) I have written previously about Apple’s issues with running its App Store here. ProtonMail’s Andy Yen has nicely summarized things from his perspective — as a vendor that is trying to make a living selling encrypted mail services. If you want a longer exposition, today’s NY Times has this handy reference piece that reviews the major issues.

Sorry to hit you with so many links but I wanted to get all that down. Who knows if Congress will act to fix things with Big Tech, but in the meantime we have gotten a preview with a potent counter-example. This week the Turkish government has issued new laws that are aimed at regulating all social media platforms with more than 1M daily users — meaning Facebook (including its WhatsApp and Instagram networks), Pinterest, Twitter, Telegram and YouTube. Basically, everyone.

The regulations call for each vendor to operate a local office in Turkey and store all Turkish data in a local data center. You can imagine the potential for abuse right there. The staff of each office will also be responsible for handling content-blocking requests from the government, and will need to respond within two days or risk huge fines. The new law is supposed to go into effect October 1. For several years, Turkey has been blocking all Wikipedia content — and only lifted this restriction in January. And they have been after Netflix as well, resulting in four productions closing up. Ironically, in the US, Netflix received a boatload of Emmy nominations this week. The Times cites one statistic that the government last year blocked more than 400,000 websites.

I wanted to see for myself what actually has been going on with Turkey, and I went to the various “transparency reports” produced by the Big Tech vendors. No doubt in today’s testimony these reports will be cited several times. The reason why I put them in quotes is because figuring out any meaningful information from these reports isn’t easy, as you might suspect. Each of the Big Four vendors has a different format (innovation is alive and well) that makes it difficult to compare them to each other. But to save you the effort, here are a couple of spreadsheet fragments so you can see for yourself. The quick summary: Turkey is at or near the top of the list of countries making the most requests to block content (it is number one for Twitter). For Twitter, as you see in this spreadsheet, the two columns account for removal requests by the courts (which could be politically motivated) and government-based requests, which you can see add up to more than 6,000, roughly a third of the total removal requests sent to Twitter over the last year.

Facebook has a similar spreadsheet, and Russia tops their list, but Turkey is in the top 15. Here is Google’s page of statistics for Turkey. Overall, since 2009, the Turkish government has submitted more than 12,000 requests to remove items. But it is hard to compare them with other countries unless you bring up the separate pages, and when you do that you see different ways to display the data by country that make any comparison impossible. Apple’s page on Turkey can be found here. Again, the design of this report makes it hard to compare countries, but it looks like Germany is the top place to remove content, no matter which metric you use.

Turkey is far from an open democracy, as I am sure you realize. My point here is that while this recent legislation is poorly designed (and will no doubt be challenged and could be modified before it actually takes effect), it should serve as a warning for our government to try to do the right thing, however you want to define that. I wish our Congress a lot of luck, especially trying to do this in an election year. In the meantime, have fun trying to interpret all these numbers and making sense of them.

Avast blog: Why Emotet remains an active threat

One of the longest-running and most lethal malware strains has once again returned to the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER. What made Emotet interesting was its well-crafted obfuscation methods. Proofpoint posted this timeline:

Over the years, it has had some very clever lures, such as spam emails containing either a URL or an attachment that purport to deliver a document in reply to existing email threads.

You can read more on Avast’s blog here.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is, surprisingly, our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

How cybercrime has become boring work

To those of us who have seen one of the classic cybercrime movies, hackers are usually social misfits with an ax to grind and come with plenty of attitude. A new academic research paper takes issue with this profile, and indeed its title is somewhat intriguing: Crime is boring. Let’s take a closer look.

The paper begins by describing how cybercrime has shifted to more cloud-based specialized and subscription services, mirroring the general direction that has happened in the legit IT world. Several years ago, cybercriminals sold their malware — now you can find just about anything for free on open-source marketplaces — again, mirroring this general trend in the legit world.

But as the tech has evolved, so have the units of work done by the typical cybercriminal. These jobs are very similar to maintaining the back-office infrastructure of an insurance company or any global business. The majority of people involved in cybercrime are doing the grunt work, such as evaluating different online services, running various scams and acting as resellers. In the past, cybercriminals could be found on dial-up BBSes or IRC channels. Now they populate Discord, Telegram and other online chat groups.

As a result, the researchers from the University of Cambridge (UK) Cybercrime Centre have found that “there has been a change in the kind of work involved in the typical cybercrime economy.” Far from the exciting dramas depicted in the hacker movies, much of the work has become fairly routine and even dull, “the underground equivalent of a typical office job.” Or at least the office jobs that we once had at the beginning of the year.

The research involves interviewing admins who operate a variety of cybercrime services, such as booters and stressers (which form the underpinnings of denial-of-service attacks). One person was quoted as saying, “Creating a stresser is easy. Providing the power to run it is the tricky part.” They describe three malware situations in more detail: the botnet herders, the evolution of the authors of the Zeus banking trojan, and underground marketplaces hosted on the dark web. The booter services have something in common with legit web services: they need a solid customer-facing portal to track users, collect payments and manage the actual attacks. Some of these booters operate more than a dozen different websites that need to be maintained, configured and tested for continual operation. This often means a substantial investment in customer support, such as running a problem ticketing and tracking service or real-time text chat. Sound familiar?

The research pulls together a set of eight key features of the unknown cybercrime worker, ranging from support for broader illegal activity to diffusing risk and maintaining stability and transparency of the criminal infrastructure. I have never thought about cybercrime in this fashion, and it made for some interesting reading. The authors also mention that the often-publicized crackdowns on online criminals can “in fact unite communities, giving them a common sense of struggle and persecution” and purpose. Perhaps a different strategy of having law enforcement interventions that focus on the economics of boredom and encouraging burnout could be a viable substitute instead of the “whack-a-mole” current approach.

Network Solutions blog: How to Secure Mobile Devices from Common Vulnerabilities

The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse and, of course, we mean your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control and some not. These mobile malware efforts aren’t new. Sophos has been tracking them for more than a decade (see this timeline from 2016). There are numerous examples of attacks, including fake anti-virus, botnets, and hidden or misleading mobile apps. If you want the quick version, there is this blog post for Network Solutions. It includes several practical suggestions on how you can improve your mobile device security.

You can also download my ebook that goes into more specific details about these various approaches to mobile device security.

How to minimize your cyber risk with Sixgill

In this white paper sponsored by the security vendor Sixgill, I explain why the dark web is such a critical part of the cybercrime landscape, and how Sixgill’s product can provide cybersecurity teams with clear visibility into their company’s threat landscape along with contextual and actionable recommendations for remediation. I cover the following topics:

  • How the dark web has evolved into a sophisticated environment well suited to the needs of cybercriminals.
  • What steps these criminals take in the hopes of staying hidden from cybersecurity teams.
  • How Sixgill uses information from the underground to generate critical threat intelligence – without inadvertently tipping cybercriminals off to the fact that an investigation is underway.
  • Why Sixgill’s rich data lake, composed of the broadest collection of exclusive deep and dark web sources, enables us to detect indicators of compromise (IOCs) before conventional, telemetry-based cyberthreat intelligence solutions can do so.
  • Which factors businesses and organizations need to consider when choosing a cyber threat intelligence solution.

You can download my white paper here.

Avast blog: Your guide to safe and secure online dating

Recently, five different dating sites have leaked millions of their users’ private data. The sites cover users from the USA, Korea and Japan. On top of this, a variety of other niche dating apps (such as CougarD and 3Somes) had data breaches of their own in May that exposed hundreds of thousands of users’ profiles, including photos and audio recordings. This latter event occurred thanks to a misconfigured and open Amazon S3 storage bucket. Thankfully, the owner of the account quickly moved to secure it properly when they heard from security researchers. We haven’t heard much about dating site breaches since private data from some 30M Ashley Madison users was posted online in 2015.

In this time of the pandemic when more of us are doing everything we can online, dating remains a security sinkhole. This is because by its very nature, online dating means we eventually have to reveal a lot of personal information to our potential dating partners. How we do this is critical for maintaining both information security and personal safety. In this post for Avast’s blog I provide a bunch of pointers on how to do this properly and provide my own recommendations.

Tales of IT bottlenecks in these Covid times

Having worked in IT for several decades, it is always interesting how past tech choices have come back to thwart us, showing weaknesses in our infrastructure and how the word legacy is often used pejoratively in our field. Consider the lowly fax machine, which many of us have not thought about in years.

In the early 1990s if my memory serves me, we had plug-in modem cards for PCs that also supported sending and receiving faxes. These were eventually replaced with technologies that could be used to transmit faxes across the Internet. (That link is woefully outdated and many of those vendors have gone away. Sorry! But at least you have some historical record to understand the context.) Why am I talking about faxes?

The NY Times recently posted this story about how the fax machines located in many public health offices are the latest bottleneck in our response to the pandemic. There is a photo included in the post of a pile of faxes taller than I am produced by one of these machines, located in a Houston office. This shows how we can have all the latest and greatest digital technology we want, but then things break with something that we have since forgotten about, like the fax machine. Humans will have to review all these faxes and try to sort things out, often re-entering the data and searching for missing elements, such as details on the actual patient who was tested.

As someone who has had my own health challenges (although not Covid-related, at least not yet and hopefully not ever) over the past few months, I have come across a few digital bottlenecks myself. At my last hospital visit, I had to wait around for more than an hour for my appointment for a very frustrating reason: my appointment wasn’t entered correctly “into the system” and the only way I could be seen and treated was for the staff to get hold of someone at Epic support to clear my appointment and then have it re-entered. No one at the hospital IT department could do this, apparently. Epic is the electronic medical record (EMR) provider of my hospital and for reference their motto is “the patient at the heart.” Yes indeed.

Let me tell you another digital bottleneck that I experienced. I was very careful to pick my treatment with a doctor that had experience with the particular surgery that I required and that I could communicate with readily using the Epic messaging portal, which they brand as MyChart. Often he answered my inquiries within minutes after I posted them to the portal. As a result, I have gotten very familiar with the MyChart portal and have used it frequently during my treatment over the past several months.

I have learned over the years that doctors who are digital natives, or at least comfortable with the technologies that I use (email and the web), are those doctors that I want to treat me. But when I had complications from surgery that required other doctors to get involved in my treatment, I was really at their mercy. Often all I had was a phone number that would page someone on call, if I had a problem that needed help in off-hours. I wasn’t prepared for that at all. It was frustrating because I went from a position where I was quite comfortable with the level of communication with my primary surgeon to going back to pre-Internet, 1960s-era tools for my care. It was almost as if we were faxing each other.

These problems and bottlenecks have a simple root cause — we as a country made some bad decisions years ago about how patient data is stored, protected, and disseminated. While it is true that few of us could have foreseen the pandemic, these past decisions have cast a long shadow. In our rush to assign blame for what is happening with the virus now, we should remember that some of these past decisions could have been made differently to lessen the impact today.

When fax tech was going out of style in the late 2000s, I wrote this post for Baseline Magazine about some of the lessons learned from the fax machine. There are four important ones that bear repeating:

  • Interoperability matters.
  • Simplicity matters.
  • Real-time communication matters.
  • Privacy matters.

If we examine the fax breakdown during the pandemic, we can see these four lessons are still very much relevant. I ended my column by saying, “So the next time you have to build a new application, consider the lowly fax machine and what it does right. Take these lessons to heart, and you will have a leg up on building better and more useful applications.” Maybe we can finally learn these lessons to be prepared for the next pandemic.