About a month ago, Twitter removed its policies blocking Covid misinformation. This has led to the spread of various flights of fancy, many of which are dangerous if taken seriously. We all know why this was done and by whom. I have written about this topic before in 2020 in this blog post that I urge you to review. Sadly, the situation has gotten worse.
Today in the NYTimes is an article about how misinformation continues to spread across social media. This prompted me to examine the Covid policies of various social media platforms. Let’s take a look at them.
Interestingly, Facebook has the most specific policy set here, running to more than 4,000 words. They address specific false claims (I won’t repeat them here but it is a depressingly long list) and how the content can create potential harm to its users in the real world. The aim is to “reduce the distribution of content that does not violate our policies but may present misleading or sensationalized information about vaccines in a way that would be likely to discourage vaccinations.” That is an important point. One thing that I didn’t like was the way the policies were presented, with web links to other policies (such as bullying and hate speech) that are relevant but make the whole set hard to track and digest.
YouTube has its policies here. Not quite 1500 words, it still goes into specific details about what content isn’t allowed. Again, I am not going into any details but some of this stuff — as with Facebook’s recitation — is just bonkers. Also in the policy is a description of the consequences if you do post this content. That is perhaps the most useful element: three strikes within 90 days and your channel is “terminated.” None of the other platforms have this spelled out.
TikTok has the least helpful information here. Their community guidelines page has no mention of Covid, and this link (which is really more of a press release) is short on specifics.
Whether or not you agree with how and what the social platforms should do about Covid misinformation, the fact remains that vaccines — especially the Covid ones — save lives, and have lessened the impact on those who have gotten the virus. And spreading false claims about what can protect you from disease is just another way for things to “go viral,” sad to say.
One of the longest-running and more lethal malware strains has once again returned to the scene. Called Emotet, it started out as a simple banking Trojan when it was created in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MummySpider. Emotet malware is back in the headlines and continues to be one of the most significant threats facing companies today. In this review for A10 Networks, I describe what it is, how it works, and how to defend against it using a combination of network and security tools.
Bruce Schneier’s work has withstood the test of time and is still relevant today.
If you’re looking for recommendations for infosec books to give to a colleague – or even to catch up on some holiday reading of your own – here’s a suggestion: Take a closer look at the oeuvre of Bruce Schneier, a cryptographer and privacy specialist who has been writing about the topic for more than 30 years and has his own blog that publishes interesting links to security-related events, strategies and failures that you should follow. In my blog post for Avast today, I review some of his books.
The 38 member countries of the Organization for Economic Cooperation and Development (OECD) have recently adopted a new international agreement regulating government access to its citizens’ private data. The OECD draws its membership from countries on several continents, including the US, Israel, Japan, Chile, the Czech Republic, and the UK. The document was released with the rather ungainly title of the “Declaration on Government Access to Personal Data Held by Private Sector Entities.”
There are seven common principles that were adopted, all in the interest of serving the free flow of data across country borders and promoting trust between citizens and their governments.
You can read more on my post for Avast’s blog today.
A July 2022 survey of 300 U.S. Department of Defense (DoD) IT contractors shows a woeful lack of information security in the majority of situations. These contractors are part of the DoD’s supply chain that, in typical government speak, is labeled the Defense Industrial Base (DIB). The report should be a warning even for those technology contractors that don’t do any DoD work, as I explain in my latest blog for Avast.
Last week, an international group of law enforcement agencies took down one of the biggest criminal operators of a spoofing-as-a-service enterprise. Called iSpoof, it collected more than $120M from victims across Europe, Australia, Ukraine, Canada, and the United States. During the 16 months of the site’s operation, the group took in more than $3.8M in fees from its victims. In my blog for Avast, I summarize what happened, why this gang was so significant, and how spoofing has gotten more advanced over the years since those early days when Paris Hilton spoofed her friend’s cellphone.
With the reinstatement of previously banned Twitter luminaries including Donald Trump and Kathy Griffin, this is a good time to do further research into the role of social media in our public discourse. The recent book by Max Fisher, The Chaos Machine: The Inside Story of How Social Media Rewired Our Minds and Our World, should be on everyone’s reading list. His book documents the rise of social networking for the past decade and shows its highly influential role in society. Fisher is a reporter for the New York Times who has covered its effects for many years.
I review his book for my blog for Avast here. I highly recommend it, even if you think you have been following the evolution — some would say the devolution — of social media.
One solution is from Google’s Jigsaw unit, which has a couple of experimental tools freely available, such as the Tune browser extension that can be used to filter the most toxic discussions.
Network security starts with having a well-protected network. This means keeping intruders out, continuously scanning for potential breaches and malware, and flagging attempted compromises. One of the biggest threats increasing in popularity is a very specific type of attack, the distributed denial of service (DDoS) attack. These attacks are targeted at your internet servers, including web and database servers, and are designed to flood them with random traffic so that the servers can’t respond to legitimate users’ queries. They are very easy to mount, and without the right tools, very hard to prevent.
This post was part of the A10Networks glossary and can be found here.
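The glossary entry above describes the symptom of a DDoS (a flood of traffic from many sources that starves legitimate users) but not how a defender would spot it. The following is an added example, not code from the original post or from A10 Networks: it buckets web-server requests into fixed time windows and flags windows whose request rate exceeds a threshold, distinguishing a flood dominated by one client from the distributed pattern where no single source stands out. The log format, thresholds and traffic are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def parse_line(line):
    """Parse one constructed '<ISO-8601 timestamp> <client ip> <path>' log line."""
    ts, ip, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), ip, path

def detect_floods(lines, window_s=5, rate_threshold=20.0, single_source_share=0.5):
    """Bucket requests into fixed windows of window_s seconds and flag any window whose
    request rate (req/s) exceeds rate_threshold. If one client accounts for at least
    single_source_share of the window it is a single-source flood; otherwise the load
    is spread thinly over many clients, which is the 'distributed' signature of a DDoS
    and the reason per-IP blocking alone does not stop it."""
    per_window = defaultdict(Counter)  # window start (epoch seconds) -> Counter(ip)
    for line in lines:
        ts, ip, _ = parse_line(line)
        start = int(ts.timestamp()) // window_s * window_s
        per_window[start][ip] += 1
    findings = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        rate = total / window_s
        if rate < rate_threshold:
            continue  # normal load for this window
        top_ip, top_n = counts.most_common(1)[0]
        kind = "single-source flood" if top_n / total >= single_source_share else "distributed flood"
        findings.append({"window_start": start, "rate": rate, "sources": len(counts),
                         "top_ip": top_ip, "kind": kind})
    return findings

def constructed_log():
    """Constructed sample traffic (not real data): 30 s of normal browsing from 2 clients,
    then a 5 s burst spread across 50 clients, then a 5 s burst from a single client."""
    t0 = datetime(2022, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(30):
        for k in range(2):
            lines.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} 10.0.0.{k + 1} /index.html")
    for sec in range(30, 35):
        for k in range(50):
            lines.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} 198.51.100.{k + 1} /search?q=x")
    for sec in range(35, 40):
        for _ in range(60):
            lines.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} 203.0.113.7 /login")
    return lines

if __name__ == "__main__":
    for f in detect_floods(constructed_log()):
        print(f)
```

Tuning the rate threshold against a baseline measured from your own normal traffic is what makes this useful; the constant here only fits the constructed sample.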
AI is a double-edged sword. It has enabled the creation of software tools that have helped to automate tasks such as prediction, information retrieval, and media synthesis, which have been used to improve various cyber defensive measures. However, AI has also been used by attackers to improve their malicious campaigns. For example, AI can be used to poison ML models and thus target their datasets and steal login credentials (think keylogging, for example). I recently spent some time at a newly created Offensive AI Research Lab run by Dr. Yisroel Mirsky. The lab is part of one of the research efforts at the Ben Gurion University in Beersheva, Israel. Mirsky is part of a team that published a report entitled “The Threat of Offensive AI to Organizations”. The Offensive AI Research Lab’s report and survey show the broad range of activities (both negative and positive) that are made possible through offensive AI.
You can read my latest post for Avast’s blog here.
Qualys’ annual security conference returned to a live-only event this week at the Venetian Hotel in Las Vegas, and the keynote addresses started things off on a very practical note… about selling coconuts, toasters, and carbon monoxide detectors. The first two keynotes featured speeches from both Shark Tank celebrity businessman and CEO of Cyderes, Robert Herjavec, and Qualys’ President and CEO, Sumedh Thakar. Both spoke on a similar theme of qualifying and quantifying digital cyber risks.
I am doing near-time blogging of their show, and this was the first of a series of posts.
The second post was a recap of the first day’s events, and included highlights from some of their customers and product team as they took a deeper dive into TotalCloud.
The third post profiled the special launch of the Qualys Threat Research Unit, showing some of its research and how it compiles threat intel and works with various industry bodies to share this data.
The next post highlights some of Qualys’ customers who came to the event to tell some of their stories about how their companies have benefitted from their products.
My final post recaps the second day of the conference sessions and some of the more interesting aspects of various Qualys products.