Avast blog: The story of a video chat flaw uncovered by a teenager

You might have missed the news about a FaceTime bug that was found about a year ago. The bug enabled anyone to start a group FaceTime call with one of your contacts, even if that person didn’t explicitly accept the call. Apple disabled group FaceTime calls for a couple of days until it was able to issue a patch in iOS 12.1.4. Since then, Google security researchers have been busy finding the same bug in other group chat apps including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.

In my blog for Avast, I go into details about this bug, how a teenaged gamer discovered it, and how it was tamed.

Network Solutions blog: how to reduce privilege escalation vulnerabilities

One of the most popular attack methods in IT security starts with posing a simple question: how many places in your IT infrastructure have administrative access? Unfortunately, answering this question is anything but simple, but it can be instructive, because understanding administrative access is perhaps one of the most important ways to defend your business computing network.

Admin access permissions are the bane of all security managers because they can serve as the golden ticket for hackers to compromise your computers. Once attackers obtain this privileged access, they can worm their way into your network and create all sorts of havoc. This class of problems is usually labeled privilege escalation. Fixing it requires careful diligence, including locking down Active Directory permissions, using zero trust methods, and sandboxing applications.

You can read my blog for Network Solutions here.

What’s up with WhatsApp privacy (Avast blog)

Last month, I wrote about the evolution of Instant Messaging interoperability. Since posting that article, the users of WhatsApp have fled. The company (which has been a subsidiary of Facebook for several years now) gave its users an ultimatum: accept new business data sharing terms or delete their accounts. Among its billion global users, this was not received well, especially since some of their data would be shared across all of Facebook’s other operations and products. The change was announced through a pop-up message that required users to agree to the changes before February 8. The aftermath was swift: tens of millions of users signed up for either Signal or Telegram within hours of the news.

If you are interested in getting more of the details and my thoughts about whether to stay with WhatsApp or switch to Telegram or Signal, you should take a gander over on the Avast blog and read my post.

WhatsApp pushed off the change until May, which was probably wise. There was a lot of bad information about what private data is and isn’t collected by the app and how it is shared with the Facebook mothership. For example: while the change deals with how individuals interact with businesses, Facebook has shared, and will continue to share, a lot of your contact data amongst its many properties. What this whole debacle indicates, though, is how little most of us who use these IM apps every day really understand about how they work and what they share. My Avast blog tracks down the particular data elements in a handy hyperlinked reference chart.

The problem is that to be useful your IM app needs to know your social graph. But some apps — such as Signal — don’t have to know much more than your friends’ phone numbers. Others — such as Facebook Messenger — want to burrow themselves into your digital life. I found this out a few years ago when I got my data dump from Facebook, and that was when I deleted the standalone smartphone app. I still use Messenger from my web browser, which is a poor compromise I know.

Speaking of downloading data, I requested my data privacy report from WhatsApp and a few days later got access. There are a lot of details about specific items, such as my last known IP address, the type of phone I use, a profile picture, and various privacy settings. This report doesn’t include any copies of your IM message content, and was designed to meet the EU GDPR requirements. I would recommend you request and download your own report.

One of the sources that I found while doing the research for my blog post was a Consumer Reports article that walked me through the process of making WhatsApp more private. You can see the appropriate screen here. Before today, these items were set to “everyone” rather than “my contacts” — there is a third option that turns them off completely. This screen is someplace I had never visited before, despite using WhatsApp for years. It shows that we have to be vigilant always about our privacy — especially when Facebook is running things — and that there are no simple, single answers.

Never before have we had so many choices when it comes to communicating: IM, PSTN, IP telephony and web conferencing. We have shrunk the globe and made it easier to connect with pretty much anywhere and anyone. But the cost is dear: we have made our data accessible to tech companies to use and abuse as they wish.

Network Solutions blog: why are online containers so often unsecured?

In any given week, security researchers discover caches of data on cloud servers that are completely open to the public, usually containing the most sensitive information about a company’s customers. Leaks were found earlier this summer that revealed data coming from Avon as well as from Ancestry.com. This latter leak wasn’t the first breach for Ancestry — it had an earlier 2017 leak here. The problem is simple to describe and appears — at least at first glance — simple to fix. When you initially set up your online storage, you are asked who has access and what rights are accorded to each user. However, developers have hundreds if not thousands of containers to keep track of, and sometimes they forget to lock all of them down.
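The "forgot to lock one down" problem above is easiest to catch by auditing the access policies of every container in bulk rather than by eye. The following is an added example, not code from the Network Solutions post: it scans constructed S3-style bucket policy documents (the bucket names, account ID and IP range are made up) and flags any Allow statement that grants anonymous access without a scoping Condition.

```python
import json

# Constructed sample policies (not real buckets or accounts). One is locked to a
# role, one is wide open, one is anonymous but scoped by a source-IP condition.
SAMPLE_POLICIES = {
    "customer-exports": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "RoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}),
    "marketing-assets": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
    "partner-feed": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerIPs", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::partner-feed/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}),
}

def principal_is_anonymous(principal):
    """True if the Principal element means 'anyone' (either "*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_statements(policy_doc):
    """Return Allow statements open to anonymous principals with no Condition."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):      # a single statement may be given as an object
        stmts = [stmts]
    found = []
    for s in stmts:
        if s.get("Effect") != "Allow" or not principal_is_anonymous(s.get("Principal")):
            continue
        if s.get("Condition"):        # scoped access: not flagged here, review separately
            continue
        found.append(s)
    return found

def audit(policies):
    """Map each container name to the Sids of its unconditionally public statements."""
    return {name: [s.get("Sid", "<no Sid>") for s in public_statements(doc)]
            for name, doc in policies.items()}

if __name__ == "__main__":
    for name, sids in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'PUBLIC ' + str(sids) if sids else 'ok'}")
```

In practice you would feed `audit()` the policy documents pulled from your cloud provider's API for every container and treat any non-empty result as a finding.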

In my blog for Network Solutions, I discuss how to find these unsecured containers and how to prevent these leaks from happening.

CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.


Avast blog: The rise and fall of Parler

In the past week, we have seen the takedown of a social network by its largest technology partners. I refer to Parler, of course. The events weren’t entirely a surprise, but their velocity and totality were unusual. First, Apple and Google removed the Parler apps from the iTunes and Play stores. Then, its hosting partner, Amazon, shut down its servers on Amazon Web Services. I wrote about the issues surrounding the Parler takedown for Avast here, examining its surge in popularity and its takedown, and whether this constitutes censorship.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

Avast blog: Which security certification will help you grow your career?

One of the things not lacking in the information security community is the dozens of cybersecurity industry certifications that are available to burnish your qualifications. These include vendor-driven certifications from leading security companies like Cisco and Microsoft, courses that will lead towards certifications from SANS, and many others. In this post for Avast’s blog, I will guide you through this maze.

From the archives: my work for the US Congress’ Office of Technology Assessment

Seeing the attacks on our Capitol brought back memories of working for Congress in the early 1980s at this small bipartisan agency. I contributed chapters to two major research reports:

I am thankful that the Woodrow Wilson Center at Princeton has preserved these digital copies.

RSA blog: Paying Down your Technical Security Debt

As we begin 2021, one of the first orders of business is to undo some of the quick decisions we made during the beginnings of the pandemic last year. Nowhere is this more the case than with dealing with our technical infosec debt, a term coined by Ward Cunningham decades ago. It is basically a fancy term for taking the easy route, for cutting corners and saving time by not really looking at the longer-term consequences of certain decisions that could make your IT infrastructure inherently insecure. It reflects the implied costs of reworking the code in your program due to taking these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

You can read the latest in my blog for RSA here.