Avast blog: Fighting stalkerware

Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic violence abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.

The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.

CSOonline: 9 cloud and on-premises email security suites compared

Email remains the soft underbelly of enterprise security because it is the most tempting target for hackers. They need just one victim to succumb to a phishing lure to enter your network. Phishing (in all its forms) is only one of many attacks that can leverage a poorly protected email infrastructure; others include account takeovers (due to reused passwords), business email compromises, payment fraud, specialized mobile malware, and spam messages that carry hidden malware or poisoned web links. That places a heavy burden on any email security solution.

I have been testing and writing about these products for decades and in this roundup I touch on some of the latest integrations and innovations with nine security suites:

  • Abnormal Security’s Integrated Cloud Email Security
  • Area 1’s Horizon
  • Barracuda Email Protection
  • Cisco Secure Email
  • FireEye Email Security
  • Voltage SecureMail
  • Mimecast Email Security
  • Trustifi
  • Zix Secure Cloud Email Security Suite

As seems to be the usual operating procedure, figuring out the pricing for the numerous configurations can be vexing: one vendor (FireEye) did not provide pricing, and several other vendors declined to participate entirely.

You can read my full roundup for CSOonline here.

Avast blog: The report from the third CyberSec&AI conference

Last week, the third annual CyberSec&AI Connected was held virtually. There were many sessions that combined academic and industry researchers along with leaders from Avast to explore the intersection of security and privacy and how AI and machine learning (ML) fit into both arenas. The conference strives to deepen the ties between academia and industry and this report for Avast’s blog dives into new and exciting work being done in various fields.

One of the speakers was Dawn Song, a computer science professor at the University of California at Berkeley. She outlined a four-part framework for responsible data use by AI that includes:

  • Secure computing platforms, such as the Keystone open source secure processor hardware,
  • Federated learning, whereby one’s data stays under their control,
  • Differential privacy, using tools such as the Duet programming language and public data sets such as the Enron email collection, and
  • Distributed ledgers that can have immutable logs to help guarantee security.

Avast blog: Improving the intersection between privacy and security

At this year’s Avast Data Summit, an internal event primarily intended for Avastians, a combination of Avast leaders and industry thought leaders gave seminars at the intersection of privacy, data, and security.

Many of the topics presented at the event can help you classify, work with, and better secure your data. Following these suggestions can better protect your customers’ privacy and improve your own corporate security profile.

Companies exist in a changing data landscape. There is an evolving collection of data sources and products that are used to produce reports, set management objectives, and guide a variety of corporate initiatives such as improving customer experience and product features. The evolution of data means having a group of data curators who decide how trust relationships are established, what data gets deleted, and what is retained. This landscape was illustrated with the below diagram. I cover three main themes from the event: the importance of returning to security basics, understanding the nature of differential privacy, and how to use better tools to measure and improve your privacy and data governance.

You can read my report from the Summit on Avast’s blog here.

Avast blog: Facebook outage: How to prevent your own network failures

On October 4, Facebook was offline for about six hours due to human error. The company states that “configuration changes on our backbone routers” were the cause. In this post for Avast, I’ll explain what happened and walk through the takeaways for running your own business network. Thanks to two Internet protocols, DNS and BGP, Facebook engineers accidentally took their servers offline and also prevented users of WhatsApp and Instagram from using those apps.

A more technical explanation can be found here on Cloudflare’s blog. This diagram shows the outage of all three services:


Biznology blog: Understanding how collaboration happens

The PC era brought about an unprecedented transformation in the world of work, but it mostly empowered individual employees to run their own productivity apps. With the work-from-home challenges brought about by the COVID-19 pandemic, workers must now figure out how to collaborate. It’s a business imperative, and it isn’t a new problem, but it’s an increasingly complex challenge, not because of a lack of tools, but because we have too many to choose from. Now that more of us are working from home, how can we have a virtual experience that will work? There are two posts for Biznology:

In Part 1 of this series, we discuss the history and evolution of collaboration. We set a historical context and show you how collaboration has evolved over the past several decades by looking at some of the more interesting and effective moments in shared team productivity. In Part 2, we turn to how to choose the right tools so that you can collaborate effectively.

Avast blog: Here are OWASP’s top 10 vulnerabilities in 2021

Last week was the 20th anniversary of the Open Web Application Security Project (OWASP), and in honor of that date, the organization issued its long-awaited update to its top 10 exploits. The list has been in draft form for months; it has been revised several times since 2003, most recently before this iteration in 2017. In my blog post for Avast, I probe into its development, how it differs from the older lists, and what the key takeaways are for infosec managers and corporate app developers.

The 2021 Top 10 list has sparked some controversy. Security consultant Daniel Miessler complains that the list mixes unequal elements, and calls out the insecure design item as a problem. “While everyone can agree it’s important, it’s not a thing in itself. It’s instead a set of behaviors that we use to prevent issues.” He thinks the methodology is backwards: “OWASP should start with the purpose of the project and the output you want it to produce for a defined audience, and then look at the data needed.”

Red Cross blog: Mickey Shell works as Red Cross disaster mental health volunteer at 9/11

I interviewed Arkansas-based Red Cross volunteer Mickey Shell as part of a package of stories about where other volunteers were after the 9/11 disaster. To give you an idea of the scope of the organization’s services, more than 57,000 Red Crossers from across the country served more than 14 million meals and snacks, opened dozens of shelters for people who were left stranded, and connected some 374,000 times with people to provide emotional support and health services.

Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousands of dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that it is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons requires an understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.