Avast blog: Beware of a new and dangerous RDP exploit

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited. In my latest post for Avast’s blog, I describe what this new challenge is about and ways that you can minimize any potential exploits.

TheVerge: Ways to securely share files in the cloud

The Verge has put together a solid collection of articles on how to deal with the not-so-new realities of working from home. They had me write a piece on how to share your work files, and you can read it here. The days when we were all connected to the same shared drive or local network folder are now quaint memories. Sharing files today takes some careful planning, particularly if you want to do so as securely as possible.

In my article, I cover the various methods that are available, from sharing a file attached to an email or instant message to using public cloud services like Dropbox to using Google Workspace and Microsoft OneDrive. But the best solution is a group of business-related cloud services that I summarize in this chart.

| Vendor | Monthly pricing | Max. file upload | Free trial period | Application integration |
|---|---|---|---|---|
| Egnyte | $20/user | 100 GB | 15 days | Extensive |
| SecureDocs | $250 for unlimited users | Unlimited | 14 days | Limited |
| ShareFile/Citrix | $50 for unlimited users | 100 GB | 30 days | Extensive |
| SugarSync | $55 for 3 users | 300 GB for web clients | 30 days | Limited |

Avast blog: Introducing a business guide to tackle credential stuffing attacks

One of the biggest threats facing both large and small businesses alike goes by the moniker credential stuffing. In these attacks, the bad guys count on our reuse of passwords across two or more logins, and once they find a user name/password that works, they try to use that information to break into our other accounts. Akamai, in its latest State of the Internet report, says that it has seen over 193 billion credential stuffing attacks in 2020. These attacks can cost billions of dollars annually, when adding up the cost of remediating the problem, handling all the user calls for password resets, and changing other operations. The office of New York Attorney General Letitia James has found thousands of posts containing login credentials that had been tested in credential stuffing attacks. In order to combat credential stuffing attacks, James’ office recently released a business guide.

You can read more about ways to fight credential stuffing attacks in my latest post for Avast’s blog here.

Avast blog: Discussing NSA leaks and recent state activities with Edward Snowden

Edward Snowden and Pulitzer Prize-winning journalists Glenn Greenwald and Chris Hedges recently came together in a video conference call moderated by Amy Goodman of Democracy Now. In the video, the group talks about the past eight years of privacy problems and other significant events. Since leaking documents from the NSA and leaving its employment in 2013, Snowden has been living in Moscow and has since been charged with violating the Espionage Act. I review the discussion in this blog post for Avast and explore his history, the state of affairs around Julian Assange’s self-imposed exile in London, and the relationship between governments and individual privacy in light of the NSA’s mass surveillance that was revealed by Snowden.


Avast blog: New ways to phish found by academic researchers

A years-long research effort between computer scientists at Stony Brook University and private industry researchers has found more than 1,000 new and more sophisticated phishing automation toolkits across the globe. What’s interesting about this effort is that these tools can help subvert the multi-factor authentication (MFA) of just about any website using two key techniques: man-in-the-middle (MITM) attacks and reverse web proxies. In my blog post for Avast, I talk about how the attack works, how these tools were found in the wild, and what you can do about them to keep using MFA to protect your own logins.

Avast blog: Countering disinformation requires a more coordinated approach

The US Cyberspace Solarium Commission’s latest report, entitled Countering Disinformation in the US, is the latest analysis to come from this two-year-old bipartisan Congressional think tank. The report, which was released earlier this month, takes a closer look at the way disinformation is spread across digital networks and proposes a series of policy actions to slow its spread using a layered defense.

Whether or not the US Congress will take up these recommendations is hard to say. Certainly, the current hyper-partisan split won’t make it easier. You can see the move away from bipartisan bill sponsorship as documented by the report in the graph above. You can read more in my post for Avast here.

Infoworld: What app developers need to do now to fight Log4j exploits

Earlier this month, security researchers uncovered a series of major vulnerabilities in the Log4j Java software that is used in tens of thousands of web applications. The code is widely used across consumer and enterprise systems, in everything from Minecraft, Steam, and iCloud to Fortinet and Red Hat systems. One analyst estimates that millions of endpoints could be at risk.

There are at least four major vulnerabilities from Log4j exploits. What is clear is that as an application developer, you have a lot of work to do to find, fix, and prevent Log4j issues in the near term, and a few things to worry about in the longer term.

You can read my analysis and suggested strategies in Infoworld here.

Biznology: An update on women in tech

Eight years ago, I attended a conference (remember doing that in person?) and had a chance to hear from some pretty amazing speakers, many of them women. The conference, Strangeloop, was notable for the number of women speakers in a tech field that so often diminishes the contributions of women and POC. I happened upon the piece that I wrote and asked the women I interviewed if they had more recent experiences that they would like to share with my readers. Sadly, while there has been some progress, it isn’t much.

You can read the story in Biznology here.

Retaining my back catalog

Taylor Swift and I have something in common: we both are having trouble retaining our back catalogs. In her case, she is busily re-recording her first six albums since the originals are now under the control of a venture-backed investment group. In essence, she is trying to devalue her earlier work and release new versions that improve upon the recordings. In my case, I am just trying to keep my original blog posts and other content available to my readers, despite the continued effort by my blog editors to remove this content. Granted, many of these posts are from several years ago, back when we lived in simpler times. And certainly a lot of what I wrote about then has been eclipsed by recent events or newer software versions, but still: a lot hasn’t. Maybe I need to add more cowbell, or sharpen up the snare drums. If only.

I realize that many of my clients want to clean up their web properties and put some shiny new content in place. But why not keep the older stuff around, at least in some dusty archive that can still receive some SEO goodness and bring some eyeballs into the site? Certainly, it can’t be the cost of storage that is getting in the way. Maybe some of you have even done content audits, to determine which pieces of content are actually delivering those eyeballs. Good for you.

That link recommends removing non-relevant content, which I don’t agree with. I think you should preserve the historical record, so that future generations can come back and get a feel for what the pioneers who were making their mark on the internet once said and felt and had to deal with.

Some newspaper sites take this to the extreme. In July 2015, the venerable Boston Globe newspaper sent out a tweet with a typo, shown here. Typos happen, but this one was pretty odd. How one goes from “investigate” to “investifart” is perhaps a mystery we will never solve, but the Globe was a good sport about it, later tweeting, “As policy we do not delete typographical errors on Twitter, but do correct #investifarted…” Of course, #investifarted was trending before long. The lesson learned here: as long as you haven’t offended anyone, it’s ok to have a sense of humor about mistakes.

Both Tay and I are concerned about our content’s legacy, and having control over who is going to consume it. Granted, my audience skews a bit older than Tay’s – although I do follow “her” on Twitter and take her infosec advice. At least, I follow someone with her name.

I have lost count of the number of websites that have come and gone during the decades that I have been writing about technology. It certainly is in the dozens. I am not bragging. I wish these sites were still available on something other than archive.org (which is a fine effort, but not very useful at tracking down a specific post).

I applaud Tay’s efforts at re-recording her earlier work. And I will take some time to post my unedited versions of my favorite pieces when I have the time, typos and investifarts and all.

In any event, I hope all of you stay healthy and safe this holiday season.


The Verge: How to recover when your Facebook account is hacked

Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.

In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.

And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.