Avast blog: Dave Piscitello working to make the internet a more secure place

Dave Piscitello of Interisle Consulting Group: 5 Things You ...I first met Dave Piscitello in the late 1990s when we served together on the Interop+Networld conference program committee, and collaborated on several consulting reports. He went on to create his own conference on internet security that ran from 1997-2000, then went on to work on security for ICANN until 2018. He serves on several international do-gooder infosec boards and is part of a consultancy called the Cybercrime Information Center that produces some very excellent reports on the state of malware, phishing, and domain name abuses. The most current report is on phishing, which shows that monthly attacks have doubled since May 2020. What makes his report powerful is that includes data from four commercial information sources, which collected more than a million unique attacks and publish their own blocklists. I wrote about his work and the state of phishing for my latest Avast blog here.

 

CNN Underscored: Best mobile payment apps reviewed

Mobile payment apps can be a convenient way to send and receive money using your smartphone or smartwatch. Paying for items this way has never been easier, thanks to the availability of numerous mobile payment apps, better payment terminal infrastructure, and wider support for Bluetooth/near-field communication (NFC) contactless credit cards by American issuers. The coronavirus pandemic has also helped to make contactless “everything” more compelling. I tested out five different mobile payment apps: Apple Pay, Google Pay, Samsung Pay, Venmo (by PayPal) and Cash App (by Block, formerly Square) recently, and wrote my review for CNN/Underscored here.

Avast blog: More developments on NSO’s Pegasus spyware

 

Last summer, I wrote about a major international investigation of the NSO Group and its Pegasus spyware. We described how it works and what you can do to protect your phone. NSO has gone through some difficult times as a result of that analysis. NSO was almost purchased by an American company that is closely linked to intelligence operations until the US Government put them, along with another Israeli spyware vendor Candiru, on a special block list that prevents both from obtaining government contracts. Candiru, you might recall, was discovered to be doing its own zero-day spying by Avast researchers.

In my post today for Avast’s blog, I review what transpired at a recent hearing held by the House Intelligence Committee. There were three witnesses who emphasized the threat of spyware to various democracies around the world, and provided lots of specifics about how Pegasus has operated.

Avast blog: How to prepare for a hacking incident

The initial phases of a breach are often the most critical: The intruder is counting on your confusion, your lack of a plan or a clear chain of authority, and any early missteps. Given that it’s only a matter of time before a breach happens, what can you do after encountering an incident to minimize the damage?

For businesses of all sizes, incident response planning infrastructures have gotten very complex, with many interconnected relationships that might not be immediately obvious — until something goes wrong. In this blog for Avast, I outline how you can prepare for an incident in a well-thought-out and organized manner.

CNN Underscored: Best cloud personal storage apps

It used to be that 1 TB of storage was a lot, but now this amount of storage is quite common to find on even the least expensive laptops. Over the years, a number of cloud-based storage vendors have begun to support the TB era and now many of them offer monthly storage plans for a reasonable price. We tested five different cloud-based storage apps—Apple iCloud+, Box, Dropbox, Google One, and Microsoft OneDrive—to see which one is the best cloud-based storage app for you. OneDrive comes out on top and it was easier to install on Macs than on some of our Windows PCs that had additional browser-based security that blocked the desktop client downloads.

You can read my full review here.

Avast blog: More Magecart attacks

Magecart, the notorious credit card stealing cybercrime syndicate, is once again in the news. It is the gift that keeps on giving – it has recently taken root in three different online restaurant ordering websites: MenuDrive, Harbortouch, and InTouchPOS. The malware was found in more than 300 restaurants that used them and exposed more than 50,000 paid orders. The malware was present in some of these systems for many months before they were discovered. Indeed, some attacks began last November and are still active.

There are more details in my post for Avast’s blog here.

How Fortnite spurred innovations in architectural technology

For someone who has been deeply steeped in technology for most of my career, I am woefully ignorant about computer games. I have written about this aspect of my life before, but today’s topic is how one game studio has had a breakout success in developing some very serious non-gaming business applications.

The company is Epic Games, most notably known for its Fortnite brand. Perhaps you have played it, or your kids have played it. Fortnite is built using the Unreal Engine, which has been around for decades and is now on its fifth version. Epic was smart with UE in getting it established as the premier 3D visualization tool, and it is used in all sorts of business applications. One of them caught my interest, when I watched this video from one of my favorite You Tube creators about the building of the Xi’an soccer stadium.  The architects of the stadium used UE to pre-visualize how the seating sight lines would work, how the roof would be constructed, and other design aspects of the stadium. It is still under construction. We are building a more modest soccer stadium here in St. Louis, so I have a bit of stadium envy here.

Anyway, Epic was smart with spinning out UE from Fortnite. First, it is free to download and get started. Yes, there are license fees if you want to do more with it, but you can figure it out and use most of its features without spending any money. Second, there is a huge dev community to support your efforts: discussion forums, loads of documentation, and professional education options too. UE is being taught in numerous colleges across the world. For example, there is this entire online curriculum. These efforts have paid off, and now there are numerous games that independent developers have built in UE.

Before I get to that, here is a short diversion into the world of film pre-viz. When I was living in LA back in the early aughts, I got to meet Dan Gregoire of Halon Entertainment. Halon is one of the pre-eminent pre-viz shops in the entertainment space, and has worked on numerous blockbuster movies. The concept is similar to what the architects are doing: if you can represent what will be shown on screen digitally, you can help a director figure out what camera and lighting and actors are going to be filmed and save a lot of time and money. I asked Dan about UE and turns out he has been using this tool for more than five years, first adopting it for his work for War for the Planet of the Apes. “It is the core foundation of our pre-viz pipeline,” he told me. “We use it for all sorts of things, including as a virtual art department, LED stage content and final pixel game cinematics.” Coincidentally, today they are part of a conference being held in Burbank featuring experts from Nvidia, UE and Microsoft.

But let’s turn back to this field of architectural technology. As architects have gotten comfortable with digital tools, things like doing pre-viz for the Xi’an stadium make a lot of sense. If you can create a digital copy of your building and experiment with various changes before you pour the first foundation footing, you can save a lot of money and build a better building too.

”In the past, architects had to put huge financial resources aside to hire experts who specialize in using visualization tools,” writes this one blog. “The Unreal Engine removes all this from the equation. It is an easy-to-use tool with medium hardware requirements and supports real-time rendering and experimental visualization.” In effect, UE has made rendering more of a commodity to designers and made pre-viz more approachable even for smaller design studios. Epic has this website that will provide all sorts of case studies and links to resources. There is the Atlantic Technological University in Dublin, which actually offers a three-year BS degree in this area. That is impressive.

It is ironic in a way. Just as our construction industry supply chains are getting choked, digital technology can help cut down on mistakes and help build better buildings. “Real-time technology is the future,” says Dan. “All it took was for the technology to be accessible from a business model perspective, and having Epic license it for free for non-game content was a big step.”

Avast blog: The importance of patching

I’ve often made recommendations about patching your systems. Patching is a simple concept to explain: Keeping all your various digital components (hardware, software, and networking infrastructure) up to date with the most recent versions. However, it can be easier said than done – this is due to the fact that our day-to-day operations have become complex systems that interconnect and intersect in ways that are hard to predict. In this blog post for Avast, I review some of the benefits of timely patching, how to get a patching program established and operational, and some notable failures about patching over the years.

SC Magazine: The coming passkey revolution

The war on passwords has entered a new and more hopeful era: their final battle for existence. The challenger is the passkey. Let’s talk about why this is happening now, what exactly the passkey is, and how the victory might just finally be in sight. The goal is a worthy one — according to Verizon DBIR 2022 report, 80% of data breaches still begin with a phishing or Man-in-the-Middle attack, using hijacked account credentials to take over an account. Spoiler alert: passkeys can help big-time in this fight.

Passkeys use a set of cryptographic keys – meaning a long string of digits – in a way that you, the user, doesn’t have to remember or type anything additional. They have been adopted by the major endpoint vendors (Google, Apple and Microsoft), and in my post for SC Magazine I describe how they work.

 

Avast blog: Explaining malicious PDF attachments

The next time someone sends you an email with a PDF attachment, take a moment before clicking to open it. While most PDF files are benign, hackers have recently been using PDFs in new and very lethal ways. Malicious PDFs are nothing new. In my post for Avast’s blog here, I explain their history and how two news items have shown that they are still an active threat vector and being exploited in new and interesting ways, such as this invoice which has different amount due items depending on the particular reader used to view the file.