Avast blog: DoD supply chain lessons learned

A July 2022 survey of 300 U.S. Department of Defense (DoD) IT contractors shows a woeful lack of information security in the majority of situations. These contractors are part of the DoD’s supply chain that, in typical government speak, is labeled the Defense Industrial Base (DIB). The report should be a warning even for those technology contractors that don’t do any DoD work, as I explain in my latest blog for Avast.

 

Avast blog: International police operation takes down iSpoof

Last week, an international group of law enforcement agencies took down one of the biggest criminal operators of a spoofing-as-a-service enterprise. Called iSpoof, it collected more than $120M from victims across Europe, Australia, Ukraine, Canada, and the United States. During the 16 months of the site’s operation, the group took in more than $3.8M in fees from its victims. In my blog for Avast, I summarize what happened, why this gang was so significant, and how spoofing has gotten more advanced over the years since those early days when Paris Hilton spoofed her friend’s cellphone.

Avast blog: Review of “The Chaos Machine” by Max Fisher on the evolution of social media toxicity

With the reinstatement of previously banned Twitter luminaries including Donald Trump and Kathy Griffin, this is a good time to do further research into the role of social media in our public discourse. The recent book by Max Fisher, The Chaos Machine: The Inside Story of How Social Media Rewired Our Minds and Our World, should be on everyone’s reading list. His book documents the rise of social networking for the past decade and shows its highly influential role in society. Fisher is a reporter for the New York Times who has covered its effects for many years.

I review his book for my blog for Avast here. I highly recommend it, even if you think you have been following along with the evolution — some would say the devolution — of social media.

One solution is from Google’s Jigsaw unit, which has a couple of experimental tools freely available, such as the Tune browser extension that can be used to filter the most toxic discussions.

A10 Networks: What is network security and who suffers DDoS attacks?

Network security starts with having a well-protected network. This means keeping intruders out, continuously scanning for potential breaches and malware, and flagging those attempted compromises. One of the biggest threats increasing in popularity is a very specific type of attack called a distributed denial of service (DDoS) attack. These attacks are targeted at your internet servers, including web and database servers, and are designed to flood them with random traffic so that the servers can’t respond to legitimate users’ queries. They are very easy to mount, and without the right tools, very hard to prevent.

This post was part of the A10Networks glossary and can be found here.

Avast blog: Using AI as an offensive cyber weapon

AI is a double-edged sword. It has enabled the creation of software tools that have helped to automate tasks such as prediction, information retrieval, and media synthesis, which have been used to improve various cyber defensive measures. However, AI has also been used by attackers to improve their malicious campaigns. For example, AI can be used to poison ML models and thus target their datasets and steal login credentials (think keylogging, for example). I recently spent some time at a newly created Offensive AI Research Lab run by Dr. Yisroel Mirsky. The lab is part of one of the research efforts at the Ben Gurion University in Beersheva, Israel. Mirsky is part of a team that published a report entitled “The Threat of Offensive AI to Organizations”. The Offensive AI Research Lab’s report and survey show the broad range of activities (both negative and positive) that are made possible through offensive AI.

You can read my latest post for Avast’s blog here.

Qualys annual user conference live blogging

Qualys’ annual security conference returned to a live-only event this week at the Venetian Hotel in Las Vegas, and the keynote addresses started things off on a very practical note… about selling coconuts, toasters, and carbon monoxide detectors. The first two keynotes featured speeches from both Shark Tank celebrity businessman and CEO of Cyderes, Robert Herjavec, and Qualys’ President and CEO, Sumedh Thakar. Both spoke around the similar theme of qualifying and quantifying digital cyber risks.

I am doing near-time blogging of their show, and this was the first of a series of posts.

The second post was a recap of the first day’s events, and included highlights from some of their customers and product team as they took a deeper dive into TotalCloud.

The third post profiled the special launch of the Qualys Threat Research Unit, showing some of its research and how it compiles threat intel and works with various industry bodies to share this data.

The next post highlights some of Qualys’ customers who came to the event to tell some of their stories about how their companies have benefitted from their products.

My final post recaps the second day of the conference sessions and some of the more interesting aspects of various Qualys products.

How Red Cross volunteer Dianne Tattitch helped with the Florida floods of Hurricane Ian

One of the fun volunteer jobs that I have is talking to American Red Cross volunteers about the wonderful work they do to help others in need. I recently wrote this post for the local chapter’s blog about the efforts of Dianne Tattitch (who works in IT for Mastercard) and what she did for those impacted by Hurricane Ian in Florida. Here she is helping with her guest’s laundry needs.

 

Avast blog: CISA recommendations on providing phishing-resistant authentication

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published a fact sheet on implementing phishing-resistant multi-factor authentication (MFA). The publication is in response to a growing number of cyberattacks that leverage poor MFA methods. “Not all forms of MFA are equally secure. Some forms are vulnerable to phishing, push bombing attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, or SIM swap attacks,” the agency writes. The strongest form of phishing protection is to employ FIDO2 or WebAuthn-based tokens as your MFA method, what CISA calls the “gold standard.”

You can read more at my latest blog post for Avast here.

Once again an Enactus judge

Once again I had an opportunity to judge several collegiate entrepreneurial efforts as part of the Enactus 2022 world cup competition. I was a virtual judge at last year’s competition and wrote about my experience then. This time around I was working with four teams, each of which had rather innovative ways to make and sell cattle feed. Now, such a mundane topic you wouldn’t think much of, and you would be wrong. I didn’t get to judge the ultimate winner, a team from Egypt. But I was impressed with the Tunisian team from the Higher Institute of Computer Science of El Manar. You can see their Enactus Report document here. What was impressive about the Tunisian students was how focused they were on solving several problems with their venture. First, they wanted to eliminate the use of imported corn and soy feedstocks that were very expensive for the ultimate feed product. They wanted to make use of by-products for human food production that could be used in animal feeds, and increase the nutritional value of the feed to provide better health and muscle production. Their project generated a net income of US$25,000 with 40 farmers using the feed that was a third cheaper than the existing commercial feed, produced entirely with Tunisian sources. They have plans to expand their project to neighboring countries next year.

 

Avast blog: The latest challenges to Section 230 reach the Supreme Court

The 2015 murder of the 23-year-old American student Nohemi Gonzalez is about to take center stage in a case that has made its way to the US Supreme Court. The woman was one of 129 people killed in Paris by a group of ISIS terrorists. Her estate and family members sued Google, claiming that a series of YouTube videos posted by ISIS are the cause of the attack (and her death), and requesting damages as part of the Anti-Terrorism Act.

At the heart of the resulting Gonzalez v. Google case lies Section 230 of the Communications Decency Act of 1996. This section has been routinely vilified by various political groups, who claim that the protections under this section against civil suits should be struck down. For my latest blog for Avast, I summarize the various issues that are facing the court and implications for online communications.

The arguments are transcribed here.