Avast blog: New digital threats targeting backup power supply systems

Security researchers have uncovered a new series of threats targeting uninterruptible power supply (UPS) units. Because these devices sit on the corporate network, the flaws could let malware reach the computers sharing that network through a variety of clever mechanisms.

The three threats affect most of the Smart UPS line of APC backup power supplies that are widely used by larger enterprise customers. I write about this for Avast’s blog here.

CSOonline: How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. If you don’t currently have your own SOC, you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation.

Since I first wrote this piece back in 2019, the SOC-as-a-service (SOCaaS) industry has matured to the point where the term is falling into disfavor as managed services vendors have become more integral to the practice. As cloud-based security tools have gotten better, data centers and applications have migrated there as well. Some of the services I discuss in this updated article for CSOonline call themselves SOCaaS, while others use other managed services designations. I cover what they offer and how to pick the right supplier for your particular needs.

And to help you evaluate your own SOCaaS providers, I wrote this 2019 article that outlines what you should have in your RFPs.

Avast blog: New survey shows a widespread lack of cybersecurity preparation in SMBs

A marketing firm asked 1,250 small business owners (with fewer than 500 employees) about their cybersecurity practices, and the results are pretty staggering. They largely show that most aren’t doing much to prepare for potential attacks, and for those that have done some work, it often falls far short.

Nearly half of the business owners surveyed don’t have any defensive measures in place, and a third have no protection whatsoever against cyberattacks. And less than a third have implemented regular data backups or made use of secured networks, two of the reasons why ransomware continues to be effective. You can read my analysis in Avast’s blog here.


Dave Hearst Saves Lives by Delivering Blood for the Red Cross

Most everyone is familiar with American Red Cross blood drives. But collecting the blood is just one part of the operation. After processing, the right blood products must be delivered to the right hospitals at the right time, and that requires a lot of logistics. To get the job done, the Red Cross depends on volunteers to transport these donations. One of the most reliable and enthusiastic volunteers is Dave Hearst, who began volunteering in May of 2018 after hearing about the need for drivers while making his own regular blood donation. I interviewed him for a profile for the Red Cross here.

Like Hearst, I also volunteer as a blood driver for our local chapter. It is very rewarding work. We save the chapter more than $1M in transportation expenses annually.

Avast blog: Watch out for browser-in-the-browser attacks

A man-in-the-middle (MITM) attack consists of a victim, a website the victim wants to reach (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website with the intention to steal personal information such as login credentials, or bank account and credit card numbers. Attackers have kept developing new MITM variants.

There are several different types of these attacks, including ones that involve running software on a webpage that can infect your computer through your browser. One that is gaining traction among attackers is what one security researcher calls browser-in-the-browser. The idea is that an attacker writes some JavaScript to draw what looks like a pop-up login window, which is really just a phishing decoy rendered inside the attacker’s own page. Because the fake window is page content rather than real browser chrome, its address bar can display any URL the attacker likes. Look at the two screens reproduced above: it is hard to figure out which is real and which is a threat. Two quick checks help: a genuine pop-up can be dragged outside the main browser window, while the fake one cannot leave the page, and a password manager will not fill credentials into it because the page’s true origin is the attacker’s site.

I wrote about this for Avast’s blog here. One way to prevent this exploit is to use a secure browser (such as one from Avast or Brave).
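The following is an added example, not code from the original post or from Avast: a small heuristic detector for browser-in-the-browser windows. It relies on the one thing the attack cannot hide: the fake address bar is ordinary page text claiming a trusted origin, while the page’s real window.location.origin is something else. The watched-origin list, the function names and the idea of running it as an extension content script or DevTools snippet are all assumptions for the demo; the DOM walk only runs in a browser, and the scoring logic is kept pure so it can be tested on its own.

```javascript
// Added example (not the original post's code): heuristic detection of a
// browser-in-the-browser (BitB) window. A BitB "popup" is HTML inside the
// attacker's page, so its address bar is text that *claims* a trusted origin
// (e.g. https://accounts.google.com) while the real origin is the attacker's.
// A genuine popup is a separate OS window whose address bar is browser chrome,
// never page content, so no page text needs to spell out the trusted URL.

// Assumed list of high-value login origins worth watching (demo values).
const WATCHED_ORIGINS = [
  "https://accounts.google.com",
  "https://login.microsoftonline.com",
  "https://www.facebook.com",
  "https://appleid.apple.com",
];

// Matches URL-looking tokens in page text.
const URL_RE = /https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s"'<>]*)?/gi;

// Origin of a URL string, or null if it does not parse as a URL.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Pure scoring logic: given visible text snippets and the page's real origin,
// return the watched origins the page displays as text but is not served from.
// An empty list means no BitB indicator was found.
function findSpoofedOrigins(textSnippets, realOrigin, watched = WATCHED_ORIGINS) {
  const hits = new Set();
  for (const text of textSnippets) {
    for (const token of text.match(URL_RE) || []) {
      const origin = originOf(token);
      if (origin && origin !== realOrigin && watched.includes(origin)) {
        hits.add(origin);
      }
    }
  }
  return [...hits];
}

// Browser-only: collect text that is NOT inside a hyperlink, plus the values
// of read-only inputs. A real link to accounts.google.com is normal; a bare
// "https://accounts.google.com" drawn inside a styled box or a read-only input
// is what a fake address bar looks like.
function collectNonLinkText(doc) {
  const out = [];
  const walker = doc.createTreeWalker(doc.body, NodeFilter.SHOW_TEXT);
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    if (!node.parentElement.closest("a")) out.push(node.nodeValue);
  }
  for (const input of doc.querySelectorAll("input[readonly], input[disabled]")) {
    out.push(input.value);
  }
  return out;
}

// Run the check only when a DOM exists (extension content script or DevTools).
if (typeof document !== "undefined") {
  const spoofed = findSpoofedOrigins(collectNonLinkText(document), window.location.origin);
  if (spoofed.length) {
    console.warn(
      "Possible browser-in-the-browser window: page text claims",
      spoofed,
      "but the real origin is",
      window.location.origin
    );
  }
}
```

This is a heuristic, not proof: a legitimate page can print a trusted URL in plain text, and an attacker can draw the address bar as an image instead of text. Treat a hit as a prompt to apply the manual tells (try dragging the window out of the browser, and notice whether your password manager offers to fill it) rather than as a verdict.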

CNN: The best VPNs for 2022

CNN had me review a bunch of VPN services for their Underscored site. I looked at 11 different products. I don’t have to tell you why you should use a VPN. But no product can 100% handle the trade-off among three parameters: anonymity, or the ability to move online without anyone knowing who you are; privacy, or the ability to keep your own data to yourself; and security, or to prevent your computers and phones and other gear from being compromised by a criminal. You can’t do all three completely well unless you go back to pen and paper and the Pony Express. Using a VPN will help with all three aspects, and some are better than others at balancing all three.

My two favorites were Mullvad.net and IVPN.net. Both use a novel idea to ensure that they don’t know anything about you: when you download their software, you are assigned a random string of characters that you use to identify yourself. No email necessary. If you don’t want to use your credit card, you can pay via alt-coins too. Consider this “single-factor” authentication: no password is required beyond the code, the code is too long and random for anyone to guess or to find on the dark web (unless you reuse it, which you shouldn’t), and even if it were exposed in a breach there is little that could connect it back to you.

Neither vendor has one of the largest server networks (that title is shared by Hotspot Shield, Private Internet Access, ExpressVPN and CyberGhost). But each of those is owned by a corporate entity that plays fast and loose with your private data (Aura and Kape Technologies). If you want to spend more time understanding the privacy issues, check out Yael Grauer’s excellent analysis for Consumer Reports Digital Lab here.

Not on my recommended list is the VPN that I have been using for the past several years — ProtonVPN (shown above). I am of two minds here. On the plus side, I have a fond spot in my nerd heart for Proton, the Swiss company that was an early proponent of encrypted email. But the VPN product is slower, more expensive, harder to use and more of an “OG” VPN that requires emails and credit cards to subscribe. Yael’s report also mentions some privacy difficulties with the service, as well as those well-advertised services mentioned above that have leaked data or aren’t as transparent as they claim to be.

If you leave home, you need to run some kind of VPN. Period.

Linode: How to Build an Information Security Risk Management Program

Understanding and quantifying information security risks lies at the heart of many security issues. If you can’t quantify risks, you can’t address how to protect your data assets, corporate secrets, and employees’ and customers’ privacy and information. Managing these risks and improving security is everyone’s responsibility, not just the province of the IT department. Businesses are moving in this direction in part because of the Covid pandemic, and also because more companies are becoming dependent on digital technologies, thus increasing their potential attack surface. More sophisticated attack methods make the world of security risk management more complex and important to understand.

In this post for Linode, I describe what information security risk management is, why it matters for businesses, how to develop an appropriate plan (such as the suggestions from a recent Dragos report shown above) and get management buy-in, and why you should conduct periodic risk assessments.


How Misty Sutton fell in love with the American Red Cross

Misty Sutton never set out to work at the American Red Cross, but she quickly fell in love with both the mission and the overall organization. “I love that the Red Cross is neutral and provides universal assistance, no matter what the client’s circumstances might be,” she said.

Since connecting with the Red Cross two years ago, she has filled a variety of positions, first as a volunteer, and since August 2021 as a full-time disaster program specialist for the Missouri-Arkansas Region. Her most memorable deployment was the massive River Valley floods of 2019, which hit soon after she began volunteering. You can read my interview with her here.

CSOonline: Top tools and best practices for WordPress security (2022)

If you run a WordPress website, you need to get serious about keeping it as secure as possible. WordPress continues to be a widespread target for hackers. There have been numerous breaches over the years and WordPress has become more popular with both its customers and hackers. I have been using it as my main blogging platform for more than a decade, and secure it with free versions of Wordfence and MiniOrange MFA tools. In my updated post that I originally wrote for CSOonline several years ago, I examine what has changed and why you need to be deliberate and serious about securing your blog.

The Russians have an airplane problem

Have you ever heard of the following companies: Nordstar, S7, Angara, Amur or Barkol? Probably not. All of them are just some of the names of dozens of airlines operating in Russia. Right now, Russian airlines have a problem and they are about to make international insurance lawyers very busy for the next decade to solve it. The problem stems from the way that all modern airlines operate their fleets. Since the airspace restrictions and sanctions were imposed earlier this year, all Russian airlines can only fly domestically. Given that Russia has more than 500 daily domestic flights, you would think that would still be a viable market for them, but you would be wrong.

I am writing about the Russian plane problem because it is something that I can get my head around in this horrific war with Ukraine. My heart breaks as I try to follow the latest news and see the misery of millions fearing for their lives and fleeing to other parts of Europe that I never thought I would cast in a kind light. But I have to remember not to confuse the people of a country with its leaders, too.

There are several problems with the planes.

First, there are more than 900 aircraft that are registered in Bermuda. Think of this as a “flag of convenience” as many ships are registered in Panama, but there is a separate complication. Bermuda has a very robust registration entity and favorable tax and treaty laws, so the Russian airlines have taken advantage of this and have registered more than 500 planes there. Last week, Bermuda pulled these registrations, fearing quite rightly that the planes will be held hostage as the war continues. The second problem is that the major aircraft manufacturers (Boeing and Airbus) have pulled their people and stopped parts shipments (so no one can maintain the planes). A third plane maker, Antonov, is based in Kyiv and its factory was recently bombed by the Russians. Planes require regular maintenance, but more importantly, they require people to log these repairs so insurers can be satisfied that the planes are safe and properly cared for.

The third issue is that many of the Russian planes are financed by leasing companies, which happen to be based in Ireland. Again, favorable taxes and treaties. The leasing companies tried to repo a few of the planes that were sitting outside of Russia when the sanctions went into effect, and managed to take control over a few (and lose a couple too). Now that is a high-stress job, being a plane repo dude.

The total value of the planes stuck in Russia was somewhere around $10B, including some brand new planes that were just delivered before the start of the war. The reason I say was is because their value will plummet even if they sit on the Russian tarmac: think of having your car sit in your garage for many months. Stuff just starts to deteriorate. So Russia is trying to do an end run around the Bermuda registration by passing a law that says they can re-register their planes in Russia, no harm no foul. Except registering a plane is a lot like registering a car: there is only one country allowed, and to change the registration involves some paperwork and agreements that aren’t just signing the plane over. For example, a lease becomes void when the registration changes. The international aviation industry has these rules, otherwise there would be chaos. Which there now is.

And the planes are just the beginning of other issues for Russia. This piece in CSOonline describes how Russia is disconnecting itself from the rest of the global internet by requiring use of its own digital certificates and DNS resolvers. The security implication is worth spelling out: a state-controlled root certificate that users are told to install can sign a certificate for any domain, so whoever holds its key can intercept TLS traffic from browsers that trust it, and state-run resolvers can answer any DNS query however the state likes. We are witnessing the unbanking and disconnecting of Russia from the rest of the global economy. There is certainly more turbulence and misery ahead.