CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.


Avast blog: The rise and fall of Parler

In the past week, we have seen the takedown of a social network by its largest technology partners. I refer to Parler, of course. The events weren’t entirely a surprise, but their velocity and totality were unusual. First, Apple and Google removed the Parler apps from the iTunes and Play stores. Then, its hosting partner, Amazon, shut down its servers on Amazon Web Services. I wrote about the issues surrounding the Parler takedown for Avast here, examining its surge in popularity and its takedown, and whether this constitutes censorship.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

Avast blog: Which security certification will help you grow your career?

One of the things not lacking in the information security community is the dozens of cybersecurity industry certifications that are available to burnish your qualifications. These include vendor-driven certifications from leading security companies like Cisco and Microsoft, courses that will lead towards certifications from SANS, and many others. In this post for Avast’s blog, I will guide you through this maze.

From the archives: my work for the US Congress’ Office of Technology Assessment

Seeing the attacks on our Capitol brought memories of working for Congress back in the early 1980s for this small bipartisan agency. I contributed chapters of two major research reports:

I am thankful that the Woodrow Wilson Center at Princeton has preserved these digital copies.

RSA blog: Paying Down your Technical Security Debt

As we begin 2021, one of the first orders of business is to undo some of the quick decisions we made during the beginnings of the pandemic last year. Nowhere is this more the case than with our technical infosec debt, a term coined by Ward Cunningham decades ago. It is basically a fancy term for taking the easy route, for cutting corners and saving time by not really looking at the longer-term consequences of certain decisions that could make your IT infrastructure inherently insecure. It reflects the implied cost of reworking the code in your program because of these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

You can read the latest in my blog for RSA here.

Avast blog: It’s time to consider getting a Covid-19 vaccine passport for travel

As the number of people getting vaccinated against Covid-19 rises, it’s time to review the ways that people can prove they have been inoculated when they want to cross international borders. These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

In my blog for Avast, I talk about how these passports (such as the open source CommonPass) could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges.


Kaspersky blog: Despite all the cool tools, tech collaboration is still missing something

Since the pandemic began, organizations have been working hard on how they collaborate. But something’s still missing, and it’s to do with people. Looking at successful tech and creative collaborations of the past, common trends emerge. Any organization can use these to kickstart better collaboration within and between their teams. I highlight a few of these classic great situations, including the effort to produce new Covid vaccines, how the Unabomber was found by the FBI, the Bletchley Park code-breakers, and others for my latest blog post for Kaspersky.

Who benefits most from Facebook: the right or the left?

What I will take away from 2020 — apart from the worldwide pandemic and my own health issues that had nothing to do with it — is how Facebook solidified its position as the primary incubator for hate groups. And despite repeated attempts to try to prove otherwise, it continues to fan the flames of hate from both sides of the political spectrum. Instead of helping free speech, it is poisoning the world with its memes and encouraging like-minded people to join in its toxic spew.
This piece by Adrienne LaFrance in the Atlantic goes further, saying that Facebook has become the embodiment of the “doomsday machine,” first made popular during the Cold War and the central plot device of Dr. Strangelove, a movie we should rewatch in this new context. “Facebook does not exist to seek truth and report it, or to improve civic health, or to hold the powerful to account,” she says. “It has the power to flip a switch and change what billions of people see online. No single machine should be able to control so many people.”
Does Facebook cater more towards the left or right of the political spectrum? Earlier this month, we were treated (if you’ll forgive me) to both Zuck and Jack Dorsey being grilled by the Senate Intelligence Committee. (Here is the coverage by the NY Times.) Half of the questions asked by the Republican Senators were about censoring conservative voices and what political parties were supported by their staffs. “Facebook and Twitter have maintained that political affiliation has no bearing on how they enforce their content moderation rules,” said the Times. I would agree: they support hate from both sides of the political spectrum.
If you examine Kevin Roose’s Top 10 list of Facebook posts on Twitter, you can see if you go back to before the election that these lists were dominated almost completely by right-wing groups. More recently it has been more evenly split right/left, but still there are days where only a couple of the top 10 are from moderate or lefty outlets. This article from October documents how Facebook routinely sets rules for content moderation, then breaks them in favor of posting right-wing viewpoints. This has resulted in an outsized reach and engagement, which eclipse more centrist or left-leaning POVs.
Going back to the summer of 2019 when there was that White House right-wing blogger summit, we saw a marked spike in their support as documented by the Washington Post.
But this issue is getting to be old news. Just this past week, Facebook put up this web page, accompanied by full-page newspaper ads claiming that they are on the side of small businesses. They are going after Apple’s attempt to eliminate tracking cookies and make your mobile activities more private. Apple has proposed a pop-up warning when it detects a cross-site cookie, with this mockup. One analysis of the conflict says this illustrates Apple and Facebook’s different approaches to privacy and whether end users or advertisers will foot the ultimate bill. Regardless, the irony and shameless factor from both companies is too much.
I usually come to this point in my posts where I offer some suggestions. Sadly, while our Congress continues to ask the wrong questions, there are no easy ways out of this. And even though we have destroyed many of our nuclear warheads, with the billions of us fueling social media’s every moment, there are far too many silos that are distributed across the planet, ready to launch their hateful rhetoric at the push of a button.

Avast blog: The dangers of Adrozek adware

Microsoft has found that various browsers are being targeted with ad-injection malware called Adrozek. At the attack’s peak in August, the malware was observed on more than 30,000 devices every day, according to the researchers. The adware, as it is called, substitutes phony search results that, when clicked, will infect your computer.

You can read my analysis of the malware and what you can do to prevent it in my latest blog post for Avast here.