Avast blog: Just because your iPhone is powered off doesn’t mean it can’t be attacked

Did you know that even when your iPhone is turned off, some of its components are still getting power? Researchers have found this to be one of the reasons why a new attack vector can operate without your knowledge. The issue lies with the iPhone’s Low Power Mode (LPM) and the fact that while using this functionality, certain communications chips continue to operate. Apple’s LPM features were introduced as part of iOS 15 and enable things such as Find My Phone, which can continue to track and function when a phone is turned off. You can find out more about this, and how it stacks up with air-gap research and NSO’s Pegasus, in my latest blog for Avast here.

 

CSOonline: How to choose a certificate management tool

Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map, including those for servers, for applications, to encrypt your email messages, for authenticating to connect with IoT devices, to allow you to make edits to a piece of code, and for user identities to have access to a particular shared resource.

cso email security suites table

I mention the above products and some of their important features, along with other aspects  about how to manage your certs in my post for CSOonline here.

Red Cross blog: Brian Mintner Delivers Blood and Much More

Saving lives isn’t just some abstract concept for the American Red Cross. Volunteer Brian Mintner not only delivers lifesaving blood to people he’ll never meet, he is directly responsible for saving one specific life. Brian is the manufacturing transportation supervisor for the Missouri-Arkansas region of the Red Cross, coordinating the movement of blood products collected from donors and ensuring they are transported to various hospital blood banks. He oversees a vast transportation network that, he admits, “is a brutal chain of custody.”

In my blog for the Red Cross, Brian (whom I also work for as I am one of his volunteer drivers) is profiled.

Avast blog: How to make a successful transition to a hybrid work schedule

Employers should migrate to a hybrid environment only after building a solid foundation to support remote workers. As Covid-19 pandemic restrictions have eased, employers are adjusting their work-from-home policies. Some companies, including Airbnb, have doubled down and made substantial commitments to remote working. Others, like Google, have begun to shift to more in-person and hybrid office policies. This range just among the two tech giants is an example of the different possibilities being considered by other employers. According to a 2017 Gallup poll, 43% of U.S. employees worked remotely all or some of the time.

Part of the reason for this difference has to do with how all of us have adjusted to working in the face of the pandemic. I explain more in this post for Avast’s blog.

Network World: Lessons learned from the Atlassian network outage

Last month, software tools vendor Atlassian suffered a major network outage that lasted two weeks and affected more than 400 of their over 200,000 customers. It is rare that a vendor who has been hit with such a massive and public outage takes the effort to thoughtfully piece together what happened and why, and also provide a roadmap that others can learn from as well.

In a post on their blog last week, they describe their existing IT infrastructure in careful detail, point out the deficiencies in their disaster recovery program, how to fix its shortcomings to prevent future outages, and describe timelines, workflows and ways they intend to improve their processes. I wrote an op/ed for Network World that gleans the four takeaways for network and IT managers.

Avast blog: Top MFA myths busted

Today is World Password Day. Ideally, every day you should take some time to improve your password collection, and the best way to do that is to use MFA. But for all of its utility, MFA still has its resistors. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths in my latest post for Avast and hopefully help you convince folks to get onboard.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI) that began in 2014 and has been expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.

Avast blog: Obama on strengthening our democracy and reforming social media

Last week, Barack Obama delivered a keynote address at an event, “Challenges to Democracy in the Digital Information Realm”, co-hosted by The Stanford Cyber Policy Center and the Obama Foundation. He discussed the role of government in online technologies, the relationship between democracy and tech companies, and the role of digital media to elevate authoritarian rulers. He touched on the point that we all now occupy entirely different media realities that are fed directly into our “personal information bubbles” of our smartphones.

You can read my post for Avast’s blog here to see what else he had to say to this audience and what he recommends we do to fix social media to make it better for democracy.

CSOonline: How to choose the best VPN for security and privacy

Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments,

A VPN is still useful and perhaps essential to a modern mostly remote workplace. In this post for CSO, I describe these scenarios, what security researchers have found about how VPNs leak data or have other privacy issues, and what you should look for if you intend to deploy them across your enterprise.