Medium One-Zero: How to Totally Secure Your Smartphone

The more we use our smartphones, the more we open ourselves up to the possibility that the data stored on them will be hacked. The bad guys are getting better and better at finding ways into our phones through a combination of subtle malware and exploits. I review some of the more recent news stories about cell phone security, which should be enough to worry even the least paranoid among us. Then I describe the loss of privacy and the how hackers can gain access to our accounts through these exploits. Finally, I provide a few practical suggestions on how you can be more vigilant and increase your infosec posture. You can read the article on Medium’s OneZero site.

RSA blog: Why you need a chief trust officer

Lately it seems like trust is in short supply with tech-oriented businesses. It certainly doesn’t help that there have been a recent series of major breaches among security tech vendors. And the discussions about various social networks accepting political advertising haven’t exactly helped matters either. We could be witnessing a crisis of confidence in our industry, and CISOs may be forced to join the front lines of this fight.

One way to get ahead of the issue might be to anoint a Chief Trust Officer. The genesis of the title is to recognize that the role of the CISO is evolving. Corporations need a manager focused less on talking about technical threats and more about engendering trust in the business’ systems. The CTrO, as it is abbreviated, should assure stakeholders that they have the right set of tools and systems in place.

This isn’t exactly a new idea: Tom Patterson (seen here) and Bob West were appointed in that position at Unisys and CipherCloud respectively more than five years ago, and Bill Burns had held his position at Informatica for more than three years. Burns was originally their CISO and given the job to increase transparency and improve overall security and communications. Still, the title hasn’t exactly caught on: contemporary searches on job boards such as Glassdoor and Indeed find few open positions advertised. Perhaps finding a CTrO is more of an internal promotion than hiring from outside the organization. It is interesting that all the instances cited above are from the tech universe. Does that say we in IT are quicker to recognize the problem, or just that we have given it lip service?

Tom Patterson echoes a phrase that was often used by Ronald Reagan: “trust but verify.” It is a good maxim for any CTrO to keep in mind.

I spoke to Drummond Reed, who has been for three years now an actual CTrO for the security startup Evernym. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three titles is “to build and support trust. For a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Speaking to my comment about paying lip service, Reed makes an important point: the title can’t be just an empty promise, but needs to carry some actual authority, and must be at a level that can rise above just another technology manager. The CTrO needs to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust,” advises Reed.

Trust is something that RSA’s President Rohit Ghai speaks about often. Corporations should “enable trust; not eradicate threats. Enable digital wellness; not eradicate digital illness.” I think this is also a good thing for CTrO’s to keep in mind as they go about their daily work lives. Ghai talks about trust as the inverse of risk: “we can enhance trust by delivering value and reducing risk,” and by that he means not just managing new digital risks, but all kinds of risks.

In addition to hiring a CTrO, perhaps it is time we also focus more on enabling and promoting trust. For that I have a suggestion: let’s start treating digital trust as a non-renewable resource. Just like the energy conservationists promote moving to more renewable energy sources, we have to do the same with promoting better trust-maintaining technologies. These include better authentication, better red team defensive strategies, and better network governance. You have seen me write about these topics in other columns over the past couple of years, but perhaps they are more compelling in this context.

RSA blog: Giving thanks and some thoughts on 2020

Thanksgiving is nearly upon us. And as we think about giving thanks, I remember when 11 years ago I put together a speech that somewhat tongue-in-cheek gave thanks to Bill Gates (and by extension) Microsoft for creating the entire IT support industry. This was around the time that he retired from corporate life at Microsoft.

My speech took the tack that if it wasn’t for leaky Windows OS’s and its APIs, many of us would be out of a job because everything would just work better. Well, obviously there are many vendors who share some of the blame besides Microsoft. And truthfully Windows gets more than its share of attention because it is found on so many desktops and running so many servers of our collective infrastructure.

Let’s extend things into the present and talk about what we in the modern-day IT world have to give thanks for. Certainly, things have evolved in the past decade, and mostly for the better: endpoints have a lot better protection and are a lot less leaky than your average OS of yesteryear.

You can read my latest blog post for RSA here abiout what else we have to be thankful for.

HPE blog: CISO faces breach on first day on the job

Most IT managers are familiar with the notion of a zero-day exploit or finding a new piece of malware or threat. But what is worse is not knowing when your company has been hacked for several months. That was the situation facing Jaya Baloo when she left her job as the chief information security officer (CISO) for Dutch mobile operator KPN and moved to Prague-based Avast. She literally walked into her first day on the job having to deal with a breach that had been active months earlier.

She has learned many things from her years as a security manager, including how to place people above systems, not to depend on prayer as a strategy has learned many things from her years as a security manager, including how to place people above systems and create a solid infrastructure plan, ignore compliance porn and the best ways to fight the bad guys. You can read my interview with her on HPE’s Enterprise.Nxt blog here.

Red Hat Developer website editorial support

For the past several months, I have been working with the editorial team that manages the Red Hat Developers website. My role is to work with the product managers, the open source experts and the editors to rewrite product descriptions and place the dozens of Red Hat products into a more modern and developer-friendly and appropriate context. It has been fun to collaborate with a very smart and dedicated group. This work has been unbylined, but you can get an example of what I have done with this page on ODO and another page on Code Ready Containers.

Here is an example of a bylined article I wrote about container security for their blog.

An update on Facebook, disinformation and political censorship

Facebook CEO Mark Zuckerberg speaks at Georgetown University, Thursday, Oct. 17, 2019, in Washington. (AP Photo/Nick Wass)

Merriam-Webster defines sanctimonious as “hypocritically pious or devout.” Last week Mark Zuckerberg gave a speech at Georgetown University about Internet political advertising, the role of private tech companies with regard to regulating free speech, and other topics. I found it quite fitting of this definition. There has been a lot of coverage elsewhere, so let me just hit the highlights. I would urge you all to watch his talk all the way through and draw your own conclusions.

Let’s first talk about censoring political ads. Many of you have heard that CNN removed a Trump ad last week: that was pretty unusual and doesn’t happen very often in TVland. Most TV stations are required by the FCC to run any political ad, as long as they carry who paid for the spot. Zuck spoke about how they want to run all political ads and keep them around so we can examine the archive later. But this doesn’t mean that they allow every political ad to run. Facebook has their corporate equivalent of the TV stations’ “standards and practices” departments, and will pull ads that use profanity, or include non-working buttons, or other such UI fails. Well, not quite so tidy, it appears.

One media site took them up on their policy. According to research done by BuzzFeed, Facebook has removed more than 160 political ads posted in the first two weeks in October. More than 100 ads from Biden were removed, and 21 ads from Trump. BuzzFeed found that Facebook applied its ad removal policies unequally. Clearly, they have some room to improve here, and at least be consistent in their “standards.”

One problem is that unlike online ads, TV political ads are passive: you sit and watch them. Another is that online ads can be powerful demotivators and convince folks not to vote, which is what happened in the 2016 elections. One similarity though is the amount of money that advertisers spend. According to Politico, Facebook has already pocketed more than $50 million from 2020 candidates running ads on its platform. While for a company that rakes in billions in overall ads, this is a small number. But it still is important.

One final note about political ads. Facebook posted a story this week that showed new efforts at disinformation campaigns by Iran and Russian-state-sponsored groups. It announced new changes to its policy, to try to prevent foreign-led efforts to manipulate public debate in another country. Whether they will be successful remains to be seen. Part of the problem is how you define state-sponsored groups. For example, which is state-sponsored? Al Jazeera, France 24, RT, NPR and others all take government funding. Facebook will start labeling these outlets’ pages and provide information on whether their content is partially under government controls.

Much was said about the first amendment and freedom of speech. I heard many comments about Zuck’s talk that at least delineated this amendment only applies to the government’s regulation of speech, not by private companies. Another issue was mentioned by The Verge: “Zuckerberg presents Facebook’s platform as a neutral conduit for the dissemination of speech. But it’s not. We know that historically it has tended to favor the angry and the outrageous over the level-headed and inspiring.” Politico said that “On Facebook, the answer to harmful speech shouldn’t be more speech, as Zuckerberg’s formulation suggests; it should be to unplug the microphone and stop broadcasting it.” It had a detailed play-by-play analysis of some of the points he made during his talk that are well worth reading.

“Disinformation makes struggles for justice harder,” said Slate’s April Glaser, who has been following the company’s numerous content and speech moderation missteps. “It often strands leaders of marginalized groups in the trap of constantly having to correct the record about details that have little to do with the issues they actually are trying to address.” Her post linked to several situations where Facebook posts harmed specific people, such as Rohingya Muslims in Myanmar.

After his speech, a group of 40 civil rights organizations called upon Facebook to “protect civil rights as a fundamental obligation as serious as any other goal of the company.” They claim that the company is reckless when it comes to its civil rights record and posted their letter here, which cites a number of other historical abuses, along with their recommended solutions.

Finally, Zuck spoke about how effective they have been at eliminating fake accounts, which number in the billions and pointed to this report earlier this year. Too bad the report is very misleading. For example, “priority is given to detecting users and accounts that seek to cause harm”- but only financial harm is mentioned.” This is from Megan Squire, who is a professor of Computer Science at Elon University. She studies online radicalization and various other technical aspects. “I would like to see numbers on how they deal with fake accounts used to amplify non-financial propaganda, such as hate speech and extremist content in Pages and Groups, both of which are rife with harmful content and non-authentic users. Facebook has gutted the ability for researchers to systematically study the platform via its own API.” Squire would like to see ways that outside researchers “could find and report additional campaigns, similarly to how security researchers find zero days, but Facebook is not interested in this approach.”

Zuck has a long history of apologia tours. Tomorrow he testifies before Congress yet again, this time with respect to housing and lending discrimination. Perhaps he will be a little more genuine this time around.

HPE blog: Top 10 great security-related TED talks

I love watching TED Talks. The conference, which covers technology, entertainment, and design, was founded by Ricky Wurman in 1984 and has spawned a cottage industry featuring some of the greatest speakers in the world. I attended a TED Talk when it was still an annual event. I was also fortunate to meet Wurman when he was producing his Access city guides, an interesting mix of travelogue and design.

This is an idiosyncratic guide to my favorites TED Talks around cybersecurity and general IT operations, plus some of the lessons I’ve learned. Security TED Talks look at the past, but the lessons are often still relevant today.  (Shown here is Lorrie Faith Cranor, who gave a great talk on passwords.) Moreover, what might seem like a new problem has often been around for years.If you get a chance to attend a local event, do it. You will meet interesting people both on and off the stage.

RSA blog: Are you really cyber aware?

It is once again October, and cybersecurity awareness month,. Last year I wrote a blog post for RSA that mentioned four different areas of focus:

  • More comprehensive adoption of multi-factor authentication (MFA) tools and methods
  • Ensuring better backups to thwart ransomware and other attacks
  • Paying more attention to cloud data server configuration
  • Doing continuous security awareness training

For this year’s post, I re-examine each of these areas, chart progress and trends, and offer a few new suggestions. Attackers have gotten more determined and targeted and software supply chains have become more porous and insecure. What is clear is that security awareness remains a constant battle. Standing still is admitting defeat. Chances are you aren’t as aware as you think you should be, and hopefully I have given you a few ideas to improve.

CSOonline: 5 trends shaking up multi-factor authentication

Analysts predict that the multi-factor authentication (MFA) market will continue to grow, fed by the demand for more secure digital payments and rising threats, phishing attacks and massive breaches of large collections of passwords. This growth is also motivating MFA vendors to add new factor methods (such as some of the newer hardware tokens shown here) and make their products easier to integrate with custom corporate and public SaaS applications. That is the good news.

The bad news is twofold, and you can read my latest update for CSOonline on MFA trends here to find out more about how this market has evolved.

CSOonline: The top 5 email encryption tools: More capable, better integrated

I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:

  • HPE/Voltage SecureMail is now part of Micro Focus, part of an acquisition of other HPE software products
  • Virtru Pro has extended its product with new features and integrations
  • Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
  • Zix Gateway rebranded and widened its offerings
  • Symantec Email Security.cloud has added integrations

In my post today, I talk about recent trends in encryption and more details about each of these five products.