Avast blog: The story of a video chat flaw uncovered by a teenager

You might have missed the news about a FaceTime bug that was found about a year ago. The bug enabled anyone to start a group FaceTime call with one of your contacts, even if that person didn’t explicitly accept the call. Apple disabled group FaceTime calls for a couple of days until it was able to issue a patch in iOS 12.1.4. Since then, Google security researchers have been busy finding the same bug in other group chat apps including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.

In my blog for Avast, I go into details about this bug, how a teenaged gamer discovered it, and how it was tamed.

Network Solutions blog: how to reduce privilege escalation vulnerabilities

What Is Privilege Escalation? - YouTubeOne of the most popular attack methods in IT security starts with posing a simple question: How many places in your IT infrastructure have administrative access? Unfortunately, getting to the bottom of answering this question is anything but simple, but it can be instructive. This is because understanding administrative access is perhaps one of the most important ways to defend your business computing network.

Admin access permissions are the bane of all security managers because they can serve as the golden ticket for hackers to compromise your computers. Once they figure out this privileged access, they can worm their way into your network and create all sorts of havoc. This class of problems is usually labeled privilege escalation. Fixing this will require some careful diligence, including locking down Active Directory permissions, using zero trust methods, and application sandboxes.

You can read my blog for Network Solutions here.

What’s up with WhatsApp privacy (Avast blog)

Last month, I wrote about the evolution of Instant Messaging interoperability. Since posting that article, the users of WhatsApp have fled. The company (which has been a subsidiary of Facebook for several years now) gave its users an ultimatum: accept new business data sharing terms or delete their accounts. For some of its billion global users, this was not received well, especially since some of your data would be shared across all of Facebook’s other operations and products. The change was indicated through a pop-up message that requires users to agree to the changes before February 8. The aftermath was swift: tens of millions of users signed up for either Signal or Telegram within hours of the news.

If you are interested in getting more of the details and my thoughts about whether to stay with WhatsApp or switch to Telegram or Signal, you should take a gander over on the Avast blog and read my post.

WhatsApp pushed off the change until May, which was probably wise. There was a lot of bad information about what private data is and isn’t collected by the app and how it is shared with the Facebook mothership. For example: while the change deals with how individuals interact with businesses, Facebook has and will continue to share a lot of your contact data amongst its many properties. What this whole debacle indicates though is how little most of us that use these IM apps every day really understand about how they work and what they share. My Avast blog tracks down the particular data elements in a handy hyperlinked reference chart.

The problem is that to be useful your IM app needs to know your social graph. But some apps — such as Signal — don’t have to know much more than your friends’ phone numbers. Others — such as Facebook Messenger — want to burrow themselves into your digital life. I found this out a few years ago when I got my data dump from Facebook, and that was when I deleted the standalone smartphone app. I still use Messenger from my web browser, which is a poor compromise I know.

Speaking of downloading data, I requested my data privacy report from WhatsApp and a few days later got access. There are a lot of details about specific items, such as my last known IP address, the type of phone I use, a profile picture, and various privacy settings, This report doesn’t include any copies of your IM message content, and was designed to meet the EU GDPR requirements. I would recommend you request and download your own report.

One of the sources that I found doing the research for my blog post was from Consumer Reports that walked me through the process to make WhatsApp more private. You can see the appropriate screen here. Before today, these items were set to “everyone” rather than “my contacts” — there is a third option that turns them off completely. This screen is someplace that I never visited before, despite using WhatsApp for years. It shows you that we have to be vigilant always about our privacy — especially when Facebook is running things — and that there are no simple, single answers.

Never before have we so many choices when it comes to communicating: IM, PSTN, IP telephony and web conferencing. We have shrunk the globe and made it easier to connect pretty much with anywhere and anyone. But the cost is dear: we have made our data accessible to tech companies to use and abuse as they wish.

Network Solutions blog: why are online containers so often unsecured?

In any given week, security researchers discover caches of data on cloud servers that are completely open to the public, usually containing the most sensitive information about a company’s customers. Leaks were found earlier this summer that revealed data coming from Avon as well as from Ancestry.com. This latter leak wasn’t the first breach for Ancestry — it had an earlier 2017 leak here. The problem is simple to describe and appears — at least at first glance — simple to fix. When you initially set up your online storage, you are asked who has access and what rights are accorded to each user. However, developers have hundreds if not thousands of containers to keep track of, and sometimes they forget to lock all of them down.

In my blog for Network Solutions, I discuss how to find these unsecured containers and how to prevent these leaks from happening.

RSA blog: Paying down your technical security debt

Zulfikar Ramzan mentions in his blog post from last month, “Next year, CISOs will have to grapple with the consequences of the decisions they made (or were forced to make) in 2020. One of their first orders of business will be to ‘un-cut’ the corners they took in the spring to stand up remote work.” Nowhere is this more the case than with dealing with their technical infosec debt, a term coined by Ward Cunningham decades ago.

This is a term that has taken on a greater sense of urgency thanks to the continued pandemic. (See this cartoon for a more humorous illustration.) It is basically a fancy term for taking the easy route, for cutting corners and saving time by not really looking at the longer-term consequences of certain decisions that make your IT infrastructure inherently insecure. It reflects the implied costs of reworking the code in your program due to taking these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

Security trainer and consultant Tanya Janca puts it this way: “Technical debt is a decision. It is a decision to put upgrading, fixing, and improving last. Technical debt is security debt, and you need to make it a personal priority to prevent it.” By choosing the most expedient route, she says IT managers accumulate lots of debt. Examples abound, including “not patching or upgrading endpoints and servers as soon as these are available, using outdated programming and development frameworks or code sources, or being slow to react to specific changes that are needed in your home-grown apps,” she says in her latest book, Alice and Bob Learn Application Security. The focus of the book is on building more secure apps, and technical debt just gets a small mention – but the book (and an accompanying series of online classes available on her website) are an excellent resource for those new to app security.

Technical debt thrives in massive bureaucracies, where buying paper clips require five signatures, or so it seems. If your enterprise makes it difficult for your developers to get the right tools and software frameworks to do their jobs, they will take the easier (and less secure) path. Debt will accumulate if the normal software development cycle is measured in months rather than minutes. Look at the major breaches of the past few years – if the technical debt at Equifax, Uber and Target had “been better understood, then perhaps it could have been appropriately managed and brand reputation could have been maintained and financial losses avoided,” said Jane Frankland, a security executive writing in 2019.

Granted, the pandemic has forced the hand of many IT organizations that can barely keep the wheels turning, let alone have more longer-term plans to keep things as secure as possible. Which comes back to Ramzan’s post.

If you want to pay down your technical debt, here are some suggestions to get started. First, examine your collaboration between your development and security teams. The more they can share best practices, the more secure your apps will become. Second, try to avoid making lots of last-minute changes to your apps, but try to consider security before a single line of code is written. One way to be more deliberate is to have a set of test suites to root out any bugs or missteps. Look at your security issues holistically, not sequentially, as Frankland suggests. (She has lots of other suggestions on her blog too at the link above.)  Create a solid code documentation culture, which avoids making quick and dirty development decisions without considering the security implications. Finally, Cunningham himself had these words of wisdom: “Don’t let the debt build up. Everyone knows the list will never be addressed. Remove cruft as you go. Build simplicity and clarity in from the beginning.”

Janca writes in her book, “When organizations spend most of their time just trying to keep the lights on, constantly fighting fires, technical debt will most certainly result in security problems as well.”

CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.

 

Avast blog: The rise and fall of Parler

In the past week, we have seen the takedown of a social network by its largest technology partners. I refer to Parler, of course. The events weren’t entirely a surprise, but their velocity and totality were unusual.First, Apple and Google removed the Parler apps from the iTunes and Play stores. Then, its hosting partner, Amazon, shut down its servers on Amazon Web Services. I wrote about the issues surrounding the Parler takedown for Avast here, examining its surge in popularity and its takedown, and whether this constitutes censorship.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

Avast blog: Which security certification will help you grow your career?

One of the things not lacking in the information security community is the dozens of cybersecurity industry certifications that are available to burnish your qualifications. These include vendor-driven certifications from leading security companies like Cisco and Microsoft, courses that will lead towards certifications from SANS, and many others. In this post for Avast’s blog, I will guide you through this maze.

From the archives: my work for the US Congress’ Office of Technology Assessment

Seeing the attacks on our Capitol brought memories of working for Congress back in the early 1980s for this small bipartisan agency. I contributed chapters of two major research reports:

I am thankful that the Woodrow Wilson Center at Princeton has preserved these digital copies.