Avast blog: It’s time to consider getting a Covid-19 vaccine passport for travel

As the number of people getting vaccinated against Covid-19 rises, it’s time to review the ways that people can prove they have been inoculated when they want to cross international borders. These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

In my blog for Avast, I talk about how these passports (such as the open source CommonPass project) could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges.


Kaspersky blog: Despite all the cool tools, tech collaboration is still missing something

Since the pandemic began, organizations have been working hard on how they collaborate. But something’s still missing, and it’s to do with people. Looking at successful tech and creative collaborations of the past, common trends emerge. Any organization can use these to kickstart better collaboration within and between their teams. I highlight a few of these classic great situations, including the effort to produce new Covid vaccines, how the Unabomber was found by the FBI, the Bletchley Park code-breakers, and others for my latest blog post for Kaspersky. 

Who benefits most from Facebook: the right or the left?

What I will take away from 2020 — apart from the worldwide pandemic and my own health issues that had nothing to do with it — is how Facebook solidified its position as the primary incubator for hate groups. And despite repeated attempts to try to prove otherwise, it continues to fan the flames of hate from both sides of the political spectrum. Instead of helping free speech, it is poisoning the world with its memes and encouraging like-minded people to join in its toxic spew.
This piece by Adrienne LaFrance in the Atlantic goes further, saying that Facebook has become the embodiment of the “doomsday machine,” first made popular during the Cold War and the central plot device of Dr. Strangelove, a movie we should rewatch in this new context. “Facebook does not exist to seek truth and report it, or to improve civic health, or to hold the powerful to account,” she says. “It has the power to flip a switch and change what billions of people see online. No single machine should be able to control so many people.”
Does Facebook cater more towards the left or right of the political spectrum? Earlier this month, we were treated (if you’ll forgive me) to both Zuck and Jack Dorsey being grilled by the Senate Intelligence Committee. (Here is the coverage by the NY Times.) Half of the questions asked by the Republican Senators were about censoring conservative voices and what political parties were supported by their staffs. “Facebook and Twitter have maintained that political affiliation has no bearing on how they enforce their content moderation rules,” said the Times. I would agree: they support hate from both sides of the political spectrum.
If you examine Kevin Roose’s Top 10 list of Facebook posts on Twitter, you can see that before the election these lists were dominated almost completely by right-wing groups. More recently it has been more evenly split right/left, but there are still days when only a couple of the top 10 are from moderate or lefty outlets. This article from October documents how Facebook routinely sets rules for content moderation, then breaks them in favor of posting right-wing viewpoints. This has resulted in an outsized reach and engagement, which eclipse more centrist or left-leaning POVs.
Going back to the summer of 2019 when there was that White House right-wing blogger summit, we saw a marked spike in their support as documented by the Washington Post.
But this issue is getting to be old news. Just this past week, Facebook put up this web page, accompanied with full-page newspaper ads claiming that they are on the side of small businesses. They are going after Apple’s attempt to eliminate tracking cookies and make your mobile activities more private. Apple has proposed a pop-up warning when it detects a cross-site cookie, with this mockup. One analysis of the conflict says this illustrates Apple and Facebook’s different approaches to privacy and whether end users or advertisers will foot the ultimate bill. Regardless, the irony and shameless factor from both companies is too much.
I usually come to this point in my posts where I offer some suggestions. Sadly, while our Congress continues to ask the wrong questions, there are no easy ways out of this. And even though we have destroyed many of our nuclear warheads, with the billions of us fueling social media’s every moment, there are far too many silos that are distributed across the planet, ready to launch their hateful rhetoric at the push of a button.

Avast blog: The dangers of Adrozek adware

Microsoft has found that various browsers are being targeted with ad-injection malware called Adrozek. At the attack’s peak in August, the malware was observed on more than 30,000 devices every day, according to the researchers. The adware, as it is called, substitutes phony search results that when clicked will infect your computer.

You can read my analysis of the malware and what you can do to prevent it in my latest blog post for Avast here.

Network Solutions blog: The Best IT Certifications to Maximize Your Personal ROI

As teaching methods advance and especially during the pandemic, online learning is starting to approach a physical classroom experience, and it’s great for conceptual learning. A good online learning experience should include not only content, but should also feature practice drills, integrate with real-world case studies, and contain a social component to make learning more effective. I cover some of the things to look for in selecting the right professional IT certifications to increase your potential value to your company.

You can read my blog for Network Solutions here for more about this topic.

RSA blog: Securing chaos: How Security Chaos Engineering tools can improve design and response

A large portion of security professionals think that their job is to prevent bad actors from gaining access to trusted resources. Yes, in isolation that is a true statement. But the implications of that position hide what is really supposed to happen. Instead, it is the job of infosec pros to ensure only appropriate actors can access trusted resources. One way this is accomplished is through what is called Security Chaos Engineering, which tests security resilience before some attack happens. It is an evolution of the pioneering work that was first done at Netflix many years ago. Now there are a number of similar products and related practitioners in this field.

The concept is simple to explain, but exceedingly hard to implement. One reason why this type of engineering mindset is needed has to do with the way that breaches are understood by corporate workers. Too often we don’t think about our IT infrastructure holistically, and when a breach happens we try to just plug the hole and move on. How many post-breach memos have you read where the author says, “we are taking steps to ensure this never happens again?” Technically that is the right approach: the next breach will happen somewhere else in our network, caused by some other “hole.” Another reason is that the average software stack has gotten so complex and distributed that it’s hard to comprehend and defend. It isn’t a matter of if you will have a breach, but when and how and what part of your systems will be compromised.

Adopting chaos engineering means that you look for potential points of failure across all of your IT systems. Part of this should be inherent in any lifecycle governance of your systems. But part is also being clever about how you test your systems. If you think you have this covered with penetration testing, you need to think again. The usual pen test engagement is a single moment in time when a SWAT team inhabits a conference room (perhaps now they do this virtually) and tries their mettle against your security defenses. Chaos engineering is a continuous practice, whereby your team is continuously testing your systems and software. Sadly, the old methods don’t work anymore. For example, just because you bought a firewall several years ago and have spent time defining a rule set doesn’t mean these rules are relevant or effective today. Your systems might be completely different and no longer protected. And these days, with rising cases of ransomware and data exfiltration, you want to catch these attacks before they do real damage.

Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool they called Chaos Monkey. It was designed to test the company’s Amazon Web Services infrastructure by constantly – and randomly – shutting down various production servers. This always-on feature is important, because no single event will do enough damage or provide enough insight to harden your systems or find the weakest points in your infrastructure. Now that we live in the era of complex security events that leverage multiple malware techniques which are part of a coordinated campaign, we need to design and test for more sophisticated and longer-lasting attacks. We need better tools and that is where Security Chaos Engineering can help. In addition to the open source tools that came from Netflix, there are commercial products such as Verodin/Mandiant’s Security Validation, SafeBreach’s Breach and Attack Simulation, and AttackIQ’s Security Optimization Platform, just to name a few of them.

Customers who have used these tools suggest the following best practices:

  • Have an action plan: don’t change more than one variable at a time
  • Define the rules of engagement (including the scaling up of your systems) so you maintain control when things go south
  • Know your “blast radius” and the disruptive implications of your tests
  • Use a tool that integrates with your SIEM logs (for example, SafeBreach can work with RSA’s NetWitness Platform)

This last item bears further explanation. A SIEM log entry can easily be overlooked, especially if you are hunting for a single entry in a massive dataset. Security Chaos Engineering tools can automatically find these entries and advise you about their implications – for example, that a software access role policy is defined too loosely and needs to be tightened.
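As an added illustration of the SIEM-integration point (this is example code written for this page, not code from the post or from any of the products named above), here is a small Python harness that takes a tagged chaos experiment, checks whether its injected activity showed up in a SIEM export, whether a detection rule fired on it, and whether it stayed inside its declared blast radius. The host names, tags and key=value log format are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed SIEM export (key=value lines, not real data). Every action a
# chaos experiment injects carries a tag= label so its trail can be found.
SIEM_LOGS = """
2020-12-01T10:00:01Z host=web-01 event=auth_failure user=svc_chaos tag=chaos-0042
2020-12-01T10:00:02Z host=web-01 event=auth_failure user=svc_chaos tag=chaos-0042
2020-12-01T10:00:03Z host=web-01 event=alert rule=brute_force tag=chaos-0042
2020-12-01T10:05:00Z host=db-01 event=policy_change role=app_reader perm=* tag=chaos-0043
2020-12-01T10:10:00Z host=web-02 event=port_scan tag=chaos-0044
2020-12-01T10:10:01Z host=web-01 event=port_scan tag=chaos-0044
"""

LOG_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)")

@dataclass(frozen=True)
class Experiment:
    tag: str                 # label stamped on every injected action
    hypothesis: str          # the one variable this experiment changes
    blast_radius: frozenset  # hosts the experiment is allowed to touch

def parse(log_text):
    """Turn the key=value lines into dicts, skipping anything unparseable."""
    rows = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            row = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
            row.update(kv.split("=", 1) for kv in m["rest"].split())
            rows.append(row)
    return rows

def evaluate(exp, rows):
    """PASS: seen and a rule fired; GAP: seen but no alert; MISSING: never
    reached the SIEM; ABORT: touched a host outside the blast radius."""
    mine = [r for r in rows if r.get("tag") == exp.tag]
    spill = sorted({r["host"] for r in mine} - exp.blast_radius)
    alerted = any(r["event"] == "alert" for r in mine)
    verdict = ("ABORT" if spill else "PASS" if alerted
               else "GAP" if mine else "MISSING")
    return {"tag": exp.tag, "observed": bool(mine), "alerted": alerted,
            "out_of_scope": spill, "verdict": verdict}

EXPERIMENTS = [
    Experiment("chaos-0042", "repeated login failures on web-01", frozenset({"web-01"})),
    Experiment("chaos-0043", "wildcard permission added to a role", frozenset({"db-01"})),
    Experiment("chaos-0044", "port scan launched from web-02", frozenset({"web-02"})),
]

def run_all(log_text=SIEM_LOGS):
    """Evaluate every experiment against one SIEM export."""
    rows = parse(log_text)
    return {exp.tag: evaluate(exp, rows) for exp in EXPERIMENTS}
```

The GAP verdict on chaos-0043 is the interesting one: the loose role change was logged but nothing alerted on it, which is exactly the kind of overlooked entry the text describes.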

If you haven’t yet examined any of these chaos engineering tools – both for general systems analysis and for security-related issues – now might be the time to take a closer look. It is time for every security team to change their mindset from patching as a result of a security event to becoming more proactive in anticipating future attacks.

RSA blog: Time to give thanks and review our predictions

It is a bit risky writing about the year’s trends and predictions this time around. Certainly, the Covid pandemic has dominated our lives during the past year and thrown many of our predictions out the window. But re-reading my RSA blog post from a year ago, there are still these two themes which are very much at the forefront.

  • Better authentication. In the past year, we saw Apple wholeheartedly embrace FIDO and new implementations that extend its features to web-based authentication. Both will go a long way towards implementing this standard. And support for multi-factor authentication continues to improve too, although it still is far from universal. Only 10% of enterprise users use any form of multi-factor authentication for any of their application logins. Given the popularity of smartphones, installing an authentication app on your phone is the easiest form of protection you can get. But wait, there is more bad news: less than 20% of companies in most industries are protected with email authentication tools such as DMARC and SPF. Sadly, most state and local government domains remain unprotected with these technologies.
  • Ransomware continues to rise. Various reports (such as this one) show a rise in the number and severity of these attacks, with new exploits and variants being seen every week. Some ransomware is designed specifically to target machine learning data, so that models will report bad results and poison automated security solutions.

But let’s look forward, not backward, and certainly we should discuss where we go with Covid. Now that everyone is working from elsewhere, endpoints are being shared across families, making them more vulnerable to exploits. Google has seen 1M daily phishing attempts across its email infrastructure. And there are tons of phishing lures with Covid-related subject lines, or messages that offer free testing or deals on travel. The virus also demonstrated why business continuity and better risk management decision-making is essential. Security awareness training now starts with the home, and if you are sharing your networks with your family, they need to be trained as well.

RSA’s Anti-fraud group has also found an increase in QR code fraud. These codes became more popular this year to try to promote contactless retail shopping or dining experiences. The bad guys quickly picked up on this trend. They trick users into downloading malicious programs, or use QR codes for a new type of phishing attack that brings users to a malicious copycat website. The above link has a bunch of handy suggestions to discern whether your QR code will bring you to potential malware-infested sites and other tips on how to be more aware of malicious codes.

What does the future hold? We should expect more high-profile victims in 2021. In 2020, Twitter, Zoom, Marriott and Nintendo were the top victims of various social engineering and credential stuffing attacks. None of these were technically sophisticated – the Marriott attack, for example, was successful because it managed to compromise just two employees’ accounts. Better authentication and more security awareness training could have prevented this.

A second issue is that of deep fake videos. What began as innocent and simple photo editing software has evolved into an entire industry that is designed to pollute the online ecosystem of video information. The past couple of years have seen advances in more sophisticated image alteration and the use of AI tools to create these deep fakes. I also expect fakes that will be harder for recipients to discern, and that will spread quickly across social networks.

Network Solutions blog: How to defend against web skimming attacks

Your eCommerce website is vulnerable to a variety of threats known collectively as web skimming. The hackers behind these threats are getting better at penetrating your site and installing their malware to steal your customers’ money and private information. And web skimming is getting more popular both with the rising frequency of attacks and with bigger data breaches recorded. In this post for Network Solutions’ blog, I describe how these attacks work, reference a few of the more newsworthy ones and provide a bunch of tips on how to prevent your own eCommerce site from becoming compromised.


Avast blog: The rise of the OGUsers hacking group

The hacker’s forum called OGUsers has ironically been a tempting target for criminals, with a series of at least three successful hacking attempts in the past couple of years: Once in May 2019, a second time in March 2020, and a third time just last week. In my post for Avast’s blog, I talk about how this forum came to be and its involvement in a series of earlier hacks that it originated as well as more specifics on the three attempts. And a few suggestions on what you can do to prevent your account data from being compromised.


Network Solutions blog: an IT professional’s guide to virtual events

You’re in your comfort zone. Maybe you’re solving problems related to IT security, network management or cloud computing. Perhaps you’re helping someone reset their password or get set up on a VPN. Whatever the task is, you feel good about it. You understand your specialty, and you like to stay focused on doing what you do best. Then, one day, someone in your organization messages you and asks you to help run a virtual conference.

Time stops. Your hand freezes on the mouse. The text cursor blinks in the reply field, counting down the seconds until you have to respond. A virtual conference? How do you even start to prepare for something like that?

It might be outside of your wheelhouse, but the truth is that IT professionals like you have a critical role to play in facilitating and troubleshooting virtual conferences. Your team needs your help to ensure the event goes smoothly. You’ll need to choose the right conferencing solution, find event management software that fits your needs and learn how to work with a production team. Then, when the big day comes, you’ll have to perform live troubleshooting to make sure it stays on track.

Download my latest eBook from Network Solutions here to learn more about best practices in supporting virtual events.