Category Archives: Published work

Network Solutions blog: How to Recognize and Prevent Homograph Attacks

Posted on by
Reply

I have written a few times about ways to prevent brandjacking. In this blog post for Network Solutions, I discuss the use of homoglyph or homograph attacks by cybercriminals. These attacks involve exploiting international domain names and the idea is simple to explain once you know a bit of Internet history.

When the Internet was first created, it was based on using Roman alphabet characters in domain names. This is the character set that is used by many of the world’s languages, but not all of them. As the Internet expanded across the globe, it connected countries where other alphabets were in use, such as Arabic or Mandarin. 

Several years ago, researchers discovered the homograph ploy, and since then all modern browsers have been updated to recognize the homograph attack methods of using “xn–80ak6aa92e.com” instead of “apple.com.” I go into the details in my blog post and you can see an example of how a browser responds above.

There is an important lesson here for IT professionals: watch out for injection-style attacks across your web infrastructure. Every element of your web pages can be compromised, even rarely-used tiny icon files. By paying attention to all possible threats today, you’ll save yourself and your organization a lot of trouble tomorrow.

Avast blog: Trying to take down Trickbot

Posted on by
Reply

TrickBot is a malware network that is often described as one of the world’s largest with at least a million PCs. It is once again in the news. Earlier this month, the botnet was the focus of two independent efforts to take it down: from an industry group led by Microsoft and from the US Cyber Command. The TrickBot attempted takedown is just a sign of things to come. What is interesting is how the private and public sector has worked in tandem, using new strategies such as copyright violations and military-grade operations. I go into the details in

 

 

Live blogging at the Avast CyberSecAI conference

Posted on by
Reply

Last year I was fortunate enough to attend in person the CyberSecAI conference in Prague, a unique blend of academic and business researchers and practitioners involved in both cybersecurity and AI fields. This year the conference went completely virtual. I covered most of the sessions through live Tweets and wrote two blog posts that are now up on Avast’s website:

  1. Creating and weaponizing deep fakes. Dr. Hany Farid of UC Berkeley spoke about their evolution, the four different types of fakes, and ways that we can try to solve their challenges. I found his analysis intriguing, and his use of popular figures that were deliberately fakes brought home how sophisticated AI algorithms is needed to flag them definitively.
  2. Understanding bias in AI algorithms. A blue-ribbon panel of experts discussed how to reduce AI algorithmic bias. Should we hold machines at higher standards than we do of ourselves? It was moderated by venture capitalist Samir Kumar, who is the managing director of Microsoft’s internal venture fund M12 and included:
    • Noel Sharkey, a retired professor at the University of Sheffield (UK) who is actively involved in various AI ventures,
    • Celeste Fralick, the Chief Data Scientist at McAfee and an AI researcher,
    • Sandra Wachter, an associate professor at the University of Oxford (UK) and a legal scholar, and
    • Rajarshi Gupta, a VP at Avast and head of their AI and Network Security practice areas.

Part of the problem with defining bias is in separating correlation from causation, which was brought up several times during the discussion.

Mail-in ballots are the new literacy tests

Posted on by
Reply

I was watching a fascinating movie on Amazon called All In. It documents voting suppression history in the US. While we have had various laws, including several Constitutional amendments, their implementation is mostly a local matter. Some local officials have done what they can to deny the vote over the years. For the most part, the documentary is accurate. It features numerous interviews with Stacey Abrams, who lost the Georgia governor’s race in 2018.

The movie comes at an interesting time. In my blog post for Avast this week, I summarize many of the voter suppression efforts that we have seen in the past several years, including leading up to the 2016 and 2018 national elections. There was a lot of data on suppression collected by Mueller. His report  showed that more than 3,500 ads on Facebook were placed by the Russian Internet Research Agency to try to convince potential Black voters to stay home during the 2016 elections. The same group also posted a series of anti-Muslim ads and organized concurrent protest rallies in Texas on opposite political sides. My Avast post has more details on the recent suppression efforts seen this year.

There are efforts to try to encourage everyone to vote, including a major ad spend by a new non-profit group called National Council on Election Integrity.

In the Amazon All In documentary, one person suggests the 2016 efforts should be called “Jim Crow v2.0,” referencing the pre-60s laws (and more recent changes) that made voting difficult by instituting literacy tests and poll taxes. You can see some archived examples of 1960s-era literacy tests here. These tests are almost impossible to pass, even f you have a graduate degree in American Studies.

I want to take things a step further: I think we are now in the Jim Crow v3.0 era. The new literacy test is the result of a confusing series of mail-in and absentee ballot regulations and shifting court challenges that are now happening across our country. My wife and I voted via mail-in ballots in Missouri: it took a lot of re-reading the various instructions, figuring out the steps involved, getting our ballots notarized and then mailed in. Each ballot has to be returned in a matching envelope and is tagged with a QR code that you can scan to check on its progress, to ensure that the elections board received it. (They did.) A good resource is what the Washington Post has put together that tells you when and how you can vote in your state.

But there is a subtle difference between mail-in (which anyone in Missouri can do) and absentee (which you have to certify that you aren’t going to make it to the polls). They have different deadlines and other requirements. For my Avast blog, I got to talk directly to Trevor Timmons, the CIO for the Colorado Department of State, the agency that supervises its elections. In its June 2020 primary, more than 99% of registered voters submitted mail-in ballots. Colorado is one of those “universal” mail-in states, meaning that every registered voter will receive a mail-in ballot. You can come and vote in person, but most people don’t. You can also register and vote on election day, something only a few states have.

After I had mailed in our ballots, I had a senior moment where I thought I swapped my ballot and put it in my wife’s return envelope, and vice-versa. Timmons told me that they specifically look out for these situations and still validate both ballots: “It is a common error that takes manual intervention to resolve, but it is resolved quickly.”

What about fraud with mail-in votes? If you examine this page from the Heritage Foundation, you can see their dashboard of fraud has found 1,300 cases. That sounds like a lot but not when you compare that with the hundreds of millions of votes cast. Timmons is more worried about election security, and has put a series of measures in place, such as MFA required for all election judge since 2013), applying current software patches and using other endpoint detection tools to stop malware attacks. “We have seen ransomware incidents in some of our counties that compromised other agencies. We detected them when the attacks attempted to move to the elections boards and we were able to stop their spread.”

Meanwhile, October hasn’t been without its election systems hiccups. Voter registration systems were overwhelmed in Florida. Georgia’s electronic voting machines had some issues on the first days of early in-person voting, and Virginia’s and Pennsylvania’s online registration systems were both down thanks to a construction crew cutting a fiber cable and a systems crash in a data center, respectively.

Network Solutions blog: How Microsoft Teams Enhancements Protect Collaboration

Posted on by
Reply

As remote working has increased in popularity, better collaboration tools have become more of a necessity. Microsoft has been paying attention to this trend of course and recently announced numerous enhancements to its Teams platform. Teams has been around for more than a year and combines chat and instant messaging with video conferencing. Most of its newest features are only available on the latest version of its Windows desktop app that was released at the end of July: the web browser and Mac versions are not yet at feature parity.

If you think of Teams as just being a mind-meld between Slack and Webex, you would be underestimating what Microsoft is trying to do with this software. And with the latest update, Microsoft aims to make Teams more of the connective tissue that will bring together its various Office applications, as well as a platform that can enable better collaboration among office workers. This post for Network Solutions’ blog goes into the details.

 

CSOonline: Homomorphic encryption tools find their niche

Posted on by
Reply

Organizations are starting to take an interest in homomorphic encryption, which allows computation to be performed directly on encrypted data without requiring access to a secret key. While the technology isn’t new (it has been around for more than a decade), many of its implementations are, and most of the vendors are either startups or have only had products sold within the past few years. While it’s difficult to obtain precise pricing, most of these tools aren’t going to be cheap: Expect to spend at least six figures and sign multi-year contracts to get started.

I review the early products in this market for CSOonline, describe some of the typical use cases, and provide some suggestions on how to evaluate them for enterprise uses.

Network Solutions blog: How to Counter Darkweb Threats With Proactive Security

Posted on by
Reply

Most of us tend to think about the web as a single destination, available through our browsers on our laptops and phones. But over the years there is a much more sinister portion of the web, called the dark web that isn’t easily discoverable by traditional search engines and could contains threats to your business operations and harm your reputation. I describe this shady underbelly and what kinds of information is available there, along with suggestions of tools that you can use to be more proactive about your security such as EchoSec Beacon,  Dark Owl ScannerSixGill’s DarkfeedRecorded FutureZeroFox and Digital Shadows’ Searchlight. These tools can help to provide near real-time access to threat data that is being shared on the darkweb on a variety of discussion forums and other places, again as a way to learn about the early stages of an attack.

Read my post on Network Solutions blog here.

Avast blog: Zerologon is a Nasty Windows Server Domain bug: Patch now!

Posted on by
Reply

A new vulnerability in Windows domain controllers has been discovered by security researchers at Secura. In a published paper in September, they found the cryptographic flaw and called it Zerologon. It takes advantage of the Netlogon Remote Protocol that is used in the authentication process. All that is to exploit this flaw – and compromise a wide variety of Active Directory identity services — is a TCP-level connection to the domain controller itself. Secura published a test tool on Github that can tell you whether a domain controller is vulnerable or not. Researchers have seen evidence of its use in the wild already, which is why you want to patch your servers asap.

You can read more about this scourge on my Avast blog post.

Internet Protocol Journal: Selling my IPv4 block

Posted on by
Reply

If your company owns a block of IPv4 addresses and is interested in selling it, or if your company wants to purchase additional addresses, now may be the best time to do so. For sellers, a good reason to sell address blocks is to make money and get some use out of an old corporate asset. If your company has acquired other businesses, particularly ones that have assets from the early Internet pioneers, chances are you might already have at least one range that is gathering dust, or is underused.

So began an interesting journey for me and my range of class C addresses. It took months to figure out the right broker to list my block and to work through the many issues to prove that I actually was assigned it back in the mid 1990s. Thus began my own journey to correct this information and get it ready for resale. The process involved spending a lot of time studying the various transfer webpages at ARIN, calling their transfer hotline several times for clarifications on their process, and paying a $300 transfer fee to start things off. ARIN staff promises a 48-hour turnaround to answer e-mails, and that can stretch out the time to prepare your block if you have a lot of back-and-forth interactions, as I did.

You can read my report in the current issue of the Internet Protocol Journal here. I review some of the historical context about IPv4 address depletion, the evolution of the used address marketplace, the role of the block brokers and the steps that I took to transfer and sell my block.

Avast blog: When not to accept cookies

Posted on by
Reply

Nearly any website you visit asks you to accept cookies, and most of us don’t even think about this choice — we just click “yes” to rid ourselves from the pain of the pop-up. But what are we really agreeing to? What is a cookie, anyway? These small text files were first used in browsers back in 1994 and soon became ubiquitous. Cookies can be used for both productive and evil reasons, and I try to sort them out and show you how to avoid them.

You can read more in my blog post for Avast here.