What color are your patch cables

(With apologies to Richard Bolles)

I was reading through my Twitter and came across this idea, taken from real life experiences of operations managers. The idea is to have an enterprise network-wide kill switch that can disconnect you from the internet and shut everything down as quickly as possible, in case of various emergencies.

Remember a common scene in many movies where the bomb squad comes in and tries to disarm the weapon? Armed with nothing more than a pair of wire cutters, they have to find the (always it seems) red wires and cut them just before the countdown clock reaches zero, while the dramatic musical score swells to a nail-biting crescendo.

So here is one suggestion: Use red patch cords in the networking closet and other critical locations to indicate the actual cables needed to be yanked in case of cyber emergency. Better yet, document their locations in your incident playbooks and other places where you have your network documentation. (That assumes your documentation is actually up to date with the reality of your cable and server plant, which isn’t always a safe assumption. Here you can see a memorable pic of the time I visited one of CheckPoint’s labs and the sad state of this particular wiring closet.)

Now, in real life, things aren’t so simple. There are various dependencies among your equipment, and chances are just pulling the cables may cause more damage than it solves — depending on the particular emergency you are responding to. And as I wrote in that blog linked above, taking  documentation seriously means keeping up in near-real-time with any changes to your network and applications infrastructure, otherwise it quickly becomes useless.

Happy holidays for those of you so celebrating.

Avast blog: New deepfake video effort discovered

Since I wrote about the creation and weaponization of deepfake videos back in October 2020, the situation has worsened. Earlier this month, several European mayors received video calls from Vitali Klitschko, the mayor of Kyiv. These calls turned out to be impersonations (can you tell which image above is real and which isn’t?), generated by tricksters. The mayor of Berlin, Franziska Giffey, was one such recipient and told reporters that the person on these calls looked and sounded like Klitschko, but he wasn’t an actual participant. When Berlin authorities checked with their ambassador, they were told Klitschko wasn’t calling her. Fake calls to other mayors around Europe have since been found by reporters.

Were these calls deepfakes? Hard to say for sure. I cover the issues and update you on the advances, if you can call them that, about deepfake tech for my Avast blog today.


Avast blog: RSocks criminal botnet taken down

Last week, the US Department of Justice announced the takedown of Russian IoT botnet and proxy service for hire RSocks. Working with various European law enforcement agencies, the FBI used undercover purchases of the site’s services to map out its infrastructure and operations. RSocks compromised its victims by brute forcing attacks on various IoT devices as well as smartphones and computers.

You can read my latest Avast blog post about RSocks here.

Avast blog: How the US government deals with zero-days

While withholding a zero-day’s existence can provide some government advantage, it can potentially harm the rest of us and break many elements of the global internet if vulnerabilities aren’t disclosed and patched.

By now, you probably know what a zero-day vulnerability is: In simple terms, it’s the discovery Lindsey Polley, PhDof software and hardware coding errors that can be exploited by attackers. Some of these errors are found by government researchers, intentionally looking for ways into foreign agency networks to spy on their enemies. Sometimes, our governments and even some private companies keep deliberately mum about these vulnerabilities for many years.

I had an opportunity to interview Lindsey Polley and how she is trying to improve our government’s response to managing its zero-days for my Avast blog.

Apple’s new privacy push

Have you seen this new TV spot from Apple called “Data Auction”? It is really bugging me. I must have seen it about 50 times on various streaming services. While it does a great job of showing how your personal information is being traded by data brokers, it takes tremendous license with its visual elements and how its iOS operating system actually works.

Apple has been improving its privacy protection over the past several years, so I give them some props for trying. But unless you are determined and really patient, fixing your phone (or other fruit-filled device) up the way you’d like it to preserve your privacy isn’t simple, and chances are you’ll probably get it wrong on the first try.

Apple’s commercial touts new features that they have added to iOS over the past couple of years: the ability to prevent third-party apps and advertisers from tracking your movements, including across your app portfolio, browsing and through using its Mail app. They both can eventually be found in the Settings/Privacy/Tracking screens. As we watch our hapless actor “Ellie” wander into her data auction, she fortunately has her iPhone at hand and is able to zap the auction audience into smoke with the press of A Single Button. Too bad that isn’t the actual iOS interface, which has a very confusingly labeled slider “Allow Apps to Request to Track” that should be off if you want to do the same thing (data oblivion). There is another button that Ellie used to rid her emails of trackers.

Okay, it is a very effective commercial. And I am glad that Apple has taken this approach to help users’ privacy. But why not use the actual UI? And better yet, why not hide it three menus deep where few can find it?

Apple has some interesting developments for iOS 16 that will be out later this fall, including one called “Safety Check” that Elllie will really love, especially if she has an abusive partner or a cyber stalker. Maybe if they use the same actor we can get a more faithful representation of what real users will have to do.

Have you hired a North Korean full stack developer?

Chances are unlikely. But what is really scary is that it could have already happened, and you just didn’t realize it. A report from various US federal agencies was published a few weeks ago, offering guidance on IT workers who are trying to get a job in your company while posing as non-North Koreans. You probably already know that the country has trained thousands of workers in various IT disciplines to generate revenue for the government. In the past, these efforts have mostly involved developing malware (such as this notice from CISA about targeting blockchain companies) and launching ransomware attacks. But lately they have turned to a new ploy: creating credible resumes for job seeking candidates that will get hired and help to launch attacks from within the company. Thanks to the pandemic and an increase in remote work, this has become a real risk.

While many of the candidates were immediately found lacking (one hiring manager said it was obvious they didn’t have the right knowledge or skills), still this notice gives me pause. It is the ultimate supply chain attack, because it is aimed at the growing shortage of full-stack and other agile developers. The feds report that thousands of them are taking on IT contracts all over the world, with many of them in North Korea, Russia and China. At salaries of US$300,000 or more, that can generate a lot of income for North Korea — the individual IT workers of course see little of those funds. The candidates possess remarkable skills in a wide variety of disciplines, such as mobile app development, AI-related apps, and database development.

Of course, if one of these phonies is actually hired, their firm can face all sorts of legal and financial penalties, given the numerous sanctions that have been created to prevent any kind of trade with North Korea. In many cases, firms downplay this threat, thinking that North Korean IT workers aren’t that sophisticated. The government report disagrees and sounds a clear warning.

The report has numerous ways you can tell you are dealing with a bad actor, and I use the term both literally and in the cyber sense. For example, the candidates have too-good-to-be-true reviews on the hiring websites, and the reviews collected in a very short time period. Their “extensive” knowledge doesn’t hold up under questioning (of course, this means you have to be prepared to vet them carefully with the right questions) and have long latencies in their video conferencing calls that don’t match their stated location — many candidates will claim a US college or technical degree and US residency. Just considering three of North Korea’s top schools, more than 30,000 students are currently studying various IT topics, and there are now more than 85 programs in 30 schools offering various STEM curricula.

North Korean “IT workers may share access to virtual infrastructure, facilitate sales of data stolen by North Korean cyber actors, or assist with their country’s money laundering and virtual currency transfers,” says the report. They hide their true identity behind third-party shell companies, or play the role of a subcontractor to a legitimate company. They are proficient in English and Chinese, although not as proficient if you know what to listen for to ferret out their accents. They make use of forged or stolen identity documents, using the names of actual employees and email addresses that appear to be from a Western business domain. They construct phony portfolio websites that don’t usually stand up to scrutiny. The trick is to provide the actual scrutiny during the interview process.

The report lists other “tells” and red flag warnings, such as using a non-standard remote desktop software tool or a low proportion of accepted bids on projects or referencing non-functioning websites. Of course, if someone were to vet my previously published work, you would find some similarities to the numerous dead B2B IT websites that I wrote for in the 1990s, but let’s not go there for now.

DPRK-Vertical-PosterTo mitigate and properly vet these phonies, the report authors suggest that all identity documents be carefully scrutinized and verified independently, and any low-res versions rejected. Video interviews showing the candidate should be conducted carefully, and the candidates also questioned carefully. Employers should conduct background checks, verify education directly with the college and avoid making any virtual currency payments and verify banking accounts. The DoJ has its “rewards for justice website” (shown above) where you can submit a tip and perhaps claim a substantial reward.

Avast blog: Key takeaways from Verizon’s 2022 DBIR

It’s time for the annual Verizon Data Breach Investigation Report (DBIR), a compendium of cybersecurity and malware trends that offers some of the best analyses in our field. It examines more than 5,000 data breaches collected from 80 partners from around the world. This year’s DBIR offers practical advice on improving your security posture and tips for making yourself much less of a target. From the SolarWinds attack to the growth in ransomware, there is a lot to discuss.

As shown above, we’re patching more and we’re patching faster. And we are generally getting better at detecting attacks in a timely manner.

Network World: New ways enterprises can use VPNs

The pandemic has accelerated the development of better ways to serve and secure remote workers, which make it a good time to re-examine VPNs. Recently VPNs have received technical boosts with the addition of protocol options that improve functionality far ahead of where they were when first invented. At the same time, new security architectures zero trust network access (ZTNA), secure access service edge (SASE), and security service edge (SSE) are making inroads into what had been the domain of remote-access VPNs.

In my latest post for Network World, I talk about ways that VPNs can complete ZTNA.

Avast blog: How license plate scanners challenge our data privacy

A security camera at one of ...As more communities install automated license plate readers (APLRs) to monitor vehicle traffic, there are growing concerns about the privacy and efficacy of these tools. Stories have appeared in local newspapers, such as those in St. LouisLouisville and Akron that document the rapid rise of Flock license plate camera data and how it can be a central source of vehicle movements.

These stories highlight some of the privacy implications of APLRs and also recall some of the same issues with the growth of other massive private data collections. In my latest blog for Avast, I describe what’s going with these APLR systems, some of the issues raised by privacy advocates, and how they compare with the DNA/genetic testing data collections.



Avast blog: How to defeat social engineering attacks

ImageIf you have heard of the process of social engineering, the ability of a hacker to trick you into divulging your private details, then you might have come across ethical hacker Rachel Tobac. She’s the CEO of SocialProof Security and board member of Women in Security and Privacy. I virtually attended one of her more recent talks, during which she explained her craft and gave some suggestions on how we all can improve our personal security and make her job more difficult.

Tobac has carried out some notable security stunts in the past, such as live hacking a CNN report’s accounts and stealing his airline points. “I hack so people can understand how hackers think and hopefully you will avoid these mistakes,” she told her audience.

You can read more about her talk — and how to harden your own defenses against social engineering attacks — in my latest blog for Avast here. And if you want to watch a great documentary about the teens behind the 2020 Twitter hack, you can find it streaming on Hulu here,