By now you have heard about the latest Facebook data breach that exposed private data from more than 500M accounts. You can follow the steps in my latest blog post for Avast here, which walks you through what you need to do to enable two-factor authentication on your accounts.
Unfortunately, Facebook (and Google) don’t make authentication particularly easy. And to make matters worse, both companies have the habit of changing their menu options to confound even those who have done it previously. My recommendation is to use a web browser, rather than mobile apps, for these activities. This is because you’ll want the additional screen real estate and some of the options are more difficult to find in mobile apps.
Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications. The overarching goal of identity management is to grant access to the enterprise assets that users and devices have rights to in a given context. That includes onboarding users and systems, permission authorizations, and the offboarding of users and devices in a timely manner.
However, part of the problem is the users and their love/hate affair with their passwords. We all have too many passwords, which makes the temptation to share them across logins – and the resulting security implications – an issue.
You can read my post for CSOonline here.
Ransomware continues to be a blight across the landscape and has gotten new life thanks to the pandemic and a growing collection of capabilities that make malware operators more potent. Neither the use of cloud computing (what is somewhat mistakenly called ransomware-as-a-service or RaaS) nor extortion techniques are new, but they are being deployed more often and in more clever and targeted ways than ever before. This has brought a rise in overall ransom attacks and in demanded payouts. One report has average ransom demands increasing by a third since Q3 2019.
In this blog post for Avast, I describe what RaaS is and how it is being exploited by the Darkside crime group.
If you are compromised by Darkside, there is this decryptor tool available. Suggestions (as with other ransomware preparation): ensure your backups are intact and accurate, intensify phishing awareness and education, and lock down your accounts with MFA.
It has been a bonus year for cyber criminals. The FBI’s Internet Crime Complaint Center (IC3) received nearly 800,000 complaints about cybercrime last year, a jump of more than two-thirds over what was seen in 2019. About a third of these complaints are from phishing attacks. The report, produced each year, summarizes data submitted by the general public and businesses through its website portal. Losses attributable to these complaints were calculated at over $4 billion, the most ever seen in one of these reports.
In my blog post for Avast, I summarize what was reported to the IC3 in the past year and suggest some simple strategies that individuals and businesses can take to prevent these attacks.
It has been one of the first things that most remote workers learn: use a Virtual Private Network (VPN) to connect your laptop when you aren’t in the office. And given that many of us haven’t set foot in our offices for months, using a VPN is now ingrained in our daily computer usage. But as VPNs have gotten popular, they are also getting harder to keep secure. Various reports document that private data from 20M users, including email passwords and home addresses, has been leaked because of poorly implemented VPNs.
In this post for Network Solutions’ blog, I discuss ways to prevent data leaks from happening and to better secure your VPNs, along with links to the most trusted reviewers of these products.
The not-so-dirty secret about web browsers is that browser extensions can be a major security weakness. But the problem with extensions deserves further treatment, especially as they can combine some very clever supply chain and obfuscation methods that make these kinds of attacks harder to detect and defend against. These extensions are powerful tools: they have the same ability as your user account to obtain read/write access to any data in any browsing session you bring up, which makes exploiting them a big issue. Many extensions don’t require any special permissions to run on your computer or phone.
I write about how extensions can be exploited and what you can do to protect yourself in my latest post for Avast’s blog here.
Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues. But the good news is that there are several US states which are on track to pass new data privacy laws during 2021. Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed in my latest blog for Avast here. This could make 2021 the year that privacy laws become more pervasive in the US.
We all got an update on the quality of deepfake videos last week with the popularity of a set of videos of “DeepTomCruise” on TikTok. I have been keeping track of these videos, created by various computer programs, and last wrote about them for Avast here. It doesn’t take too much imagination to see how this technology can be exploited, but lately there are some positive things to say about deepfake vids. Let’s go to Korean TV, covered by this story in the BBC.
The announcer shown in the screen grab above is supposed to be the anchor Kim Joo-Ha, one of the regulars on the MBN channel. It looks pretty ordinary. But she was replaced by a computer program that generated a digital copy that mimicked her facial expressions, voice and gestures. Now, before you get all in a twist, viewers were told ahead of time that this wasn’t the real Kim and the network was using it as a test. One place that deepfakes could be useful is during real breaking news reports where they have to put someone on air quickly (as opposed to what American cable news calls breaking news).
Deepfake videos are increasingly being used for legitimate purposes, such as by Synthesia, a London-based firm that creates corporate training videos. The tech can be useful and cut production costs significantly if you are trying to produce a series in different languages and don’t want to hire native speakers. USC’s Shoah Foundation has produced a series of deepfake video interviews of Holocaust survivors, and the public can ask questions of the survivors and get their answers in real-time — all assembled by computers from hours of videotaped interviews.
The issue is the negative taint that has been part of the deepfakes. In my post for Avast, I mentioned four different categories, including porn, misinformation campaigns, evidence tampering and just plain fraud. Clearly, that is a lot of tempting places for criminals to use them. So we have some work ahead to swing to more legitimate uses.
Also an issue: who owns the rights to the person that is depicted, particularly if the person is no longer alive? This calls for some truth in labelling, so that viewers — like in the Korean example cited above — know the exact situation.
One of the long-time FIDO supporters gave testimony to its biggest benefits at the recent Authentication 2020 conference. The speaker was Marcio Mello, who is the head of Product for Intuit’s identity and profile platform. The benefits are saving money and time when users have to log in to their SaaS financial offerings from Intuit, a company that has been interested in FIDO for years.
You can read more on my post for Nok Nok’s blog here.
Yesterday Google announced that they will completely eliminate third-party browser cookies. Calling it a move towards a more privacy-first web, as their director of product management who wrote the post claimed, is a bit of a misnomer. Yes, they will phase out tracking these cookies on their Chrome browser. But they will still track what you do on your mobile phone, especially an Android phone, and track what you do on their own websites, including YouTube and its main search page. And they will still target the ads that you see from these activities.
The announcement was expected: last year they announced their plan to de-cookiefy their browser. They basically had to — Safari and Firefox have blocked these cookies for years, so it was high time Google got on board this train. They have come up with a variety of technologies and tools that sound good at first blush, but I am not sure that these replacements are better, especially for preserving privacy. One of them is called the Privacy Sandbox. Now, sandboxes have certain implications, especially for security researchers. The goal is to limit who can view what is going on inside the sandbox, and more importantly, who can’t. It seems that smaller advertisers will have to find some other place to play, but the big guys will still have the means to figure out who you are and more importantly, what you are interested in, to target their advertising. Vox’s Recode says that “Google will still technically deliver targeted ads to you, but it will do so in a more anonymous and less creepy way.”
Firefox has a better idea: to limit the reach of cookies to just the website that places them on your hard drive. They call it Total Cookie Protection and you can follow the links on their blog to understand more of the details. It does seem to eliminate web tracking cookies, but we’ll see as they roll it out across their browsers.
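To make the mechanism concrete, here is a small added model (not code from the original post or from Mozilla) of the difference between a single shared cookie jar and one partitioned by the top-level site the user is visiting, which is the idea behind confining a cookie to the site that placed it. The domain names, cookie names and values are constructed for the illustration; a real browser keys its partitions on the registrable domain and also handles expiry, paths and the SameSite attribute, none of which this toy models.

```javascript
// Added example: a toy cookie store that can run either as one shared jar
// (the classic third-party cookie model) or partitioned by top-level site.
// All hostnames and values below are constructed for the illustration.
class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map(); // partition key -> Map(cookieName -> value)
  }

  // topLevelSite: the site in the address bar; host: the origin that sets or
  // reads the cookie (a first party, or an embedded third-party tracker).
  key(topLevelSite, host) {
    return this.partitioned ? `${topLevelSite}|${host}` : host;
  }

  set(topLevelSite, host, name, value) {
    const k = this.key(topLevelSite, host);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(topLevelSite, host, name) {
    const jar = this.store.get(this.key(topLevelSite, host));
    return jar ? (jar.get(name) ?? null) : null;
  }
}

// Simulates a tracker embedded on two unrelated sites and reports whether the
// identifier it set on the first site is visible to it on the second one.
function simulateTracking(partitioned) {
  const jar = new CookieJar({ partitioned });
  const tracker = 'tracker.example'; // constructed third-party host

  // Visit news.example: the embedded tracker drops an identifier cookie.
  jar.set('news.example', tracker, 'uid', 'abc123');

  // Visit shop.example: the same embedded tracker tries to read it back.
  const idSeenOnShop = jar.get('shop.example', tracker, 'uid');

  // Revisit news.example: the tracker can still see its own cookie there,
  // so per-site functionality that legitimately relies on cookies keeps working.
  const idSeenOnNewsAgain = jar.get('news.example', tracker, 'uid');

  // First-party cookies are unaffected in either mode.
  jar.set('shop.example', 'shop.example', 'session', 's-1');
  const firstPartyWorks = jar.get('shop.example', 'shop.example', 'session') === 's-1';

  return { idSeenOnShop, idSeenOnNewsAgain, firstPartyWorks };
}

// Shared jar: the tracker links the two visits. Partitioned jar: it cannot.
console.log('shared     ', simulateTracking(false));
console.log('partitioned', simulateTracking(true));
```

Run with `node` on any recent release. The partitioned run still returns the identifier when the tracker is read back on news.example, which is the point: the cookie keeps working for the site that placed it, but it no longer follows the user to shop.example.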
In the meantime, if you use any Google products, go to your Google Account and review the numerous personalization settings you have at your disposal to rid yourself of tracking, including their activity controls, ad personalization, and recorded activity history. And if you are using an iOS phone or tablet, make sure you update to iOS v14 and enable the ability to block cross-app tracking.