CSOonline: How to choose the best VPN for security and privacy

Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments.

A VPN is still useful and perhaps essential to a modern mostly remote workplace. In this post for CSO, I describe these scenarios, what security researchers have found about how VPNs leak data or have other privacy issues, and what you should look for if you intend to deploy them across your enterprise.

Avast blog: Introducing important changes to credit card data security standards

The Payment Card Industry Data Security Standards (PCI DSS) organization has made a series of updates to its standards with its latest version 4.0. It contains several important improvements; perhaps the most important change is the expansion of encryption and MFA requirements to protect all accounts that have access to cardholder data. I describe these developments in my post for Avast’s blog here.

More on the Pegasus Project

Since I last wrote about the NSO Group’s Pegasus mobile spyware last summer, there have been several new developments that show just how insidious the software is and how pervasive its use around the world.

Pegasus can be placed directly onto a target’s smartphone without any user interaction and can then start tracking a phone’s location and operations. Last year a consortium of journalists revealed who was using the spyware after doing extensive forensic research on dozens of phones. This resulted in the US Commerce Department putting NSO on a block list, the DoJ beginning investigations and Apple suing the company. Then we saw two developments last December: first, Apple notified a number of US State Department employees in Uganda that their phones had been hacked. Second, Pegasus was found to have been used to track Jamal Khashoggi, and its residue was found on one of his wives’ phones.

There were other reports that the FBI had tried out Pegasus but didn’t actively use it, or at least not that anyone could prove, and that a security researcher had decompiled several code samples and documentation.

Just recently, the Citizen Lab — one of the research groups involved in last summer’s project — found more cases of Pegasus used on dozens of Catalan phones, probably at the direction of various government entities in Spain. One of the researchers found a previously-unknown iOS zero-click exploit. The more we find out about Pegasus, the more I am convinced this tool spells trouble.

Again, I want to emphasize that your chances of getting infected with Pegasus are very, very low. But it does seem to crop up frequently enough, and now in places you would not expect, since they are free, democratic countries. NSO representatives continue to maintain that they carefully vet their potential customers and say its software is intended to investigate terrorists and potential criminals. But given that its residue has been found on the phones of political figures, journalists and human rights workers, I wonder how careful this vetting process really is.

Avast blog: Yandex is causing serious data privacy concerns for mobile users

Private data could be collected from thousands of Android and iOS apps, according to security researchers. The issue revolves around Yandex, the leading search engine in Russia, and how this data might be available to Russian state agencies. In addition to being a search portal, Yandex also makes an SDK called AppMetrica, which does app usage analytics and marketing and is similar to Google’s Firebase. The SDK has been incorporated into more than 52,000 different apps, including games and messaging apps.

In this post for Avast’s blog, I provide details about the problems with this SDK and things to watch out for when you download your next app.

Avast blog: Understanding how cybercrime group FIN7 has evolved into a major ransomware player

Malware group FIN7 is once again on the move, leveraging software supply chains, remote program execution methods, and stolen credentials to deliver ransomware to enterprise networks. The group goes by several different names and is adept at using various backdoor tools to worm their way into corporate networks. You can see the various malware programs that have been attributed to FIN7 over the past two years in the diagram below from Mandiant.

You can read more about their exploits in my latest blog for Avast here.

Avast blog: New digital threats targeting backup power supply systems

Security researchers have uncovered a new series of threats targeting uninterruptible power supply (UPS) units. These threats can result in malware attacking the computers connected to the same networks through a variety of clever mechanisms.

The three threats affect most of the Smart UPS line of APC backup power supplies that are widely used by larger enterprise customers. I write about this for Avast’s blog here.

CSOonline: How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. If you don’t currently have your own SOC, you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation.

Since I first wrote this piece back in 2019, the SOC-as-a-service (SOCaaS) industry has matured to the point where the term is falling into disfavor as managed services vendors have become more integral to the practice. As cloud-based security tools have gotten better, data centers and applications have migrated there as well. Some of the services I discuss in this updated article for CSOonline call themselves SOCaaS, while others use other managed services designations. I cover what they offer and how to pick the right supplier for your particular needs.

And to help you evaluate your own SOCaaS providers, I wrote this 2019 article that outlines what you should have in your RFPs.

Avast blog: New survey shows a widespread lack of cybersecurity preparation in SMBs

A marketing firm asked 1,250 small business owners (with fewer than 500 employees) about their cybersecurity practice, and the results are pretty staggering. They largely show that most aren’t doing much to prepare for potential attacks, and for those that have done some work, it often falls far short.

Nearly half of the business owners surveyed don’t have any defensive measures in place, and a third have no protection whatsoever against cyberattacks. And fewer than a third have implemented regular data backups or made use of secured networks, two of the reasons why ransomware continues to be effective. You can read my analysis in Avast’s blog here.

Avast blog: Watch out for browser-in-the-browser attacks

A man-in-the-middle (MITM) attack consists of a victim, a website the victim would like contact with (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website with the intention to steal personal information such as login credentials, or bank account and credit card numbers. MITMs have consistently been an active development strategy for hackers.

There are several different types of these attacks, including ones that involve running software on a webpage that can infect your computer through your browser. One of them is gaining traction among attackers and is what one security researcher calls browser-in-the-browser. The idea here is that a hacker can write some JavaScript code to present a fake pop-up login window, a phishing lure designed to get you to type in your account information. Look at the two screens reproduced above: it is hard to figure out which is real and which is a threat.

I wrote about this for Avast’s blog here. One way to prevent this exploit is to use a secure browser (such as one from Avast or Brave).

CNN: The best VPNs for 2022

CNN had me review a bunch of VPN services for their Underscored site. I looked at 11 different products. I don’t have to tell you why you should use a VPN. But no product can 100% handle the trade-off among three parameters: anonymity, or the ability to move online without anyone knowing who you are; privacy, or the ability to keep your own data to yourself; and security, or to prevent your computers and phones and other gear from being compromised by a criminal. You can’t do all three completely well unless you go back to pen and paper and the Pony Express. Using a VPN will help with all three aspects, and some are better than others at balancing all three.

My two favorites were Mullvad.net and IVPN.net. Both use a novel idea to ensure that they don’t know anything about you — when you download their software, you are assigned a random string of characters that you use to identify yourself. No email necessary. If you don’t want to use your credit card, you can pay via alt-coins too. Consider this a “single-factor” authentication. That means no password is required once you have entered your code, it is unlikely that anyone can guess this code or find it on the dark web (unless you reuse it, which you shouldn’t), and there is little chance anyone could connect it back to you even if they did manage to get a hold of the code in a breach.
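The random-account-number scheme described above, as an added example written for this post (it is not code from Mullvad, IVPN or the CNN review): the number is the only credential, so it must come from a CSPRNG, and the server keeps only a keyed hash of it so that a database breach yields nothing usable. The 16-digit length and the server-side HMAC key kept outside the database are assumptions.

```python
import hashlib
import hmac
import math
import secrets

ACCOUNT_DIGITS = 16                    # assumption: 16 decimal digits per account
SERVER_KEY = secrets.token_bytes(32)   # assumption: held in a KMS/HSM, never in the DB


def generate_account_number() -> str:
    """Fresh account number from a CSPRNG: no email, no name, nothing to link back."""
    return "".join(secrets.choice("0123456789") for _ in range(ACCOUNT_DIGITS))


def entropy_bits(digits: int = ACCOUNT_DIGITS) -> float:
    """Guessing work for a uniformly random decimal number of the given length."""
    return digits * math.log2(10)      # 16 digits -> about 53 bits


def lookup_key(account_number: str) -> str:
    """Keyed hash stored as the database key; cannot be reversed or brute-forced
    offline without SERVER_KEY, so a dumped table does not expose account numbers."""
    return hmac.new(SERVER_KEY, account_number.encode(), hashlib.sha256).hexdigest()


class AccountStore:
    """Minimal server-side store: keyed hashes plus subscription data, never the number."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enroll(self, days_paid: int = 30) -> str:
        number = generate_account_number()
        self._records[lookup_key(number)] = {"days_paid": days_paid}
        return number                  # shown to the user once; the plaintext is forgotten

    def authenticate(self, candidate: str) -> bool:
        # Reject malformed input before doing any keyed hashing.
        if len(candidate) != ACCOUNT_DIGITS or not candidate.isdigit():
            return False
        return lookup_key(candidate) in self._records

    def breach_view(self) -> str:
        """What an attacker sees after dumping the table: only HMAC outputs."""
        return repr(self._records)
```

Online guessing of a 53-bit code still needs rate limiting at the login endpoint; the keyed hash only protects the stored copy.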

Neither vendor has the largest server network (that title is shared by Hotspot Shield, Private Internet Access, ExpressVPN and CyberGhost). But each of those is owned by a corporate entity that plays fast and loose with your private data (Aura and Kape Technologies). If you want to spend more time understanding the privacy issues, check out Yael Grauer’s excellent analysis for Consumer Reports Digital Lab here.

Not on my recommended list is the VPN that I have been using for the past several years — ProtonVPN (shown above). I am of two minds here. On the plus side, I have a fond spot in my nerd heart for Proton, the Swiss company that was an early proponent of encrypted email. But the VPN product is slower, more expensive, harder to use and more of an “OG” VPN that requires emails and credit cards to subscribe. Yael’s report also mentions some privacy difficulties with the service, as well as those well-advertised services mentioned above that have leaked data or aren’t as transparent as they claim to be.

If you leave home, you need to run some kind of VPN. Period.