CNN: The best VPNs for 2022

CNN had me review a bunch of VPN services for their Underscored site. I looked at 11 different products. I don’t have to tell you why you should use a VPN. But no product can 100% handle the trade-off among three parameters: anonymity, or the ability to move online without anyone knowing who you are; privacy, or the ability to keep your own data to yourself; and security, or the ability to prevent your computers, phones and other gear from being compromised by a criminal. You can’t do all three completely well unless you go back to pen and paper and the Pony Express. Using a VPN will help with all three aspects, and some are better than others at balancing all three.

My two favorites were Mullvad.net and IVPN.net. Both use a novel idea to ensure that they don’t know anything about you — when you download their software, you are assigned a random string of characters that you use to identify yourself. No email necessary. If you don’t want to use your credit card, you can pay via alt-coins too. Consider this a “single-factor” authentication. That means no password is required once you have entered your code, it is unlikely that anyone can guess this code or find it on the dark web (unless you reuse it, which you shouldn’t), and there is little chance anyone could connect it back to you even if they did manage to get a hold of the code in a breach.

Neither vendor has one of the largest server networks (that title is shared by Hotspot Shield, Private Internet Access, ExpressVPN and CyberGhost). But each of those is owned by a corporate entity that plays fast and loose with your private data (Aura and Kape Technologies). If you want to spend more time understanding the privacy issues, check out Yael Grauer’s excellent analysis for Consumer Reports Digital Lab here.

Not on my recommended list is the VPN that I have been using for the past several years — ProtonVPN (shown above). I am of two minds here. On the plus side, I have a fond spot in my nerd heart for Proton, the Swiss company that was an early proponent of encrypted email. But the VPN product is slower, more expensive, harder to use and more of an “OG” VPN that requires emails and credit cards to subscribe. Yael’s report also mentions some privacy difficulties with the service, as well as those well-advertised services mentioned above that have leaked data or aren’t as transparent as they claim to be.

If you leave home, you need to run some kind of VPN. Period.

Linode: How to Build an Information Security Risk Management Program

Understanding and quantifying information security risks lies at the heart of many security issues. If you can’t quantify risks, you can’t address how to protect your data assets, corporate secrets, and employees’ and customers’ privacy and information. Managing these risks and improving security is everyone’s responsibility, not just the province of the IT department. Businesses are moving in this direction in part because of the Covid pandemic, and also because more companies are becoming dependent on digital technologies, thus increasing their potential attack surface. More sophisticated attack methods make the world of security risk management more complex and important to understand.

In this post for Linode, I describe what Information Security Risk Management is, why it matters for businesses, how to develop an appropriate plan (such as the suggestions from a recent Dragos report shown above) and get management buy-in, and why you should conduct periodic risk assessments.

CSOonline: Top tools and best practices for WordPress security (2022)

If you run a WordPress website, you need to get serious about keeping it as secure as possible. WordPress continues to be a widespread target for hackers. There have been numerous breaches over the years and WordPress has become more popular with both its customers and hackers. I have been using it as my main blogging platform for more than a decade, and secure it with free versions of Wordfence and MiniOrange MFA tools. In my updated post that I originally wrote for CSOonline several years ago, I examine what has changed and why you need to be deliberate and serious about securing your blog.

Avast blog:

US President Joe Biden recently issued an executive order that will oversee various cryptocurrency efforts, including a study of whether there should be a virtual dollar-based cryptocoin, the efficacy of various future banking regulations for the Federal Reserve, and the roles for executive agencies including Treasury, Justice and Homeland Security on how to best manage crypto markets. Additionally, those of you who have already begun doing your US federal taxes might have noticed that the IRS now wants you to document your crypto holdings for the past year.

These moves show that crypto is moving quickly into the mainstream. And with mainstream acceptance also comes the criminal element. Cryptocurrency-based crime hit new levels last year, doubling the amount collected from 2020 to $14 billion. According to a new report by Chainalysis, 2021 criminal crypto transaction volumes skyrocketed by more than six times what was seen in 2020. In this post for Avast, I explore some of the other trends in crypto crime, its intersection with ransomware, and what law enforcement is doing to stop it.

Avast blog: Tips for securing your WordPress website

Last November, more than 1 million GoDaddy-managed WordPress customers were part of a breach that could have exposed their email addresses, private SSL keys, and admin passwords. The attacker was apparently able to operate undetected inside their networks for two whole months. This is just one data point in a long history of past exploits, because WordPress has been a very rich and desirable target. There are numerous things you can do to protect your site, including using two tools that I have been using (Wordfence and MiniOrange, shown here).

You can read more about how to secure your WordPress site on Avast’s blog. If this is a new topic for you, you shouldn’t operate WordPress without making use of these steps — even if you gradually add in individual security measures one by one.

Avast blog: A 2022 update on data privacy legislation

Last year, Mississippi didn’t pass its privacy bill and more than a dozen states had bills that are still under consideration. Iowa, Indiana, and Oklahoma are all in the process of moving various privacy bills through their legislatures, and several other states have begun to consider new laws. Also, seven states are considering biometric information privacy legislation.

The most comprehensive source remains the above annotated map from Husch Blackwell, which will link you to each state’s legislation. If you are looking for more analysis, this page from the National Conference of State Legislatures has more contextual explanations.

In my latest post for Avast, I review some of the recent developments and further refinements on the three states that have enacted privacy legislation — California, Colorado and Virginia.

An open letter to Gov. Mike Parson

Several months ago, our governor began an attack on Josh Renaud, a reporter for our local newspaper, the St. Louis Post-Dispatch, over an article he wrote about a vulnerability he found in a state website. Since then there has been plenty of coverage by the paper, including the latest events this week showing the governor’s efforts were wrong, misplaced, and counter-productive. (Brian Krebs also covered it this week.) I exchanged some email with Renaud, and he suggested I use my platform to explain my POV and shed some light on what happened. So here goes a letter that I will also send to Parson.

Dear Governor Parson:

The hardest thing about being a great leader is to admit you made a mistake. I am writing to try to convince you that your course of action in trying to prosecute Josh Renaud and the St. Louis Post-Dispatch is not just wrong-headed but is taking our state down a dangerous path.

As a computer security technologist and reporter, here is my perspective. First, the state education website that was identified by Renaud had major security weaknesses as it was originally constructed, because it could easily reveal Social Security numbers. The recent police report documents that these weaknesses had been in place for a decade, since the site was constructed. Renaud was actually doing the state a favor by identifying this weakness, and the agency was given time to fix this vulnerability before the Post was going to publish his story. Think of it as building a house without a proper foundation.

Second, the county prosecutor was doing the right thing by declining prosecution. There was no crime committed by anyone here, which was further corroborated by the police investigation.

Third, by continuing to refer to the vulnerability as a hack you don’t really understand the nature of either the vulnerability or what hackers or journalists do. The best way for the state to “continue to work to ensure [data] safeguards and prevent unauthorized hacks,” as your office stated, is for journalists and other third parties to uncover these vulnerabilities so that bad actors can’t take advantage of them. As the state agency recently stated, Renaud accessed “open public data” that would be available to anyone.

Your statements about “hacking” are where you do more harm to the state – both perceptually in the greater computer security community and also in terms of journalists who are trying to report on these vulnerabilities in the future. By using the power of your office to promote these sham investigations, you also make it more difficult for journalists and security researchers to do their jobs in the future when they find other computer security vulnerabilities. As others have already mentioned, numerous tech companies have “bug bounty” programs in place to encourage researchers to find exactly the kind of vulnerabilities that Renaud found, and they gladly pay them too!

Renaud could have published his story prior to the state’s fixing the vulnerability. But he tried to work with the state agency to fix the problem he found. He acted responsibly and honorably. It is time to admit your mistakes in both your language and intent and thank him for protecting the data of our citizens.

CSOonline: Understanding risk-based authentication

The last time I bought a suit was several years ago, in advance of my daughter’s wedding. Back in the 80s and perhaps 90s, I would wear a suit whenever I travelled or spoke at a conference. These days, not so much on either travel or suit-wearing. I actually bought two suits (whadda deal!) and I was pretty happy with the process until it came time to pay. My credit card was immediately declined. I certainly had plenty of credit limit (I think the total purchase was about $1000) but the algorithms used by my bank kicked back the transaction because it had been ages since I last bought a suit, or bought anything at a retail store for that amount of money.

This process of questioning my transaction is called risk-based authentication (RBA), and it has become quite common, particularly as criminals get better at compromising our accounts and as we continue to reuse our banking passwords that get phished and posted across the dark web. The banks have gotten better at investing in this tech so as not to raise many false positive flags (such as my suit purchase), and their decisions are based on all sorts of factors. In my case, I probably still would have been challenged because I was at a location not close to my home and in a store that I hadn’t been in before. But RBA can incorporate all sorts of other factors: the hardware you are using on your phone (if that is involved in the transaction), whether your typing cadence has changed (a sign that someone else is using your computer or a clone of your phone number), a pattern of multiple purchases made earlier that day, or “impossible travel,” where the same login credentials are used from IP addresses located at great distances from one another (of course, you have to be careful that someone isn’t simply using a VPN here).

Speaking of impossible travel, back when I did travel internationally I had to remember to log in to my banks and tell them where I was going. One time I forgot and my credit card dinner purchase was declined. Now most banks don’t need you to do this, thanks to better RBA.
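As an added illustration (not code from the CSOonline story or from any vendor named here), this Python sketch runs the impossible-travel comparison described above over a handful of constructed login records, and shows the VPN caveat by tagging any finding that involves an address range labelled as a VPN exit. The coordinates, IP addresses and that VPN range are all assumed sample data.

```python
# Added example: an "impossible travel" check of the kind an RBA engine runs
# over successful logins. Events, coordinates and the VPN range are constructed.
from collections import namedtuple
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; faster than this is "impossible"
EARTH_RADIUS_KM = 6371.0
# Constructed: a range the risk engine has labelled as a commercial VPN exit.
KNOWN_VPN_RANGES = [ip_network("203.0.113.0/24")]
Login = namedtuple("Login", "user when ip lat lon")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def is_vpn_exit(ip):
    return any(ip_address(ip) in net for net in KNOWN_VPN_RANGES)

def impossible_travel(events):
    """Compare each user's consecutive logins; return (user, earlier_ip,
    later_ip, implied_kmh, via_vpn) when implied speed > MAX_PLAUSIBLE_KMH.
    VPN exits are reported but tagged: the exit's geolocation is not the user's."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600 or 1e-9  # same-second guard
            kmh = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon) / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                via_vpn = is_vpn_exit(prev.ip) or is_vpn_exit(ev.ip)
                findings.append((ev.user, prev.ip, ev.ip, round(kmh), via_vpn))
        last[ev.user] = ev
    return findings

def ts(h, m=0):
    return datetime(2022, 3, 1, h, m, tzinfo=timezone.utc)

SAMPLE_LOGINS = [  # constructed: St. Louis, then London / Frankfurt (VPN) / Chicago
    Login("alice", ts(9), "198.51.100.7", 38.63, -90.20),
    Login("alice", ts(10), "192.0.2.44", 51.51, -0.13),      # London an hour later
    Login("bob", ts(9), "198.51.100.9", 38.63, -90.20),
    Login("bob", ts(9, 30), "203.0.113.5", 50.11, 8.68),     # Frankfurt, from VPN exit
    Login("carol", ts(9), "198.51.100.3", 38.63, -90.20),
    Login("carol", ts(12), "198.51.100.3", 41.88, -87.63),   # Chicago, a plausible drive
]
```

Running `impossible_travel(SAMPLE_LOGINS)` flags alice and bob but not carol, with bob's finding tagged as involving a VPN exit so an analyst treats it as a weaker signal.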

The three credit bureaus (Experian, Equifax and TransUnion) have all bought various RBA vendors over the years (41st Parameter, Kount and Iovation, respectively). Both LexisNexis and Mastercard have their own RBA tech too (ThreatMetrix and NuData Security). What is interesting about this group is that they handle millions of financial transactions each day, or each hour, so they can spot fraud trends more quickly. RBA has quickly grown from some wonky security tech into the mainstream precisely for this reason.

This week I wrote a story for CSOonline where I take a closer look at 12 different RBA vendors’ offerings. I have studied these products for years, and am glad to see continued progress in their features and usability. One example is the latest offering from Ping Identity, called PingOne DaVinci. This is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

Avast blog: Avoid fake Windows 11 offers with these tips

If you’ve recently received an email recommending that you upgrade to Windows 12, you probably had enough spidey-sense to delete it. You should realize this is a fake or a come-on for some piece of malware that was about to infect your computer. But what about if you got a message asking you to upgrade to Windows 11? Security researchers have tracked a malicious campaign that made use of a legitimate-sounding “windows-upgraded” domain (don’t worry, it has been neutralized since) which was used to spread RedLine Stealer malware by running a fake installer.

In my blog post for Avast, I describe the scam and ways you can check to make sure you are downloading the legit Win11 upgrade package.

Avast blog: How the IRS can do better with its digital identity program

The US tax collection agency, the Internal Revenue Service (IRS), has changed course with its short-lived identity verification system that was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer.

This week, things came to a head and the IRS decided to ditch its ID.me solution. I describe the chain of events, why ID.me was such a lightning rod, and some ways the agency can gain traction and show leadership in the decentralized identity space in my latest blog for Avast here.