Avast blog: Fighting stalkerware

Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic violence abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.

The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.

Avast blog: The report from the third CyberSec&AI conference

Last week, the third annual CyberSec&AI Connected was held virtually. There were many sessions that combined academic and industry researchers along with leaders from Avast to explore the intersection of security and privacy and how AI and machine learning (ML) fit into both arenas. The conference strives to deepen the ties between academia and industry and this report for Avast’s blog dives into new and exciting work being done in various fields.

One of the speakers was Dawn Song, a computer science professor at the University of California at Berkeley. She outlined a four-part framework for responsible data use by AI that includes:

  • Secure computing platforms, such as the Keystone open source secure processor hardware,
  • Federated learning, whereby one’s data stays under their control,
  • Differential privacy, using tools such as the Duet programming language and public data sets such as the Enron email collection, and
  • Distributed ledgers that can have immutable logs to help guarantee security.

Fighting ransomware will require numerous efforts

Ransomware attacks are becoming more numerous and dangerous. According to a recent conference of European law enforcement agencies, ransomware activities have generated $350 million in 2020, a 311% increase from 2019. The site tracks payments and shows more than $45 million in payouts for the first half of 2021, based on public records of the various ransom blockchain transactions and victim reports. 

A Twitter thread by security researcher Ming Zhao shows the depth of the ransomware marketplace and the variety of actors. The flow of funds from victims to criminals, how their attacks have grown, and how the price of cryptocurrency has influenced their actions are revealed in the thread. 

As remote work continues and expands, better ways to secure workers’ connections to and from the organization’s data, both in the cloud and on-premises, are necessary. The risks are further compounded by the all-too-human inclination of remote workers to give priority to completing tasks over security best practices. It is possible for an employee, for example, to reuse the same password for online shopping and for access to critical corporate data from a home office connection. Even among more tech-savvy users who should know better, a software deployment might contain vulnerable code because the development team opted to meet a deadline while forgoing proper security checks before putting the application into production.

For these remote data-access risks, VPNs don’t cut it anymore. They are based on the incorrect assumption that both sides of the VPN tunnel are secure. Since the pandemic began, more corporate workflows traverse the general Internet where they can be more easily compromised. Anyone in an organization can become a target because attackers are looking for weak points in IT infrastructure. 

Added to these trends, Ransomware-as-a-Service operations have become popular. They make ransomware easier to deploy and more lucrative to operate. And it isn’t just business networks that attract attackers. Internet-of-Things (IoT) devices (such as Nest thermostats and connected TVs) and industrial-control systems are targets, too.

Attackers have gone a step further by compromising supply chains. This is what happened to software from SolarWinds and, more recently, with Kaseya VSA. Ransomware attackers now combine the initial encryption attack with follow-up threats to post data stolen from their targets. Security-services provider Emsisoft reported in a survey that 11% of ransomware attacks involved data theft during the first half of 2020, a number that continues to rise in 2021.

The feds are trying to stem this tide, what with a variety of executive orders, a two-day international conclave held last month, and the latest attempt to arrest one of the Russian hackers involved in the Kaseya attack. Oddly, REvil, one of the most pernicious of these hacking groups, took down its infrastructure in July. We say odd because no one knows the cause or the details behind the takedown. Whether or not these efforts bear fruit, taken together, they show that fighting ransomware will require many different initiatives and methods at various regulatory levels. This, combined with a variety of protective technologies and tools, will require careful attention to all details across the entire organization and the entire network — as so many attacks have shown, hackers only need to find one weak link to compromise.

Avast blog: Improving the intersection between privacy and security

At this year’s Avast Data Summit, an internal event primarily intended for Avastians, a combination of Avast leaders and industry thought leaders gave seminars at the intersection of privacy, data, and security.

Many of the topics presented at the event can help you classify, work with, and better secure your data. Following these suggestions can better protect your customers’ privacy and improve your own corporate security profile.

Companies exist in a changing data landscape. There is an evolving collection of data sources and products that are used to produce reports, set management objectives, and guide a variety of corporate initiatives such as improving customer experience and product features. Keeping up with this evolution means having a group of data curators who decide how trust relationships are established, what data gets deleted, and what is retained. This landscape was illustrated with the below diagram. I cover three main themes from the event: the importance of returning to security basics, understanding the nature of differential privacy, and how to use better tools to measure and improve your privacy and data governance.

You can read my report from the Summit on Avast’s blog here.

Avast blog: Facebook outage: How to prevent your own network failures

On October 4, Facebook was offline for about six hours due to human error. The company states that “configuration changes on our backbone routers” were the cause. In this post for Avast, I explain what happened and walk through the takeaways for running your own business network. Thanks to the interplay of two Internet protocols, DNS and BGP, Facebook engineers accidentally took their servers offline and also left users of WhatsApp and Instagram unable to use those apps.

A more technical explanation can be found here on Cloudflare’s blog. This diagram shows the outage of all three services:

Avast blog: Here are OWASP’s top 10 vulnerabilities in 2021

Last week was the 20th anniversary of the Open Web Application Security Project (OWASP), and in honor of that date, the organization issued its long-awaited update to its Top 10 list. The list had been in draft form for months; it has been revised several times since its debut in 2003, most recently, before this iteration, in 2017. In my blog post for Avast, I probe into its development, how it differs from the older lists, and what the key takeaways are for infosec managers and corporate app developers.

The 2021 Top 10 list has sparked some controversy. Security consultant Daniel Miessler complains that the list mixes unequal elements, and calls out the insecure design item as a problem. “While everyone can agree it’s important, it’s not a thing in itself. It’s instead a set of behaviors that we use to prevent issues.” He thinks the methodology is backwards: “OWASP should start with the purpose of the project and the output you want it to produce for a defined audience, and then look at the data needed.”

Is someone hiding their servers in your data center?

Christopher Naples is on track to become the second most infamous person for illicitly bringing his own computer gear to work. He was recently charged with using more than 40 devices to mine Bitcoin and other cryptocurrencies, connecting them to his office computer racks. Naples is (was) an IT supervisor for the Suffolk County, Long Island, government. His gear was placed under raised floors and inside unused power panels, clearly to avoid detection. The crypto mining gear generated so much heat that the HVAC folks had to rebalance their systems to cool everything off, costing the county thousands in added electrical power.

His case will now be heard by the courts, and I wish them well in being able to sort out the situation. Mining, or creating new crypto value, is a very energy-intensive operation because it uses very high-end computing gear that draws a great deal of power. There have been some estimates that the total power consumed by all the world’s Bitcoin users is more than the demand of Finland, which has 5.5M people.

I think the case against Naples is pretty solid: this was gear that he was using for his own personal gain. The reason I rank him second in this unique category is the case of Aaron Swartz, a computer scientist who ten years ago hid his server in an MIT closet. Swartz was unhappy that an online academic research consortium called JSTOR was charging private citizens for copies of articles but granting free access to certain academic users. Hence the location. Over the course of several months, he managed to download millions of articles to his server, which eventually tripped a network monitor and brought a huge federal case of 13 felony charges against him. He killed himself shortly before he was to begin serving a long jail term. (Carl Malamud, who worked with Swartz, documents the situation nicely here.)

A case could be made that Ed Snowden deserves to be on this list somewhere: he did bring USB thumb drives to his office to download various secret NSA documents, although he didn’t leave any gear in his office closet. Unlike Swartz and Naples, his frantic document copying wasn’t detected by his employer, which is all the more ironic given the nature of the NSA and the various scans and network checks that presumably should have been in place to detect this massive effort.

What Swartz, Snowden and, to some extent, Naples prove is the value of intrusion detection, particularly as it relates to exporting data to a remote network. Of course, now that many of us are working remotely, it is especially challenging to tell massive data exports that are part of normal operations apart from something fishy going on.

You might think that the problem of hidden personal servers at work could be solved by moving more resources into the cloud. But this just makes these illicit servers a lot harder to find. There are a number of tools that can specifically search for non-sanctioned servers, but you still need IT staffers to keep track of things.

Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousands of dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that it is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons requires an understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.