Avast blog: Just because your iPhone is powered off doesn’t mean it can’t be attacked

Did you know that even when your iPhone is turned off, some of its components are still getting power? Researchers have found this to be one of the reasons why a new attack vector can operate without your knowledge. The issue lies with the iPhone’s Low Power Mode (LPM) and the fact that while using this functionality, certain communications chips continue to operate. Apple’s LPM features were introduced as part of iOS 15 and enable things such as Find My Phone, which can continue to track and function when a phone is turned off. You can find out more about this, and how it stacks up with air-gap research and NSO’s Pegasus, in my latest blog for Avast here.


CSOonline: How to choose a certificate management tool

Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map, including those for servers, for applications, to encrypt your email messages, for authenticating to connect with IoT devices, to allow you to make edits to a piece of code, and for user identities to have access to a particular shared resource.

[Image: CSO email security suites table]

I mention the above products and some of their important features, along with other aspects of how to manage your certs, in my post for CSOonline here.

Avast blog: How to make a successful transition to a hybrid work schedule

Employers should migrate to a hybrid environment only after building a solid foundation to support remote workers. As Covid-19 pandemic restrictions have eased, employers are adjusting their work-from-home policies. Some companies, including Airbnb, have doubled down and made substantial commitments to remote working. Others, like Google, have begun to shift to more in-person and hybrid office policies. This range, just between two tech giants, is an example of the different possibilities being considered by other employers. According to a 2017 Gallup poll, 43% of U.S. employees worked remotely all or some of the time.

Part of the reason for this difference has to do with how all of us have adjusted to working in the face of the pandemic. I explain more in this post for Avast’s blog.

The changing digital business climate in India

Late last month the Indian CERT issued a ruling directed at improving its breach security. The ruling has a big impact in terms of limiting the privacy of its computer users and how digital business is conducted there. The news has centered around its effect on VPN operators, but the ruling also affects data center providers and “intermediaries,” which could be any ISP or indeed any digital business that has Indian origin. The ruling isn’t final but is supposed to go into effect next month.

— First, businesses must notify the CERT within six hours of any breach or security incident, and provide any system logs, which have to be maintained for six months. These incidents are described across a wide collection of situations, including website defacement, identity theft, DDoS, data theft, wholesale port scans and other attacks. The six-hour window is a pretty tight one, and other geographies have much longer notification periods (the EU’s GDPR allows 72 hours, for example), and in some cases, businesses may not even know of a breach during that short time period.

— Second, digital businesses must collect and log a variety of user data, including valid names, IP addresses, public encryption keys, emails, physical addresses and phone contacts. CERT requests that any vendor keep these logs for up to five years. The businesses specifically mentioned in the ruling include remote access vendors, VPN operators, cloud providers and data centers. But it could apply to any company that has a bunch of programmers in India, which is certainly a common situation for perhaps most large international companies.

The actual logs are being collected to enable the CERT to reconstruct individual transactions so they can identify the parties involved. That is a tall order, because it assumes that businesses will have to collect a lot more data about their customers than they have done previously.

As you might imagine, this has thrown many businesses into a tizzy, because of the onerous provisions in this ruling. What is curious is that the role of India’s CERT has moved beyond its lane: a CERT is typically the national agency (our CERT began its operations in Pittsburgh) that handles breach reporting and makes recommendations when it observes increases in computer attacks.

The five-year log collection period is what I want to focus on. As I said at the top of this post, the news has mostly focused on VPN providers, and indeed they have reacted with some trepidation. Some have said they might have to forgo their Indian operations. “Forcing VPN providers to track user traffic and their private data is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers,” said Artur Kane, the CMO at VPN provider GoodAccess.com.

The data retention piece of the regulation is also an issue. Part of the issue, as I mentioned in my earlier reviews of VPNs, is that figuring out data retention policies and practices is very difficult, and almost every vendor has problems here. But there is another side as well: “Asking VPN vendors to retain this amount of customer data is without precedent in democratic countries,” Kane said.

Many VPN providers have claimed “no logs” as part of their marketing strategies. This is almost as ridiculous and nearly unprovable as their claims for “military-grade encryption.” CNet wrote this piece a few years ago about why you should be so skeptical about these claims — there are numerous types of logs, and numerous ways to collect and dispose of this data. “No matter how much we trust any particular VPN to help mask our internet browsing, it’s virtually impossible to verify whether a VPN truly keeps no logs,” they wrote. I agree. If you want to research this further, read this analysis by Consumer Reports on how many VPNs keep local logs (on your own machine).

While getting better intelligence about cyber attacks is important, the way the Indian CERT is going about this is wrong-headed, and perhaps will prevent many companies from continuing to do business in India.

Avast blog: Top MFA myths busted

Today is World Password Day. Ideally, every day you should take some time to improve your password collection, and the best way to do that is to use MFA. But for all of its utility, MFA still has its resistors. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths in my latest post for Avast and hopefully help you convince folks to get onboard.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI) that began in 2014 and has been expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.

CSOonline: How to choose the best VPN for security and privacy

Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments.

A VPN is still useful and perhaps essential to a modern mostly remote workplace. In this post for CSO, I describe these scenarios, what security researchers have found about how VPNs leak data or have other privacy issues, and what you should look for if you intend to deploy them across your enterprise.

Avast blog: Introducing important changes to credit card data security standards

The Payment Card Industry Data Security Standards (PCI DSS) organization has made a series of updates to its standards with its latest version 4.0. It contains several important improvements; perhaps the most important change is the expansion of encryption and MFA requirements to protect all accounts that have access to cardholder data. I describe these developments in my post for Avast’s blog here.


More on the Pegasus Project

Since I last wrote about the NSO Group’s Pegasus mobile spyware last summer, there have been several new developments that show just how insidious the software is and how pervasive its use around the world.

Pegasus can be placed directly onto a target’s smartphone without any user interaction and can then start tracking a phone’s location and operations. Last year a consortium of journalists revealed who was using the spyware after doing extensive forensic research on dozens of phones. This resulted in the US Commerce Department putting NSO on a block list, the DoJ beginning investigations and Apple suing the company. Then we saw two developments last December: first, Apple notified a number of US State Department employees in Uganda that their phones had been hacked. And Pegasus was found to have been used to track Jamal Khashoggi, with residue found on one of his wives’ phones.

There were other reports that the FBI had tried out Pegasus but didn’t actively use it, or at least not that anyone could prove. And that a security researcher had decompiled several code samples and documentation.

Just recently, the Citizen Lab — one of the research groups involved in last summer’s project — found more cases of Pegasus used on dozens of Catalan phones, probably at the direction of various government entities in Spain. One of the researchers found a previously-unknown iOS zero-click exploit. The more we find out about Pegasus, the more I am convinced this tool spells trouble.

Again, I want to emphasize that your chances of getting infected with Pegasus are very, very low. But it does seem to crop up frequently enough, and now in places you would not expect, as they are free, democratic countries. NSO representatives continue to maintain that they carefully vet their potential customers and say its software is intended to investigate terrorists and potential criminals. But given that its residue has been found on the phones of political figures, journalists and human rights workers, I wonder how careful this vetting process really is.