Network Solutions blog: why are online containers so often unsecured?

In any given week, security researchers discover caches of data on cloud servers that are completely open to the public, usually containing the most sensitive information about a company’s customers. Leaks were found earlier this summer that revealed data coming from Avon as well as from Ancestry.com. This latter leak wasn’t the first breach for Ancestry — it had an earlier 2017 leak here. The problem is simple to describe and appears — at least at first glance — simple to fix. When you initially set up your online storage, you are asked who has access and what rights are accorded to each user. However, developers have hundreds if not thousands of containers to keep track of, and sometimes they forget to lock all of them down.

In my blog for Network Solutions, I discuss how to find these unsecured containers and how to prevent these leaks from happening.

CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.


Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

RSA blog: Paying Down your Technical Security Debt

As we begin 2021, one of the first orders of business is to revisit some of the quick decisions we made during the beginnings of the pandemic last year. Nowhere is this more the case than with our technical infosec debt, a term coined by Ward Cunningham decades ago. It is basically a fancy term for taking the easy route, for cutting corners and saving time without really looking at the longer-term consequences of decisions that could make your IT infrastructure inherently insecure. It reflects the implied cost of reworking the code in your program because of these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

You can read the latest in my blog for RSA here.

Avast blog: The dangers of Adrozek adware

Microsoft has found that various browsers are being targeted with ad-injection malware called Adrozek. At the attack’s peak in August, the malware was observed on more than 30,000 devices every day, according to the researchers. The adware, as it is called, substitutes phony search results that when clicked will infect your computer.

You can read my analysis of the malware and what you can do to prevent it in my latest blog post for Avast here.

RSA blog: Time to give thanks and review our predictions

It is a bit risky writing about the year’s trends and predictions this time around. Certainly, the Covid pandemic has dominated our lives during the past year and thrown many of our predictions out the window. But re-reading my RSA blog post from a year ago, two themes are still very much at the forefront: better authentication and the continued rise of ransomware. In my latest blog post for RSA here, I talk about these trends and about where the Covid pandemic is taking us in terms of better IT security. I also offer up a few predictions for 2021.

RSA blog: Securing chaos to improve overall app design

A large portion of security professionals think that their job is to prevent bad actors from gaining access to trusted resources. Yes, in isolation that is a true statement. But the implications of that position hide what is really supposed to happen. Instead, it is the job of infosec pros to ensure only appropriate actors can access trusted resources. One way this is accomplished is through what is called Security Chaos Engineering, which tests security resilience before some attack happens. It is an evolution of the pioneering work that was first done at Netflix many years ago. Now there are a number of similar products and related practitioners in this field. You can read my blog for RSA here where I describe this practice in detail.

Network Solutions blog: How to defend against web skimming attacks

Your eCommerce website is vulnerable to a variety of threats known collectively as web skimming. The hackers behind these threats are getting better at penetrating your site and installing their malware to steal your customers’ money and private information. And web skimming is getting more popular, both in the rising frequency of attacks and in the size of the data breaches recorded. In this post for Network Solutions’ blog, I describe how these attacks work, reference a few of the more newsworthy ones and provide a series of tips on how to prevent your own eCommerce site from becoming compromised.


Avast blog: The rise of the OGUsers hacking group

The hackers’ forum called OGUsers has ironically been a tempting target for criminals, with a series of at least three successful hacking attempts in the past couple of years: once in May 2019, a second time in March 2020, and a third time just last week. In my post for Avast’s blog, I talk about how this forum came to be and its involvement in a series of earlier hacks that originated there, as well as more specifics on the three attempts. I also offer a few suggestions on what you can do to prevent your own account data from being compromised.


There was no hacking of our elections. Period.

I have struggled trying to write something about the underlying IT of our recent elections without making this overtly partisan or political. So here goes: there was no hacking of our ballots. We had probably the most secure election in our nation’s history. No foreign power changed any ballots. Numerous recounts verified the results. Biden won, fair and square.

Yes, the precise tabulation of votes was off by a few votes here and there. But not enough to change the overall result or who will become our next president. The states that were called for each candidate – including an early prediction by Fox News that Biden won Arizona on election night — remained unchanged.

Sunday night on 60 Minutes, Chris Krebs was interviewed about his role in securing our election. Krebs ran the Cybersecurity and Infrastructure Security Agency for DHS for several years and built up a powerhouse support team for local elections officials. If you haven’t yet watched the segment, please take the time to do so, or at least read the transcript of his interview. He makes it very clear what happened, and more importantly, what didn’t happen. The claims by our president are just pure fantasy.

Krebs reiterates the points made in this November 12th letter signed by various government election officials who have been supporting the underlying security efforts: “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Krebs wrote an op-ed for the Washington Post.

Krebs and his team put together a special website called “rumor control” that is still online. It contains an FAQ about rumors and misinformation about our electoral process. We should have similar pages across all government agencies, especially in these times when facts are hard to come by. The Rand Corporation calls this “truth decay”: we can’t agree on the facts anymore.

Ironically, many of these rumors were started by our president and his advisors.

Krebs was very accessible on election day, hosting a series of teleconferences with reporters every few hours. It was an odd series of briefings. I kept waiting for the ball to drop but as the day wore on, it was clear that our vote was clean. “It is just another Tuesday on the Internet,” Krebs said at one point. It was clear that he had done his job well, and we should have praised him. Instead, he was fired by a tweet a couple of weeks later.

In the process of writing about elections security for Avast’s blog, I have met and interviewed some of the computer scientists who wrote their own letter. They firmly state that claims about rigged elections “either have been unsubstantiated or are technically incoherent.” This includes allegations about the operations of one of the tech voting machine vendors: there was no wholesale transfer of votes.

Another irony: it is the abundance of paper ballot backups – and the 100M people that voted early and by mail — that made these claims false. Look at the Georgia manual recount. Yes, Georgia has had some tech problems in the past year, documented by this investigation in the Atlanta newspaper. But they ultimately pulled it together for November. Again, their final tally differs by a few votes here and there. There were some counting errors, but those were done by humans, not computers. And more importantly, they were discovered and corrected. The final tally for both candidates increased slightly. But Biden’s victory margin was tens of thousands of votes and remained intact after the recount. What is more impressive is the number of counties where the counts remained exactly the same.

Our elections – and our democracy – worked. Krebs said last night that it is “a travesty what is happening now with all these death threats to election officials. They are defending democracy. They are doing their jobs.” Here is more from another interview where he talks about these threats to a WaPost reporter.