I am back on Shaun St. Hill’s Tech and Main podcast, this time talking about the benefits and frustrations of using passwordless technologies. There are some signs of hope, particularly with new tools that don’t require you to type in one-time codes but can recognize your smartphone’s intrinsic hardware to help authenticate you. Of course, this means you need a smartphone for every employee.
Category Archives: security
An update on deepfake video threats
What has happened in the world of deepfake videos? Since I wrote about their creation and weaponization back in October 2020 for Avast’s blog, there have been a number of virtual conferences and new algorithms developed to create these odd pieces of media. Opinion is surprisingly bimodal: either the sky is falling and we are all about to become subjects of revenge porn and misinformation campaigns, or things haven’t (yet) gotten out of hand and the tech is still in its early stages. I will let you be the judge, but will give you a few places where you can start your own research.
One blog post that I read on the ethics of “synthetic media” (that is what the people who write the deepfake algorithms call their work product, to make it sound more legitimate) compared the deepfake world with the introduction of the Kodak camera some 130 years ago. Back then, folks were worried about image manipulation by newbie photographers, and whether photos could show anything other than the literal, “real” state of the world. The Chicken Little scenarios didn’t materialize, and now we all walk around with digital cameras that carry multiple lenses and built-in effect filters that previously were found only on higher-end pro gear.
Still, there is no doubt that the tech will get better: check out this timeline from one of the deepfake scanning vendors that claims “the technology was developed so fast that now bad actors can create realistic synthetic videos easily.” That perspective was reinforced with this report earlier this summer from Threatpost, which warned that a “drastic uptick in deepfake tech is happening.” There are plenty of deepfake algorithms out there, as Shelly Palmer recently cataloged.
Hold on. Yes, the tech has been developing quickly, thanks to AI models backed by huge amounts of computing power. But the fakes aren’t yet at the point of starting wars or creating bank panics. Instead, we have seen numerous cyberattacks that make use of synthetic voice recordings (think of your boss leaving you a voicemail telling you to make a particular payment, which actually goes to a criminal), according to presenters at a June conference.
And many predicted deepfake disasters haven’t really materialized. A celebrated case of a mother who allegedly sent deepfake videos to the cheer squad and coach of her daughter’s team turned out to be based on more mundane image manipulation. This could be a wake-up call for better cyberbullying laws and for better ways to prove these cases.
I stand with the skeptics (are you really surprised) and suggest you proceed with caution. No doubt as the tech improves the threats will quickly follow, and perhaps we’ll see that happening in 2022. Don’t yet hit the panic button, but instead prepare yourself for potential attacks that could compromise facial and voice ID security measures.
The Verge: How to recover when your Facebook account is hacked
Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.
In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.
And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.
Avast blog: Fighting stalkerware
Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.
The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.
Avast blog: The report from the third CyberSec&AI conference
Last week, the third annual CyberSec&AI Connected was held virtually. There were many sessions that combined academic and industry researchers along with leaders from Avast to explore the intersection of security and privacy and how AI and machine learning (ML) fit into both arenas. The conference strives to deepen the ties between academia and industry and this report for Avast’s blog dives into new and exciting work being done in various fields.
One of the speakers was Dawn Song, a computer science professor at the University of California at Berkeley. She outlined a four-part framework for responsible data use by AI that includes:
- Secure computing platforms, such as Keystone, the open source trusted execution environment (TEE) framework for RISC-V,
- Federated learning, whereby the model is trained where the data lives and the raw data stays under its owner’s control,
- Differential privacy, using tools such as the Duet programming language and public data sets such as the Enron email collection, and
- Distributed ledgers that can have immutable logs to help guarantee security.
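The list names differential privacy but not how it works. Here is an added example (my own code, not from Song’s talk, from Duet, or from Avast) showing its simplest form, the Laplace mechanism for a counting query, over a constructed toy data set. It also computes the exp(epsilon) bound on how much any one output can distinguish two data sets that differ in a single record, shows why repeated releases of the same query leak (averaging cancels the noise), and tracks a privacy budget with basic sequential composition. The record layout, epsilon values and budget size are assumptions for illustration.

```python
import math
import random

# Constructed toy data set (not from the talk): one record per user with a
# sensitive boolean attribute that we only want to release in aggregate.
RECORDS = [{"id": i, "opted_in": i % 3 == 0} for i in range(1, 31)]  # 10 opted in


def true_count(records):
    """Exact, non-private answer to 'how many users opted in?'."""
    return sum(1 for r in records if r["opted_in"])


def laplace_sample(scale, rng):
    """One draw from Laplace(0, scale) via inverse-CDF sampling."""
    u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)  # avoid log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, epsilon, rng=None):
    """Release a count with the Laplace mechanism.

    A count has L1 sensitivity 1 (adding or removing one record changes the
    answer by at most 1), so noise of scale sensitivity/epsilon makes this
    single release epsilon-differentially private.
    """
    rng = rng or random.Random()
    sensitivity = 1.0
    return true_count(records) + laplace_sample(sensitivity / epsilon, rng)


def laplace_pdf(x, mean, scale):
    return math.exp(-abs(x - mean) / scale) / (2.0 * scale)


def worst_case_privacy_loss(epsilon, sensitivity=1.0):
    """Largest output-density ratio between neighbouring data sets on a grid.

    D and D' differ in one record, so their true counts differ by at most
    `sensitivity`. The ratio p(output | D) / p(output | D') never exceeds
    exp(epsilon); that bound is the differential-privacy guarantee itself.
    """
    scale = sensitivity / epsilon
    c = 10.0  # true count on D; D' has c + sensitivity
    grid = [c + step / 4.0 for step in range(-80, 81)]
    return max(laplace_pdf(x, c, scale) / laplace_pdf(x, c + sensitivity, scale)
               for x in grid)


def averaging_attack(records, epsilon, releases, rng=None):
    """Why a budget matters: averaging many independent releases of the same
    query cancels the noise and recovers the exact count."""
    rng = rng or random.Random()
    answers = [dp_count(records, epsilon, rng) for _ in range(releases)]
    return sum(answers) / len(answers)


class PrivacyBudget:
    """Basic sequential composition: the epsilons of all releases add up, and
    the data curator refuses any release that would exceed the agreed total."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def release_count(self, records, epsilon, rng=None):
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError(
                f"budget exhausted: spent {self.spent:.2f} of {self.total:.2f}")
        self.spent += epsilon
        return dp_count(records, epsilon, rng)


if __name__ == "__main__":
    rng = random.Random(2021)
    print("exact:", true_count(RECORDS))
    print("eps=1.0 release:", round(dp_count(RECORDS, 1.0, rng), 2))
    print("eps=0.1 release:", round(dp_count(RECORDS, 0.1, rng), 2))
    print("max loss at eps=1.0:", round(worst_case_privacy_loss(1.0), 4),
          "(bound e =", round(math.e, 4), ")")
    print("mean of 2000 unbudgeted releases:",
          round(averaging_attack(RECORDS, 1.0, 2000, rng), 2))
    budget = PrivacyBudget(1.0)
    for _ in range(3):
        try:
            print("budgeted release:", round(budget.release_count(RECORDS, 0.5, rng), 2))
        except RuntimeError as exc:
            print("refused:", exc)
```

Run it and compare the eps=1.0 and eps=0.1 releases: the smaller epsilon adds about ten times the noise, which is the privacy/utility trade-off in one line. The averaging run is the reason a budget exists: without one, an analyst who can repeat the query recovers the exact count.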
Fighting ransomware will require numerous efforts
Ransomware attacks are becoming more numerous and dangerous. According to a recent conference of European law enforcement agencies, ransomware generated $350 million in payments in 2020, a 311% increase from 2019. One payment-tracking site shows more than $45 million in payouts for the first half of 2021, based on public records of the ransom blockchain transactions and victim reports.
A Twitter thread by security researcher Ming Zhao shows the depth of the ransomware marketplace and the variety of actors. The flow of funds from victims to criminals, how their attacks have grown, and how the price of cryptocurrency has influenced their actions are revealed in the thread.
As remote work continues and expands, better ways to secure workers’ connections to and from the organization’s data, both in the cloud and on-premises, are necessary. The risks are compounded by the all-too-human inclination of remote workers to put completing tasks ahead of security best practices. An employee might, for example, reuse the same password for an online shopping account and for access to critical corporate data from a home office connection. Among more tech-savvy users who should know better, a software deployment might contain vulnerable code because the development team chose to meet a deadline rather than run proper security checks before putting the application into production.
For these remote data-access risks, VPNs don’t cut it anymore. They rest on the incorrect assumption that both endpoints of the tunnel are trustworthy. Since the pandemic began, more corporate workflows traverse the public Internet, where they can be more easily compromised. Anyone in an organization can become a target because attackers are looking for the weakest point in the IT infrastructure.
Added to these trends, Ransomware as a Service organizations have become popular. They make ransomware easier to deploy and more lucrative to operate. And it isn’t just business networks that attract attackers, either. Internet-of-Things (IoT) devices (such as Nest thermostats and connected TVs) and industrial-control systems are targets, too.
Attackers have gone a step further by compromising supply chains. This is what happened with SolarWinds and, more recently, with Kaseya VSA. Ransomware attackers now combine the initial encryption with follow-up threats to publish data stolen from their targets. Security vendor Emsisoft reported that 11% of ransomware attacks involved data theft during the first half of 2020, a share that has continued to rise in 2021.
The feds are trying to stem this tide with a variety of executive orders, a two-day international conclave held last month, and the latest attempt to arrest one of the Russian hackers involved in the Kaseya attack. Oddly, REvil, one of the most pernicious of these groups, took down its own infrastructure in July. We say odd because no one knows the cause or the details behind the takedown. Whether or not these efforts bear fruit, taken together they show that fighting ransomware will require many different initiatives and methods at various regulatory levels. Combined with protective technologies and tools, this requires careful attention to every detail across the entire organization and the entire network: as so many attacks have shown, an attacker needs to find only one weak link.
Speech: Understanding passwordless technologies
This is the deck I am using for an upcoming talk at the St. Louis IAM meetup. I discuss the various trends in passwordless technologies, how the label is somewhat of a misnomer, and what to look for if you are going to deploy these tools across your enterprise.
Avast blog: Improving the intersection between privacy and security
At this year’s Avast Data Summit, an internal event primarily intended for Avastians, a combination of Avast leaders and industry thought leaders gave seminars at the intersection of privacy, data, and security.
Many of the topics presented at the event can help you classify, work with, and better secure your data. Following these suggestions can better protect your customers’ privacy and improve your own corporate security profile.
Companies exist in a changing data landscape. There is an evolving collection of data sources and products used to produce reports, set management objectives, and guide corporate initiatives such as improving customer experience and product features. Managing this evolution means having a group of data curators who decide how trust relationships are established, what data gets deleted and what is retained. This landscape was illustrated with the below diagram. I cover three main themes from the event: the importance of returning to security basics, understanding the nature of differential privacy, and how to use better tools to measure and improve your privacy and data governance.
You can read my report from the Summit on Avast’s blog here.
Avast blog: Facebook outage: How to prevent your own network failures
On October 4, Facebook was offline for about six hours due to human error. The company states that “configuration changes on our backbone routers” were the cause. In this post for Avast, I explain what happened and walk through the takeaways for running your own business network. Through the interaction of two Internet protocols, BGP and DNS, Facebook engineers accidentally withdrew the routes to their own network, taking their servers offline and leaving users of WhatsApp and Instagram unable to use those apps as well.
A more technical explanation can be found here on Cloudflare’s blog. This diagram shows the outage of all three services:
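To make the takeaway concrete for your own network, here is an added example of a pre-change guardrail (my own code, not Facebook’s or Cloudflare’s). It models the failure mode Cloudflare’s post-mortem describes: a BGP withdrawal that removes the prefixes hosting a zone’s authoritative name servers, so that the zone stops resolving for the whole Internet even where other front ends remain routable. The topology below is constructed from reserved documentation address ranges; the host names, prefixes and the “at least two surviving name servers” threshold are assumptions.

```python
import ipaddress

# Constructed topology (documentation address ranges, not real routing data):
# the authoritative name servers for a zone, the organisation's public web
# front end, and the prefixes it normally announces to the Internet via BGP.
NAMESERVERS = {
    "a.ns.example": "192.0.2.10",
    "b.ns.example": "192.0.2.20",
    "c.ns.example": "198.51.100.10",
    "d.ns.example": "198.51.100.20",
}
WEB_FRONTEND = "203.0.113.5"
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def covering_prefix(ip, prefixes):
    """Longest announced prefix that covers ip, or None if ip is unroutable."""
    addr = ipaddress.ip_address(ip)
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def reachable_nameservers(nameservers, announced):
    """Name servers that resolvers out on the Internet can still reach."""
    return {name: ip for name, ip in nameservers.items()
            if covering_prefix(ip, announced) is not None}


def nameserver_prefix_spread(nameservers, announced):
    """Number of distinct announced prefixes the name servers sit in; a single
    prefix means one withdrawal silences the whole zone."""
    prefixes = {covering_prefix(ip, announced) for ip in nameservers.values()}
    prefixes.discard(None)
    return len(prefixes)


def simulate_withdrawal(nameservers, announced, withdrawn, web_frontend=WEB_FRONTEND):
    """Apply a set of BGP withdrawals and report what the outside world sees."""
    remaining = [p for p in announced if p not in set(withdrawn)]
    ns_up = reachable_nameservers(nameservers, remaining)
    return {
        "announced_after": remaining,
        "nameservers_reachable": sorted(ns_up),
        # Resolvers need at least one routable authoritative server; with none,
        # the zone stops resolving even if the web servers themselves are fine.
        "zone_resolvable": bool(ns_up),
        "web_frontend_routable": covering_prefix(web_frontend, remaining) is not None,
    }


def preflight_check(nameservers, announced, planned_withdrawal, min_surviving=2):
    """Guardrail to run before pushing a route change: refuse it if fewer than
    min_surviving authoritative name servers would remain routable."""
    result = simulate_withdrawal(nameservers, announced, planned_withdrawal)
    ok = len(result["nameservers_reachable"]) >= min_surviving
    return ok, result


if __name__ == "__main__":
    print("name servers span", nameserver_prefix_spread(NAMESERVERS, ANNOUNCED), "prefixes")
    for change in (["192.0.2.0/24"], ["192.0.2.0/24", "198.51.100.0/24"]):
        ok, result = preflight_check(NAMESERVERS, ANNOUNCED, change)
        print("withdraw", change, "->", "ALLOW" if ok else "BLOCK", result)
```

The second scenario is the instructive one: the web front end is still routable, yet nobody can reach it by name because every authoritative server went dark with the withdrawn prefixes. Spreading name servers across prefixes (and ideally across a second provider) and refusing route changes that would strand them is the cheap version of the lesson.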
Avast blog: Here are OWASP’s top 10 vulnerabilities in 2021
Last week was the 20th anniversary of the Open Web Application Security Project (OWASP), and in honor of that date the organization issued its long-awaited update to its Top 10 list of web application security risks. It had been in draft form for months. The list has been revised several times since its first release in 2003, most recently before this edition in 2017. In my blog post for Avast, I probe into its development, how it differs from the older lists, and what the key takeaways are for infosec managers and corporate app developers.
The 2021 Top 10 list has sparked some controversy. Security consultant Daniel Miessler complains that the list mixes unequal elements, and calls out the insecure design item as a problem. “While everyone can agree it’s important, it’s not a thing in itself. It’s instead a set of behaviors that we use to prevent issues.” He thinks the methodology is backwards: “OWASP should start with the purpose of the project and the output you want it to produce for a defined audience, and then look at the data needed.”