CSOonline: Third-party software supply chain threats continue to plague CISOs

The latest software library compromise of an obscure but popular file compression library called XZ Utils shows how critical these third-party components can be in keeping enterprises safe and secure. The supply chain issue is now forever baked into the way modern software is written and revised. Apps are refined daily or even hourly with new code, which makes it more of a challenge for security software to identify and fix any coding errors quickly. It means old, more manual error-checking methods are doomed to fall behind and let vulnerabilities slip through.

These library compromises represent a new front for security managers, especially since they combine three separate trends: a rise in third-party supply-chain attacks, hiding malware inside the complexity of open-source software tools, and using third-party libraries as another potential exploit vector for generative AI software models and tools. I unpack these issues in my latest post for CSOonline here.

CSOonline: Microsoft Azure’s Russinovich sheds light on key generative AI threats

Generative AI-based threats operate over a huge landscape, and CISOs must look at it from a variety of perspectives, said Microsoft Azure CTO Mark Russinovich during the Microsoft Build conference this week in Seattle. “We take a multidisciplinary approach when it comes to AI security, and so should you,” Russinovich said of the rising issue confronting CISOs today. I cover his quite illuminating talk about AI-based threats here for CSOonline.


CSOonline: It is finally time to get rid of NTLM across your enterprise networks

It is finally time to remove all traces of an ancient protocol that is a security sinkhole: NTLM. You may not recognize it, and you may not even know that it is in active use across your networks. But the time has come for its complete eradication. The path won’t be easy, to be sure.

The acronym is somewhat of a misnomer: it stands for Windows New Technology LAN Manager and goes back to Microsoft’s original network server operating system that first appeared in 1993.

NTLM harks back to another era of connectivity: when networks were only local connections to file and print servers. Back then, the internet was still far from a commercial product and the web was still largely contained as an experimental Swiss project. That local focus would come to haunt security managers in the coming decades.

In this analysis for CSOonline, I recount its troubled history, what Microsoft is trying to do to rid it completely from the networking landscape, and what enterprise IT managers can do to seek out and eliminate it once and for all. It will not be a smooth ride to be sure.

CSOonline: An update on IAM

Comedian Colin Quinn says identity is a big thing. “Your id is who the government says you are. Your personality is the people who know you think you are, your reputation is the people who don’t know you think you are, your social media profile is who you think you are, and your browser history is who you really are.”

While my writing about identity management isn’t going to make the comedy circuit, I recently updated my explainer piece for CSOonline. Identity is even more important these days, as enterprises move into more cloud-based and virtual infrastructures, federate apps with their partners and customers, and try to protect themselves against supply-chain attacks that can tie them in knots for weeks and months. And thanks to poor multi-factor implementations, more sophisticated phishing methods, more automated credential stuffing techniques and numerous legacy IAM systems that haven’t been updated, bad actors can often find easy entries with minimal effort into corporate systems to ply their exploits.

IAM needs to be a well-integrated fabric or mesh of architectures and processes that connects everything together into a coherent whole that can protect the entire digital surface of an enterprise. This fabric uses adaptive risk assessments to authenticate and connect both people and machines, and it uses information collected from continuous threat detection and operations visibility. My post explains how to get to this state, and some things that enterprise IT managers need to consider in their evaluations.

The latest anime-based North Korean IT threat

A couple of years ago I wrote about the report that North Korean IT workers were using fake resumes to get jobs as software developers. Once ensconced, they would leverage their position to launch attacks as well as using their salaries to generate hard cash for their government handlers. But a new research report has shown this threat to be even more pernicious, with North Korean digital animators getting jobs working on major motion pictures that will be broadcast on HBO, Amazon, and other outlets.

As I mentioned in my earlier post, this is the ultimate supply chain attack, but the supply is the humans who produce the code, rather than the code itself. The new report is based on a misconfigured cloud server, showing that even North Koreans can make this common configuration mistake that is made every day by nerds around the globe. The group working on this server left it wide open for a month, during which time security researchers could download the files placed on this server and figure out the workflows involved.

They learned from the incident how difficult it is for animation studios to vet whether or not their outsourced work ends up on North Korean computers and how these studios might be inadvertently employing North Korean workers. It also demonstrates how hard it can be to have effective sanctions when it comes to our interconnected world.

As you might already know, North Korea doesn’t have very many internet connections by design, because of these sanctions. Typically, an IT shop would have just a couple of connected computers with net access, which is carefully monitored by the state. Looks like they need to add “search for unprotected cloud storage buckets” to their monitoring software, just like the rest of us have learned.

What makes this discovery interesting is how far down the workflow food chain these animators operate. Examining one of the images posted by the researchers, shown below, you can see two text annotations, one in Korean and one in Chinese characters. The conclusion is that this was a translation between two teams working on the project: the hidden Korean team that was a subcontractor for the Chinese team. China is often the safe-mode proxy to hide North Korean origins from Western-based businesses, and Chinese businesses that have been discovered to be these go-betweens are eventually sanctioned by our government.

The researchers found work on a half dozen different animation projects that span the globe of video programming being produced for Japanese, American, and British audiences. Some of these shows aren’t scheduled to run until later this year or next. “There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators. It is likely that the contracting arrangement was several steps downstream from the major producers,” they wrote.

Last October, our government updated its warnings about recognizing potential North Korean IT workers, such as workers’ home addresses that trace to freight forwarding addresses, or language configurations in software that don’t match what the worker is actually speaking. They further recommend that hiring managers do their own background checks of all subcontractors rather than trusting what the staffing vendor supplies, and verify that any bank checks don’t originate from a money service business. They further recommend preventing any remote desktop sessions, verifying where any company computers are being sent, and having workers hold up their physical ID cards while they are on camera and show their actual physical location.

I am sure that animation studios aren’t the only ones employing North Koreans. The human employment supply chains can snake several times around the globe, and this means all of us that hire IT — or indeed any specialized talent — need to be on guard about all the component layers.

How to Secure Browsers Across Your Enterprise

The extreme makeover of a browser as a managed security service has taken a long and tortured route to the present day. And after writing that the technology is “having a moment” last year, there is still new life in it with this week’s announcement by Google of a Chrome Enterprise Premium version that adds some security features.

These browsers can provide a variety of protective features, according to a 2022 blog post from Forrester, such as preventing phishing attacks or malware distribution and data leaks. And that is a good thing, given how easy it is to deploy these exploits.

This is the main reason why secure enterprise browsing is predicted to have a growth spurt by Gartner. They claimed last spring it will be found in a quarter of companies by 2026, more than double its present population. “The technology is still in the early stages of adoption,” the authors wrote in the post, which lays out a multi-phase evolution of the secure browser marketplace that may or may not come to pass. Some of these tools have been available for the past decade, and new vendors regularly appear to try to capture some market share.

But the browser’s complete makeover from a jack-of-all-trades application to a mainstay security tool isn’t going to be easy or effortless. The new version of Chrome from Google will be especially tricky to set up. It comes with a multi-step installation guide that can try even an expert’s patience. This is because its security choices are numerous, and there are many dozens of things to think about and set.

It is available now for all Google Workspace customers and will cost $6 per user per month, with a free 30-day trial period that includes 50 user licenses.

Google’s announcement follows a series of security improvements that Microsoft made earlier to its Edge browser. Most of these enhanced security features are site-based, meaning you set up specific block lists. The Microsoft browser comes with two settings to make it easier to set up.

However, while Google’s approach is too fine-grained, Microsoft’s is too simplistic. What is needed is a way for corporate security managers to deploy a better browser, without having to rebuild what is the equivalent of a firewall policy rules set from scratch.

Deployment issues with secure browsers

There are several issues with this class of tools. First, secure browsers can have up to four different and non-exclusive operating modes, in various combinations:

  • Ones that use remote browser isolation methods, where the browser sessions run in a cloud service,
  • Ones that install the browser software on a local endpoint but isolate their operation through the use of various add-ons such as browser extensions,
  • Ones that work in conjunction with an on-premises appliance, and
  • Ones that are essentially managed services, typically run from the cloud.

For example, the Chrome Enterprise browser mostly relies on the fourth method, while TalonWork (now part of Palo Alto Networks) combines the second and fourth methods. Other products, such as Authentic8’s Silo and Island.io’s browsers, combine all of the methods. “Our platform is 100% cloud based so all code is rendered in a remote container,” says Authentic8’s founder Scott Petry. “All credentials, application access controls and data policies are also managed centrally regardless of device, and IT gets comprehensive audit logging of all user activity.”

Why are these different deployment modes necessary? It is because the browser is so versatile and can operate in a variety of circumstances, ranging from controlling some SaaS-based application to viewing dynamic content from a database to managing a collection of remote servers. Having the different modes is a way to extend its utility while still providing a secure envelope in all these situations.

Gartner’s blog post states, “The extension ecosystem created by the enterprise browser provides an opportunity for third-party security solutions to be integrated with the browser to strengthen the organization’s overall security posture.” That is true, but it brings up a second point: if a vendor chooses to use a local isolated browser using security extensions, that means they must support code running on all five operating systems (Windows, MacOS, Android, Linux and iOS). This method is falling out of favor because of the heavy development lift to maintain all five versions, and because research from last year has found ways to get around any extensions to distribute malware.

The nature of isolation is not something simple to accomplish, either. Each tool is set up to isolate by application, by destination URL, by user access rights, or a subtle combination of all of these. That makes for an inconsistent level of security applied to each browsing session. And isolation should go both ways: the user’s session and web traffic are isolated from the website, and the website traffic is isolated from the user.

The setup for Google’s secure browser is brutal when using its cloud-based management: there are numerous steps to add encryption, and the specialized OS-specific installation, such as for mobile management software, runs to more than a dozen steps. The other products make this a bit easier, but there is still a lot of trial and error to ensure that the security isn’t blocking legitimate browsing uses, sites, or corporate applications.

Next, having a secure browser requires integration with other security services, such as Data Leak Protection, Single Sign-On, and URL listing services, among others. These integrations are typically performed through cloud-based APIs that provide the provenance of a particular URL or IP address.

The authentication integration is particularly fraught with problems. This is because for the browser to be secure, users need to identify themselves and present login credentials. That is an initial usability stumbling block for many users who aren’t accustomed to that step for their web browsing. The better secure browsers also turn on multi-factor authentication by default (Google’s doesn’t).

This means that enterprises need to invest “in user adoption testing and training,” according to Forrester’s blog post. “Shadow IT happens when users or teams choose to work around the existing systems being deployed because they don’t meet their needs. If users don’t understand the need for these controls and aren’t consulted on your chosen solutions, they will find ways to work around them.”

Next, there are the details about how each browser renders its web content. While almost all the browsers start with Chrome code and make various modifications, that doesn’t mean that each one renders every web page consistently. There are subtle differences in the HTML5 implementations that could prevent access to a particular site or page.

Finally, there is some cost involved. For decades browsers have been free or bundled with the endpoint operating system. Secure browsers will cost something, and even a few dollars a month per user can add up over time and across an entire enterprise population. Gartner said in its blog post, “Free browsers are ubiquitous, to the point that organizations must have specific use cases to justify the purchase of a separate browser.” It remains to be seen if security is that compelling use case.

Dark Reading: New Tool Shields Organizations From NXDOMAIN Attacks

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

Akamai has released a new tool to help, as my story for Dark Reading describes.
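The traffic monitoring layer mentioned above is something you can start on with your own resolver logs. The following is an added example (my own illustration, not Akamai’s tool or anything from the Dark Reading story) that flags clients firing large numbers of unique NXDOMAIN queries under one zone, the signature of a random-subdomain flood; the log format and thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag NXDOMAIN floods (random-subdomain attacks) in resolver logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real resolver's):
# <ISO timestamp> client=<ip> qname=<name> rcode=<NOERROR|NXDOMAIN|...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return one event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT), "client": m.group("client"),
            "qname": m.group("qname").rstrip(".").lower(), "rcode": m.group("rcode")}


def parent_zone(qname):
    """Crude zone grouping: last two labels. Production code would use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_nxdomain_floods(lines, window=timedelta(seconds=60),
                         min_nx=20, min_ratio=0.8, min_unique=15):
    """Return {(client, zone): stats} for clients whose queries in any `window`
    are mostly NXDOMAIN and hit many distinct names under one zone."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    per_client = defaultdict(list)
    for e in events:
        per_client[e["client"]].append(e)
    alerts = {}
    for client, evs in per_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window
                start += 1
            win = evs[start:end + 1]
            nx = [w for w in win if w["rcode"] == "NXDOMAIN"]
            if len(nx) < min_nx or len(nx) / len(win) < min_ratio:
                continue
            by_zone = defaultdict(set)
            for w in nx:
                by_zone[parent_zone(w["qname"])].add(w["qname"])
            for zone, names in by_zone.items():
                if len(names) >= min_unique:
                    cur = alerts.get((client, zone))
                    if cur is None or len(names) > cur["unique_names"]:
                        alerts[(client, zone)] = {"nxdomain": len(nx), "total": len(win),
                                                  "unique_names": len(names)}
    return alerts


def constructed_sample():
    """Constructed log lines: one flooding client, one normal client with two typos."""
    base = datetime(2024, 5, 20, 10, 0, 0)
    lines = []
    for i in range(30):  # flood: 30 distinct labels under one zone, all NXDOMAIN, in 30 s
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} client=10.0.0.5 qname=q{i:02d}x.victim.example rcode=NXDOMAIN")
    for i in range(10):  # normal: mostly NOERROR
        t = (base + timedelta(seconds=i * 3)).strftime(TS_FMT)
        rc = "NXDOMAIN" if i in (2, 7) else "NOERROR"
        lines.append(f"{t} client=10.0.0.9 qname=www{i}.corp.example rcode={rc}")
    return lines


if __name__ == "__main__":
    for (client, zone), stats in find_nxdomain_floods(constructed_sample()).items():
        print(f"ALERT {client} -> {zone}: {stats}")
```

Tune the thresholds against your own baseline; a busy recursive resolver sees a steady trickle of NXDOMAIN from typos and stale records, which is why the ratio and unique-name checks are combined rather than counting NXDOMAIN alone.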

The cybersec gender gap is still wide

A new study by Women in Cybersecurity paints yet another dismal picture of the gender gap. This time it dives into its potential causes. The study is based on surveying both men and women across 20 different organizations. Women encounter problems at twice the rate of men, especially when it comes to their direct managers and peer workers. The glass ceiling is still very much in evidence. It is a sad description of where and who we are, including disrespectful and sexually inappropriate behaviors, underappreciated skills and experience, and requests to do menial tasks (she’ll take the meeting notes).

“Organizations have a clear opportunity to significantly boost their financial results and employee satisfaction by addressing these disparities,” said one of the report’s authors. The revenue impact could be significant due to this differential treatment of women and people of color. You would think that would be obvious by now.

I am ashamed of our industry, which continues to make this news, year after year. Back in 2013, I attended one of the Strangeloop conferences, which were always notable for how many women presenters they had. I wrote a follow-up piece in Biznology a few years ago, tracking down some of the women that I initially wrote about. I ended that piece with the suggestion that you should follow some people on Twitter who don’t look like you and widen your focus and perspective.

Well, Twitter turned out well, didn’t it? Perhaps follow folks on LinkedIn now. You might want to take a listen to the “bit of fun” Mark Cuban is having at Elon’s expense on diversity, when he was interviewed by Lex Fridman (here is a 35 min. excerpt). He makes some great points on why it works.

Speaking of conferences, it wasn’t all that long ago when attending RSA, you wouldn’t find many women speakers. Last year’s event even had an all-women panel of female all-stars talking about threat response. I guess that is progress.

And in 2016 I wrote about how female engineers were scarce. Back then, I said: “It is time that all companies adapt to a more diverse workforce if they want to succeed. And we need to be on the leading edge in tech.” It is still time.

Dark Reading: Electric vehicle charging stations still have major cybersecurity flaws

The increasing popularity of electric vehicles isn’t just a favorite for gas-conscious consumers, but also for cyber criminals who focus on using their charging stations to launch far-reaching attacks. This is because every charging point, whether it is inside a private garage or in a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

In this post for Dark Reading, I review some of the issues surrounding deployment of charging stations, what countries are doing to regulate them, and why they deserve more attention than other connected IoT devices such as smart TVs and smart speakers.

CSOonline: A dozen of the top data security posture management tools

Tracking down sensitive data across your cloud estate can be vexing. By its very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, a group of tools called data security posture management (DSPM) has been developed to discover both known and unknown data, provide some structure and manage the security and privacy risks of its potential exposure. In my post for CSOonline today, I look at a dozen different tools from Concentric AI, Cyera, Eureka Security, Normalyze, OneTrust, Palo Alto Networks, IBM, Securiti, Sentra, Symmetry Systems, Varonis and Wiz. (A summary comparison table can be found here.)

These tools will require a significant amount of staffing resources to evaluate because they touch so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter what digital rock it could be hiding under. So having a plan that prioritizes which data is most important will help focus your evaluation. It also helps to document how each DSPM creates its data map and how to interpret it and the subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap too.