Nok Nok blog: 10 Years Later – How Nok Nok Labs brought about a change in strong and passwordless authentication

Nok Nok Labs came into being, a decade ago and is having its’ moment in the spotlight. The company has seen the FIDO standards become adopted around the globe, in some cases with very large scalable deployments that involve millions of end users and sold more than 500M key pairs. Along with helping to assemble the beginnings of the FIDO Alliance, Nok Nok engineers were co-creators of this now well-established set of authentication standards and have continued to innovate (with 50 patents filed), integrate and improve upon them in the past decade.

They are now one of the leaders in providing passwordless authentication, which now signifies a bona fide market segment, all thanks to FIDO protocols which make it easier for companies to transition, deploy, and manage a more secure solution that is focused on stronger security and privacy.

You can read my post on Nok Nok’s blog here.

Avast blog: Understanding the Pegasus project

Earlier in July, a group of security researchers revealed that they had been working together to uncover a widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth. In this blog post for Avast, I explain the collaboration, link to various media reports about what they found out, and ways that you can protect yourself — although the chances that you will become a target of this spyware are pretty slim.

Avast blog: Enhancing threat intelligence using STIX and TAXII standards

For many years, cybersecurity companies have invested in building sensor networks and detection capabilities to build a greater understanding of adversaries’ tactics, ever-changing techniques, and the threats posed to the world’s internet community.

One of the critical foundations of protecting all uses of the internet is for the security defenders to better understand what malicious activities look like and how to stop them. With that backstory of gaining greater insight, many security companies must not only understand their own data but also learn and share with others doing the same.

In my latest blog post for Avast, I take a closer look at two threat data sharing standards, STIX and TAXII.

Linode blog: Three app security guides

I have written a series of blog posts to help developers improve their security posture.

As developers release their code more quickly, security threats have become more complex, more difficult to find, and more potent in their potential damage to your networks, your data, and your corporate reputation. Balancing these two megatrends isn’t easy. While developers are making an effort to improve the security of their code earlier in the software life cycle, what one blogger on Twilio has called “shifting left,” there is still plenty of room for improvement. In this guide, I describe what are some of the motivations needed to better protect your code.

Many developers are moving “left” towards the earliest possible moment in the application development life cycle to ensure the most secure code. This guide discusses ways to approach coding your app more critically. It also outlines some of the more common security weaknesses and coding errors that could lead to subsequent problems. In this post, I look at how SQL injection and cross-site scripting attacks happens and what you can do to prevent each of them.

Application security testing products come in two basic groups and you need more than one. The umbrella groups: testing and shielding. The former run various automated and manual tests on your code to identify security weaknesses. The application shielding products are used to harden your apps to make attacks more difficult to implement. These products go beyond the testing process and are used to be more proactive in your protection and flag bad spots as you write the code within your development environment. This guide delves into the differences between the tools and reviews and recommends a series of application security testing products.



Avast blog: Should you just walk away from Amazon’s “Just Walk Out” tech

If you’ve been following Amazon’s move towards having physical storefronts, you probably have seen the news about a series of different types of retail stores they have created, including bookstores, grocery stores, general merchandise stores, and shops selling prepared food. Add to this along with the fact that they’ve owned Whole Foods Markets for the past four years. In my blog post for Avast, I take a closer look at the way that these Amazon outlets collect customers’ money, how they access their data, and some of the privacy implications tied to Amazon’s “Just Walk Out” technology. These stores and technology take the collection of shopper data to the next — and perhaps creepier — level.

Finding the right VPN isn’t so simple

Never has some imperfect corporate memory been so public before now. In recent testimony before Congress, the CEO of Colonial Pipeline admitted they had forgotten about an old VPN connection that the hackers had found and exploited. “It was an oversight,” he said. I was amazed at this revelation. Yes, we all forget about things, but this was a biggie. You might recall that a few years ago Avast had an unauthorized access to an unused VPN account.

This reminded me of my own “oversight.” Turns out I had created a second user of my password manager, something that I had setup years ago and never used. This username didn’t have the appropriate password and multi-factor protections. Even within my small company, it is easy to lose track of things.

But being forgetful is just one of several different VPN problems. If you are going shopping for a VPN, you need to consider this. Some VPNs have very good digital memories and are keeping track of your digital movements, even though they claim not to log or store your data. This could be caused by the vendors who are deliberately harvesting their customers’ data. If you aren’t paying for your VPN, chances are good that is how your VPN vendor is making money.

There is another issue, that some VPNs aren’t very well constructed and contain coding errors or make use of sub-standard encryption protocol implementations. This happened several years ago, when hackers found their way into NordVPN, TorGuard and VikingVPNs. PulseSecure VPN has had its share of problems for several years, including a recent hack that enabled back doors.

Some VPNs have the potential for leaking DNS data and IP addresses of their users. Last year, a series of reports were published (one by VPNcrew, the other by VPNmentor), that demonstrated that potentially 20M users have had their private data leaked in this way.  Not helping matters is that some of the VPNs deliberately hide their corporate ownership details to disguise the fact that they have shady origins.

So how to fix this? First, find out if your VPN vendor has paid for an independent audit. McAfee’s TunnelBear, for example, does regular security audits of their code and publishes the results. My VPN of choice is ProtonVPN, which also publishes its audit results and takes things a step further by publishing its source code too. There are other open-source VPNs too.

Second, you should understand the testing rubics that the major computer publications use in their VPN ratings. If you are ready for a deeper dive, here is a detailed explanation of how rigorous your tests need to be and suggestions for testing tools. There are various tests including the DNS Leak Test and the IPLeak test. If you want to do these tests yourself, compare the output when not using any VPN to what they show when you turn on the VPN.

And you might want to review your own infosec posture, and track down “forgotten” accounts that you have created that have fallen by the wayside. You never know what you might find.

CSOonline: CSPMs explained

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

I discuss the importance of CSPMs and what you need to know to evaluate one of them for your particular circumstances in my CSOonline post.


Avast blog: Reimagining staffing in the cybersecurity industry

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years.

You can read my analysis of their report here on Avast’s blog.

Avast blog: Time to walk away from Amazon’s Sidewalk

Amazon is releasing a new service called Sidewalk, which allows people to share their wireless network with their neighbors over a low-power Bluetooth mesh network. If you want to read more, The main benefit would be expanding the WiFi coverage for low bandwidth devices.  Amazon explains that Sidewalk would enable outdoor devices such as security cameras and smart lamps to stay connected even when wifi connection is lost as they are often at the edge of a home’s wifi coverage.  Additionally, this service can be used for Tile trackers to locate valuables.  While the service is free, there are serious privacy concerns. I’ll tell you why you should walk away in my latest blog for Avast here.


CSOonline: Hacking 2FA: 5 basic attack methods explained

Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it still is far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all and only 11% of enterprise accounts are protected by some MFA method. The pandemic was both good and bad for MFA uptake. I explain more about this, and touch on five ways that MFA can be compromised.

You can read more of my blog post for CSOonline here.