Avast blog: Your guide to safe and secure online dating

Recently, five different dating sites leaked millions of their users’ private data. The sites cover users from the USA, Korea and Japan. On top of this, a variety of other niche dating apps (such as CougarD and 3Somes) had data breaches of their own that exposed hundreds of thousands of users’ profiles in May, including photos and audio recordings. This latter event occurred thanks to a misconfigured and open Amazon S3 storage bucket. Thankfully, the owner of the account quickly moved to secure it properly when they heard from security researchers. We haven’t heard much about dating site breaches since private data from some 30M Ashley Madison users was posted online in 2015.

In this time of the pandemic when more of us are doing everything we can online, dating remains a security sinkhole. This is because by its very nature, online dating means we eventually have to reveal a lot of personal information to our potential dating partners. How we do this is critical for maintaining both information security and personal safety. In this post for Avast’s blog I provide a bunch of pointers on how to do this properly and provide my own recommendations.

Avast blog: Understanding BlueLeaks

Earlier this month, a group of hackers published a massive dataset stolen from various local law enforcement agencies. The data has been labeled BlueLeaks and contains more than 269 GB of thousands of police reports that go back at least two decades from hundreds of agencies from around the US. The reports list private data including names, email addresses, phone numbers and bank accounts. The source is a group called Distributed Denial of Secrets or DDoSecrets, which like Wikileaks has been publishing various leaked datasets for many years.

The data can be easily searched as shown in the screenshot below.

What BlueLeaks shows is that third-party IT providers need to be properly vetted for their internal security methods. While having an easy-to-update website is great, it needs to be secure and all accounts should use multi-factor authentication and other tools to ensure that only authorized users have access. You can read more about the leak and its relevance here in my post for Avast’s blog.

RSA blog: Making the Next Digital Transition Will Require Extensive Security Planning

We are all in a forced march towards a more accelerated digital transition because of the virus. McKinsey is one of many consulting firms that have proposed a 90-day guide towards moving into this brave new era. And while I don’t want to pick on them specifically, their plan, like others of its ilk, is somewhat flawed. It will take more than Zoom and Slack meetings and a corporate subscription to G Docs or O365 to remake our organizations.

“Every remote worker is now a separate risk to the company,” Canadian cybersecurity consultant Andrew Brewer shared with CIM Magazine. “Each home environment is different, and with so many of them and [the health crisis] happening so suddenly it’s like a perfect storm for companies.”

To make this move successful, we all will have a lot more work to do in planning for this transition. Here are a few ways to begin to frame your thinking:

First, have a security-by-design approach to become more digital and to support remote working long-term. We have to stop giving lip service to InfoSec. Instead, we should be thinking about security first and foremost. This isn’t something to wait on until the end of a project, when the security team will be tasked with another “cleanup on Aisle 6” operation and asked to add security in after the environment is built. This means involving the entire C-suite at the beginning of the process to lay a solid foundation for a new network infrastructure, a new communications plan and the right kinds of gear for your remote workers.

Second, have a better understanding of the sea changes that will need to happen in DevSecOps to support 100% WFH. In a different report, McKinsey says that rapid IT changes “may have created new risks and exposures.” Planning for these risks and modernizing the tech stack may take more than a 90-day project timeline.

Finally, there is the parallel effort to understand the omnichannel approach that will be introduced with a digital-centric business model. The move towards 100% WFH will introduce even more digital channels, which means more opportunity for fraud. Over the years, I have spoken to Daniel Cohen, the Head of Anti-Fraud Products and Strategy for RSA. In his opinion, the way to combat this is to start investing in omnichannel fraud prevention. A more digital operation also means that your cybersecurity attack surface area will increase, so it will take “information security, risk management and fraud prevention teams to work together,” says Cohen.

As an example, I offer my purchase of some pants from the Gap. I got them online, but they were too small, so I returned them. I still haven’t received a credit for my return, because the returns are sitting in a big pile in some warehouse, waiting for an employee to sort through them to ensure that I did indeed return the appropriate merch. And this is from a company that has a robust online business. As long as the multiple channels intersect with some human-provided function, you will still have non-digital intersections and collaborations that will need careful planning and attention.

There are many risks and challenges associated with digital transformation in response to the current health crisis. I think they can be conquered, but all will require significant planning to ensure that we manage the associated risk appropriately.

Avast blog: Why is eBay port scanning my PC?

Every week brings more security news, and this week it is about an interesting piece of JavaScript that can run in your browser if you happen to use eBay under a particular set of circumstances. The code can scan your computer and send information back to a security vendor, which could be used to track your movements across the Internet.

You can read my column for the Avast blog where I explain what port scanning is, what information is being collected, why an eBay contractor is doing it (supposedly to reduce fraud) and how security researchers figured out what was going on.

Avast blog: The latest security trends from Verizon’s annual breach report

Today Verizon published the latest 2020 Data Breach Investigations Report (DBIR). What sets the DBIR apart is that it combines breach data from multiple sources using the common industry collection, VERIS, a third-party repository where threat data is uploaded and made anonymous. This gives the report a solid authoritative voice, which is one reason why it’s frequently quoted by the security community. Report citations also come from vendor telemetry sources, so it is also a bit self-referential.

I look at overall SMB and ransomware trends, along with the declining popularity of malware in favor of more web app exploits. You can read more about these trends in my blog for Avast.

CIO.com webinar: Managing third-party risk in uncertain times

The world of risk management is undergoing some important changes. Security has become everyone’s concern and is not just the province of the IT department any longer. As our businesses become more dependent upon digital technologies, they become bigger targets for attackers to invade our networks and our endpoints. Understanding where our weakest links are located and how to remove them will become essential to ensure the future health and cybersecurity of our enterprises.

The world of risk management is undergoing big changes, some due to uncertain times with the COVID-19 pandemic. In this webinar done on behalf of Security Scorecard for CIO.com, I explore some of these best practices to assess these risks.

Tracking your browsing using HTML canvas fingerprinting

Every time you fire up your web browser your movements and browser history are being leaked to various websites. No, I am not talking about cookies, but about a technology that you may not have heard much about. It is called canvas fingerprinting.

In this post, I will tell you what it does and how you can try to stop it from happening. Beware that the journey to do this isn’t easy.

The concept refers to coordinating a series of tracking techniques to identify a visitor by the browser, IP address, computer processor, operating system and other details they use. Canvas is based on the HTML 5 programming interface that is used to draw graphics and other animations using JavaScript. It is a very rich and detailed interface, and to give you an idea of the data that the browser collects without your knowledge, take a look at the screenshot below. It shows my computer running Chrome on Mac OS v10.13 using Intel hardware. This is just the tip of a large iceberg of other data that can be found quite easily by any web server.

HTML Canvas has been around for several years, and website builders are getting savvy about how to use it to detect who you are. In the early days of the web, tracking cookies were used to figure out if you had previously visited a particular website. They were small text files that were written to your hard drive. But canvas fingerprinting is more insidious because there is no tracking information left behind on your computer: everything is stored in the cloud. What is worse is that your fingerprint can be shared across a variety of other websites without your knowledge. And it is very hard to eliminate this information once you start using your browser and spreading yourself around the Internet. Even if you bring up a private or incognito browsing session, you are still dribbling out this kind of data.

How big an issue is canvas fingerprinting? In a study done by Ghostery after the 2018 midterm elections, they found trackers on 87% of a large sample of candidate websites. There were 9% of sites having more than 11 different trackers present. Google and Facebook trackers appeared on more than half of the websites and Twitter-based trackers appeared on a third of the candidate webpages.

So what can you do to fight this? You have several options:

  1. Make modifications to your browser settings to make yourself more private. The problem with this is that the mods are numerous and keeping track of them is onerous. This post gives you a bunch of Firefox suggestions.
  2. Use a different browser that gives you more control over your privacy, such as Brave, or even Tor. In that linked post I mention the usability tradeoffs of using a different browser and you will have to expend some effort to tune it to your particular needs. I tolerated Brave for about two days before I went back to using Chrome. It just broke too many things to be useful.
  3. Install a browser extension or additional software, such as PrivacyBadger, Ghostery or Avast’s AntiTrack. I have already written about the first two in a previous post. AntiTrack is a stand-alone $50 per year Windows or MacOS app that works with your browser and hides your digital fingerprint, including tracking clues from your browser canvas, without breaking too much functionality or having to tweak the browser settings. I just started using it (Avast is a client) and am still taking notes about its use.
  4. Only run your browser in a virtual machine. This is cumbersome at best, and almost unusable for ordinary humans. Still, it can be a good solution for some circumstances.
  5. Adopt a more cautious browsing lifestyle. This might be the best middle ground between absolute lockdown and burying your head in the sand. Here are a few suggestions:
  • First, see what your HTML Canvas reveals about your configuration so you can get a better understanding of what data is collected about you. There are a number of tools that can be used to analyze your fingerprint, including:

    Each of these tools collects a slightly different boatload of data, and you can easily spend several hours learning more about what web servers can find out about you. 

  • Next, assume that every website that you interact with will use a variety of tracking and fingerprinting technologies.
  • Always use a VPN. While a VPN won’t stop websites from fingerprinting your canvas, at least your IP address and geolocation will be hidden.
  • Finally, limit your web browsing on your mobile devices if at all possible. Your mobile is a treasure trove of all sorts of information about you, and even if you are using any of the more private browsers you still can leak this to third parties.
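As an added example (not code from the original post), this JavaScript snippet performs the self-check suggested in the first bullet above: it renders the same text and shape twice to an off-screen canvas, hashes each rendering, and reports whether your browser returns a stable canvas (fingerprintable) or injects noise (an anti-fingerprinting protection is active). Paste it into the browser’s developer console; the FNV-1a hash, the drawn text and the verdict labels are my own choices, not part of any tool the post mentions.

```javascript
// Added example: self-check for canvas fingerprint protection.
// Assumes a browser environment with the HTML5 canvas API (run in devtools).

// FNV-1a 32-bit hash, used only to turn a long data URL into a short label.
function hashString(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Draw a fixed scene (text + rectangle) and read the pixels back as a data URL.
// Font rasterization, anti-aliasing and GPU differences are what make this
// output vary between machines, which is exactly what trackers exploit.
function renderCanvas(doc) {
  const c = doc.createElement('canvas');
  c.width = 220;
  c.height = 40;
  const ctx = c.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(100, 2, 60, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('canvas check \u{1F600}', 2, 15); // emoji exercises font fallback
  return c.toDataURL();
}

// Two identical renders should match byte for byte on an unprotected browser.
function classifyRenders(a, b) {
  return a === b ? 'stable' : 'randomized';
}

// Returns the two hashes plus a verdict; 'blocked' covers protections that
// throw when the canvas is read back (assumed behaviour, not tool-specific).
function checkCanvasProtection(doc) {
  try {
    const a = renderCanvas(doc);
    const b = renderCanvas(doc);
    return { hashes: [hashString(a), hashString(b)], verdict: classifyRenders(a, b) };
  } catch (e) {
    return { hashes: [], verdict: 'blocked', error: String(e) };
  }
}

if (typeof document !== 'undefined') {
  console.log(checkCanvasProtection(document));
}
```

Some protections randomize the canvas only once per site or session rather than per read, so two identical hashes do not prove the canvas is unprotected; compare the hash across two separate private windows as well.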

 

Watch that meme!

Take a look at the image below. It has been reposted thousands of times on social media.
[Image: tweet by Jon Cooper 🇺🇸 on Twitter: “Yo, Mister White Racist. If I was you ...”]

Notice anything odd about it? Perhaps if you are good at sight proofreading, you might catch that the words accommodate and illegals are both misspelled. Now let me ask you another question: where do you think this picture would be posted? On accounts from right-wingers? Perhaps, but it was also posted on leftist accounts as well, with words about “look how idiotic these other guys are.” Sad to say, both sides are getting played: according to Internet researcher Renee DiResta, the image was created by the state-sponsored Russian trolls at the Internet Research Agency. It was carefully crafted to inflame both sides of the political spectrum and as a result was very popular a few months ago.

When we receive items like this in our news feeds, the natural reaction is to click and forward it on to a thousand of our closest Internet friends. But what this small example shows you is to stop and think about what you are doing. That meme could travel around the world in a few seconds, and end up more likely hurting your cause. How many of us have gotten some major bombshell (such as Fox News’ John Roberts saying the Covid virus was a hoax), only to find out from Snopes and other fact-checking places that we were misled?

Indeed, if you do an image search on the “foreign language” patch above, you will likely see a number of different versions: some with the correct word spellings, some with corrections with red overlays, and some with different borders and other small differences. What this shows me is how effective this patch was, and how insidious was its purpose at sowing dissent.

I wrote a post earlier this year about how to vet your news feed. Take a moment to re-read it if you need a reminder, along with some tips on how to evaluate potentially fake images and other propaganda. Earlier in April, WhatsApp put a limit on how often viral messages can be forwarded: just to a single person (it used to be five people). That helps, but the social platforms could do a lot more to screen for these abuses.

About ten years ago, I ended one of my columns with the following advice. Watch out for those memes, and take a breath before clicking. You might save yourself some embarrassment, and also not get played by some troll. Some things sadly never change.

RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with RSA’s long history of its SecurID one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have been a great business for RSA and lately are undergoing a renaissance with a newfound interest among security managers. In this month’s blog, I take a look at this evolution, why the hardware token is coming back, and what are some of the current trends in multi-factor authentication (MFA) too.

Today’s hardware token has gotten more sophisticated than that original fob that just displayed a series of random OTP digits. This was partly a necessity, since their use has always been somewhat cumbersome for both end users and security managers alike. (I mentioned this drawback in one of my reviews of MFA tools in Network World in 2013, when I said that “toting around tokens means that they can get taken, and in a large enterprise, hardware tokens are a pain to manage, provision and track.”) Still, this review in 2012 mentioned this attraction for using hardware tokens: “They don’t require app developers to rewrite their apps from scratch, and the hardware token provides us with the level of security assurance we want and need. We’ve been carrying tokens around for 25 years; I wonder if they’ll make 50?” I think we can safely say that tokens will have this longevity.

In 2016, several vendors released smarter hardware tokens that came with encryption keys or encryption engines embedded. This made them easier to use, because of push authentication methods that eliminated a few steps. More recently, there have been other vendors who have released hardware tokens that support the Fast Identity Online (FIDO) protocols, so a single token can work with a variety of authentication servers. In the past, each fob was married to a particular server, which meant users had to cart around a collection of tokens if they needed to login to multiple servers and cloud-based services.

As the tokens were getting more capable, the demand for better MFA security was also increasing. Remote workers were on the rise, and earlier this year travel restrictions and flight cancellations because of the coronavirus made remote work more necessary and acceptable. That in turn drove increased demand for better authentication methods such as both hardware and smartphone-based tokens. A good case study is the US Army, which is expanding its MFA coverage to National Guard members and first responders to use hardware and smartphone tokens.

At the same time, this increased demand didn’t escape the criminal world, which began to focus on ways to exploit MFA weak points, especially SMS-based MFA methods. The FBI issued warnings last fall that documented various techniques to bypass MFA methods, including swapping out cellphone SIM cards, using specially designed malware to automate MFA phishing schemes and employing social engineering methods to fool users into providing the OTP digits in real time. At the RSA Conference last month, researchers documented new methods to get around the MFA smartphone apps by using outdated phone operating systems, attacks called Android screen overlays that fool users into entering the OTP codes, or other compromises of the mobile phone OS kernel itself.

Where do we go from here with deploying MFA? Here are a few thoughts. First, you need to take a step back and craft a solid access and authentication management strategy for your entire enterprise out of whole cloth. You should examine whether every user needs a hardware token and for all their access methods. Instead, focus on the relative risks. For example, tokens are a good idea for those users who handle money transactions, but perhaps not if their jobs are on the factory floor. Next, think about how you handle your partners and customers’ transactions, and how to beef up their logins. Getting hardware tokens registered and eventually revoked to anyone who isn’t a full-time employee is still painful. And also consider whether you should mix and match hardware and smartphone MFA apps, especially when the application circumstances and risk profiles dictate.

Finally, consider how to authenticate cloud apps. Some clouds support standards that make integrating smartphone MFA apps easier, so that might be a better solution. At the end of the day, having more MFA is usually better than no MFA, but it should be deployed intelligently and carefully.

Avast blog: Primary update: Voting issues in Los Angeles and Iowa

Last week Super Tuesday brought many of us to the polls to vote for our favorite candidate for President. And while voting went smoothly in most places, there was one major tech failure in Los Angeles, which saw the debut of new voting machines. Let’s compare what went wrong in LA with the earlier problems seen during the Iowa caucuses.

In our earlier blog, I brought you up to date with what happened with the Russians hacking our 2016 and 2018 elections. But the problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors. For Iowa, the culprit was a poorly implemented vote-counting smartphone app from the vendor Shadow Inc. For LA, it was a series of both tech and non-tech circumstances.

I go into details about each situation and what we’ve learned in this post for Avast’s blog.