Avast blog movie review: The Social Dilemma

Earlier this month, Netflix started streaming the movie The Social Dilemma. It was first screened at Sundance earlier this year, and now is widely available. Since its release, it has been widely reviewed.

The film combines documentary-style interviews with leading nerds behind Facebook, Twitter, Uber, Instagram, etc. along with star turns from Shoshana Zuboff, Jaron Lanier and Renee Diresta. The thesis is that the social giants have sold us and our data down the river, and we now are stuck with them. The New York Times review is mostly positive, saying the interview subjects are “conscientious defectors from these companies who explain that the perniciousness of social networking platforms is a feature, not a bug.” The best interview subject is Tristan Harris, a former design ethicist at Google who now runs a non-profit called the Center for Humane Technology.

You can read my extensive review of the film on the Avast blog here. The film could be one small step to help understand the role that social media plays in our lives. It could  also help start some conversations with the less tech-savvy family members and friends.

Congradulations: you have been phished!

Phishing scams abound, if my own personal situation is any indication. This past weekend, I received two text messages — technically this is smishing or SMS phishing, but still. One looked like this (don’t worry, it is just a screencap):

You’ll notice a couple of tells. First is that it is addressed to me by name. Usually, when my close friends and family send me texts, they don’t include my name. And the fact that a phisher knew my name is a bit concerning. The other is that it contains an active link, just waiting to be clicked on.

I got another text that was slightly less salacious, as you can see to the left. Again, my name is mentioned. Because of the subject, it is more insidious — now that we are ordering almost everything online the packages are coming to our doors in droves. But note this one tell — the package was mailed back in April. Granted, things are slowing down somewhat over at the USPS, but still.

The FCC has issued this warning about smishing with several illustrations. And the crooks are getting more clever, with this case described by Brian Krebs on how one criminal combined smishing with using a cardless ATM transaction (meaning just using a mobile phone for withdrawals) to steal funds from victims’ accounts.

Corporate security folks are trying to get ahead of the attackers, and many regularly conduct phishing simulation or training exercises. Sometimes these misfire. The WaPost reported on a recent phishing training exercise that was completely misguided. The Tribune Co. sent around a message with “Congradulations, executives!!” in the subject line (hence my usage in today’s essay title). The email promises bonuses to come, if only the staffer would click on the enclosed link. Yes, the deliberate mistakes (spelling and duplicate exclamations) and the embedded link should be the tells that something is amiss. Whether you think this insensitive (given the number of layoffs in this industry) or just plain dumb, it still was a poor choice to demonstrate and train users. While it is true that potential phishing messages do use this particular lure, the Trib IT department should have known better.

Smishing isn’t the only lure used by hackers of course. Ironscales has compiled a collection of fake login pages that try to fool people into thinking they are authenticating their AT&T, Apple, Bank of America and more than a dozen other accounts. Their research has shown there are thousands of these fake login pages circulating around online. Ironically, the email from their PR department announcing this research was flagged by Google as risky, warning me not to click.

So here are a few pointers on how to prevent these types of attacks.

Don’t respond to any calls to action you get via texts or emails. Think before you click on the links or call the phone number listed. Better yet, don’t respond or click or call. This includes sending back a “Stop” text message. Just hit the delete key.

If you feel you have to respond, do it out of band. Go to the FedEx website directly and track your package that way. Call your bank directly to see if you have a fraud alert. Here is a Tweet stream that shows the lengths that one person went through to research and vet one text. My wife got a phishing email recently and did exactly that to find out it wasn’t genuine.

Finally, is something out of character? Is this a text or email out of the blue from some long-lost correspondent? Or does it contain (one or more) simple grammatical errors? Or is an offer of money too good to be true? That is because it isn’t. Do you really think the IRS or Social Security Administration sends you texts? News flash: they don’t.

Back to college, Covid-style

As most of you know by now, I live in St. Louis. This is midway between two major rival state schools, in Columbia (Mizzou) and the University of Illinois at Urbana-Champaign. The two schools have markedly different Covid testing policies this semester. I will get to that in a moment, but first, take a look at this dashboard developed by the College Crisis Initiative:

You can see the focus in my metropolitan area of each school and the various policies that have been adopted, ranging from full in-person classes to all-online instruction and various in-between choices. There is a lot of variation among the colleges and universities just on this small portion of the map. This reflects the variation of policies about the pandemic. In my region, we have different policies for mask wearing: a county just south of the city went from masks highly recommended to required to revoking the requirement, all within 24 hours. Such is the toxic mixture of politics and public health, with emphasis quite literally on toxic.

It is certainly a confusing time to be attending college. Mizzou is using a hybrid model: some in-person classes and some online. Each school’s dean makes their own decision. Students are required to report positive tests to the campus health department.

Illinois has gone whole-school testing. They aim to test everyone (including staff and faculty) twice a week, whether or not they show symptoms. They are doing thousands of free tests daily, using a new saliva-based protocol that was developed internally (Yale and the NBA are also doing something similar), with results available in minutes. Students receive results on an app on their phones, which allows them access to classrooms if they test negative. Interestingly, most of their classes are being held online, even though students are living on campus. All this planning didn’t help: students still went to parties and got infected.

Some schools, such as Notre Dame, began their semesters with plans for all in-person but got spikes in infections and then paused these classes to do more testing. The cause appeared to be a combination of large on-campus gatherings of non-mask wearers and two off-campus parties attended by biz school students. I guess the students took to their mirroring of adult life very faithfully.

To show you what shouldn’t be done is the example of Albion College in Michigan. Ironically, it has academic programs to train contact tracers to be hired by health agencies. Last month Zack Whittaker at TechCrunch wrote about a new Covid tracking app from Aura that is being deployed at the college. The app is mandatory for all students and tracks their real-time locations.

If you think you have already heard about Aura, there is another product with this name that is a mood tracker for the Apple Watch. There is also the Oura ring which is another health and activity monitor. But the Albion Aura app is a problem. Like at Urbana, students need to use the app to gain entry to classrooms. If students uninstall the app or don’t share their location with the app, they could be suspended. Its first release contained rookie security errors, one of which was found by one of the college’s compsci students. There is a long list of FAQs on the college website. I was more confused reading the entries and I can’t imagine what students and parents at Albion might think.

Clearly, we are all feeling our way through these trying times. And the Mizzou link above will take you to a SciAm piece that compares strategies at other schools. If you have a college student in your family, do share your own reactions here about your own perspective.

Avast blog: An elections security progress report

Twelve Tuesdays from today, the US national elections will take place, and infosec professionals are doing their best to adapt to changing circumstances brought on by both the pandemic and the tense cyber-politics surrounding them. More states are expanding mail-in voting and planning the necessary infrastructure to distribute and process paper ballots. State elections officials are also deploying better security measures, banding together to form the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership in the information sharing and analysis center has grown considerably since the 2018 election.

In this blog post for Avast, I review what is going on with election security since we last covered the topic during the March primaries. There have been numerous events in the past week that have brought new context to the intersection of technology and our elections. And I also mention several presentations given at Black Hat and DEFCON that bring us up to date on what is happening with election security.

If you are unemployed, start rebuilding your personal brand

I am very fortunate: I have worked for myself for decades and have a great collection of clients that keep me busy with plenty of freelance writing assignments. But because our economy is in rough shape, there are lots of folks who are out of work right now. This made me think back to the time in 2006 when I got fired from my last full-time gig, running the editorial operations of the various Tom’s Hardware websites.

It wasn’t the first time I went to work and was told to pack up my things and leave that same day. It is a horrible feeling: you think you are worthless, that you will never work again. That you have failed. I was scared that I wouldn’t be able to make my mortgage payments. I had moved across the country to take that job, and now what was I going to do?

Unlike the astronauts, failure is an option. I wrote about this many years ago, where I described some of my numerous failures in my career, such as my books that didn’t sell or websites that weren’t successful at attracting interest.

I thought of this because I am reading an interesting book by Lauren Herring, Take Control Over Your Job Search. It is all about helping you to find a new job — not that I need to or want to make changes to my current situation mind you. I am very happy with being a full-time freelancer, and thankful that I can work for such great clients. But if you are less fortunate, or if you know someone who has gotten stuck with unemployment, this book might be worth picking up. Lauren is the CEO of a coaching/recruitment firm here in St. Louis.

Sure, there are a lot of job-search books out there. This book has some intersections with three sources: that seminal job searching book What Color is Your Parachute, Elisabeth Kübler-Ross’ stages of grief and the mindfulness work by Jon Kabat-Zinn. But what I found interesting in Herring’s book is that she addresses the biggest issue of today’s unemployed: your emotional state of mind. Yes, you can fill out all of the Parachute’s exercises and have a sparkling resume. You can meditate daily and figure out whether you are in denial or still bargaining with your newfound unemployment. But if you approach your virtual interviews with a lack of confidence, or too much confidence, or can’t even leave your house without a boatload of fear, you won’t get anywhere. “The ability to notice, understand, and process your emotions is more critical to success and happiness today more than ever before,” she writes.

Herring describes how to respond to ten different emotions (that’s the multi-step Kübler-Ross stuff) of grief, anger, and frustration with ways to respond to them and Parachute-style exercises to get you to discover your own state of mind and ways that you can move through the paralysis towards more positive outcomes (a la mindfulness). Along the way you will be using a group of what she calls your “super team” of supporters to help you role play and arrive at better outcomes and write journal entries of your reactions. “The goal of this book is to replicate the live experience of working with a career coach as best as possible,” she writes.

Take fear, for example. To fight it, she cites several case studies of the jobless that she or her company has coached. “Potential employers can sense your fear about your job search,” which as you might imagine doesn’t bode well to get callbacks or offers. And if you find yourself taking rejection personally and feeling resentful, you need to reset these feelings. For example, you should do some research and find out if you have your facts straight.

One of the more interesting aspects is shaping your personal brand, which is something that I have written about several times, and part of some of my own career coaching presentations. Your brand needs to come through in all your digital elements: LinkedIn profile, your resume and so forth. “This is one of the most uplifting tactics you can do during your job search,” she writes, and a good way to counter some of the negative emotions you are experiencing. Being clear on your brand is a great way to define your next job, and to ensure that your performance once you get that job will measure up to the expectations of you and your manager too. It is great advice for folks who have jobs and want to move ahead too.

One missing element from this book is some specific strategies in these times when we are working from home. While some of her methods can be easily modified and she does mention things like virtual interviews, I think the topic deserves its own special chapter. Perhaps she’ll include this on her website as a supplement.

Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (such as a reused one that has been already leaked in another breach), your account is still secure because you have this additional secret to gain access. Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes.

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Network Solutions blog: Cost-effective ways to improve your network bandwidth

As more of us work from home, we need to ensure more consistent and better bandwidth connections. By better bandwidth, we mean one or more of three cost-effective methods that can be used to boost your Wi-Fi signal, reduce network latency, and improve your wireless throughput. To figure out which method or methods will work the best for you, there are some simple tests you can perform before you go shopping for new gear, including a new home router or a better Internet provider connection plan. You should periodically test your network bandwidth and throughput to ensure that you don’t have any bottlenecks, and don’t be afraid to change your provider to get something better.

You can read my blog for Network Solutions here.

Turkish tactics with blocking social media

Today in our Congress, the four executives of Big Tech (Cook, Zuck, Bezos and Pichai) will testify about their business practices. (You can watch this live or on demand here.) I have written previously about Apple’s issues with running its App Store here. ProtonMail’s Andy Yen has nicely summarized things from his perspective — as a vendor that is trying to make a living selling encrypted mail services. If you want a longer exposition, today’s NY Times has this handy reference piece that reviews the major issues.

Sorry to hit you with so many links but I wanted to get all that down. Who knows if Congress will act to fix things with Big Tech, but in the meantime we have gotten a preview with a potent counter-example. This week the Turkish government has issued new laws that are aimed at regulating all social media platforms with more than 1M daily users — meaning Facebook (including its WhatsApp and Instagram networks), Pinterest, Twitter, Telegram and YouTube. Basically, everyone.

The regulations call for each vendor to operate a local office in Turkey and store all Turkish data in a local data center. You can imagine the potential for abuse right there. The staff of each office will also be responsible for blocking content requests from the government, and need to respond within two days or risk huge fines. The new law is supposed to go into effect October 1. For several years, Turkey has been blocking all Wikipedia content — and only lifting this restriction in January. And they have been after Netflix as well, resulting in four productions closing up. Ironically in the US, Netflix has received a boatload of Emmy nominations this week. The Times cites one statistic that the government last year blocked more than 400,000 websites.

I wanted to see for myself what actually has been going on with Turkey, and I went to the various “transparency reports” produced by the Big Tech vendors. No doubt in today’s testimony these reports will be cited several times. The reason why I put them in quotes is because figuring out any meaningful information from these reports isn’t easy, as you might suspect. Each of the Big Four vendors has a different format (innovation is alive and well) that makes it difficult to compare them to each other. But to save you the effort, here are a couple of spreadsheet fragments so you can see for yourself. The quick summary: Turkey is certainly at the top (Twitter) or nearly so of the most requests to block content. For Twitter, as you see in this spreadsheet, the two columns account for removal requests by the courts (which could be politically motivated) and government-based requests, which you can see add up to more than 6,000, roughly a third of the total removal requests sent to Twitter over last year.

Facebook has a similar spreadsheet, and Russia tops their list, but Turkey is in the top 15. Here are Google’s page of statistics for Turkey. Overall, since 2009, the Turkish government has submitted more than 12,000 requests to remove items. But it is hard to compare them with other countries unless you bring up the separate pages, and when you do that you see different ways to display the data by country that make any comparison impossible. Apple’s page on Turkey can be found here. Again, the design of this report makes it hard to compare countries, but it looks like Germany is the top place to remove content, no matter which metric you use.

Turkey is far from an open democracy, as I am sure you realize. My point here is that while this recent legislation is poorly designed (and will no doubt be challenged and could be modified before it actually takes effect), it should serve as a warning for our government to try to do the right thing, however you want to define that. I wish our Congress a lot of luck, especially trying to do this in an election year. In the meantime, have fun trying to interpret all these numbers and making sense of them.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is surprisingly our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

Avast blog: Your guide to safe and secure online dating

Recently, information from five different dating sites has leaked millions of their users’ private data. The sites cover users from the USA, Korea and Japan. On top of this, a variety of other niche dating apps (such as CougarD and 3Somes) had data breaches of their own that exposed hundreds of thousands of users’ profiles in May, including photos and audio recordings. This latter event occurred thanks to a misconfigured and open Amazon S3 storage bucket. Thankfully, the owner of the account quickly moved to secure it properly when they heard from security researchers. We haven’t heard much about dating site breaches since private data from some 30M Ashley Madison users were posted online in 2015.

In this time of the pandemic when more of us are doing everything we can online, dating remains a security sinkhole. This is because by its very nature, online dating means we eventually have to reveal a lot of personal information to our potential dating partners. How we do this is critical for maintaining both information security and personal safety. In this post for Avast’s blog I provide a bunch of pointers on how to do this properly and provide my own recommendations.