The European Commission enacted its Digital Services Act last November as another step in its efforts to regulate online services and platforms. Most of these regulations take effect next February, but some will require many European businesses — and others that have customers on the continent — to meet the first deadlines next week. Once again, Europe is moving further ahead of the U.S. in terms of privacy protection and forcing online businesses to be more transparent. This began with the General Data Protection Regulation five years ago and continues with the implementation of the DSA. More about this set of new regs in my latest post for SiliconANGLE here.
SiliconANGLE news: Preventing MFA Fatigue, New IoT compromise attacks
Two new analysis blogs for SiliconANGLE this week:
- Preventing MFA Fatigue.There is a new wave of infections spreading throughout the world that has nothing to do with COVID or, for that matter, any other physical disease. Called multifactor authentication fatigue, it’s highly contagious and spreads through the deception of determined hackers who want to steal users’ account details. But here is the irony: The more MFA a company uses, the greater the chance that a potential MFA fatigue attack will succeed.
- Codesys IoT vulnerability discoveredMicrosoft security researcher Vladimir Tokarev demonstrated an interesting attack on the industrial internet of things automation software called Codesys. Tokarev, who showed the exploit last week at the annual BlackHat security conference in Las Vegas, used a miniature elevator model to demonstrate how the attack could crash its cab. The software – and more importantly, its software development kit — is widely used in millions of programmable logic controller or PLC chips that run everything from traffic lights and water treatment plants to commercial building operations automation and energy pipelines.
A cautionary tale about elections security
If you believe the 2020 elections experienced massive fraud, or that electronic voting machines were running some software from space, then please skip this post. If you believe otherwise, then I would urge you to read my thoughts.
I was party to a massive elections fraud back in the 1970s, when I lived and worked for the city of Albany NY. Albany at the time (and still today!) was under the grip of a powerful Democratic machine, and as a city employee I was told as election day approached that I will vote, and that I will vote the Democratic party line. If I didn’t show up, or if I strayed into supporting GOP candidates, I would lose my job. Whether or not everyone’s votes were being monitored, I wasn’t going to risk it, especially as this was my first job out of college. I can’t prove anything, and my recollection might be fuzzy, but there was no denying that the city spent decades in the iron grip of this political machine.
I am telling you this because I have spent a lot of time researching voting fraud over the past several years, and can tell you that our elections have come a long way since my Albany days. I based this on first-hand knowledge, having spoken to IT managers at state offices, election researchers, and others who are in the know. Let me first present a few links for you to establish some bona fides.
First up is Alex Halderman’s analysis of the 2020 voting irregularities in Antrim County, Mich. This was the scene of numerous recounts — five of them — and the source of a lot of conspiracy theories. If you read Alex’s paper, you will see that many of these theories were easily explained by more obvious error sources, namely humans. I have met Alex in person and interviewed him on this topic and he is a very sharp guy. His paper concludes: there is “strong empirical evidence that there are no significant errors in Antrim’s final presidential results, including due to any scanning mishap.”
Copies of the voting machine software eventually found their way to Mike Lindell and his bogus “CyberSecurity Summit” that he held in South Dakota in the summer of 2021. One of the attendees at that conference was a long-time colleague Bill Alderson. He was interested in getting the promised reward of $5M to prove voting irregularities. You can watch Bill’s interview with local TV news where he unequivocally states that the data claimed by Lindell was a nothing burger (he had more colorful language when I spoke to him this week). In other words, there was no fraud, no evidence, nada. Bill never got a dime for his troubles, BTW.
There was several other county voting offices who were invaded by so-called security analysts looking for fraud. But they ended up doing their own fraud — and are now being charged for this by various legal efforts. These folks obtained copies of similar machine software and vote tally data cards. One of these locales was Coffee County, Geo. The AP ran this story about what happened last September and there was plenty of video footage, along with the data cards shown in the photo below that were given to these analysts. (Here is an excellent analysis from Lawfare too.)
As the 2020 election was happening, I was part of the CISA press group who was on the phone interviewing various officials on November 3rd. Granted, CISA had their own horn to toot, but from the evidence that I saw, the election happened without any major troubles. Yes, Chris Krebs lost his job shortly thereafter, which should tell you something about his integrity.
One lie that I hear often is the manipulation of mail-in ballots was done in a such way to swing the vote totals. Here is another data point: Colorado has been running universal mail-in ballots (meaning every registered voter gets one by mail, whether they want to use it or not is up to them). For years they have running fair and accurate elections. Neither major party had a problem with that, until the more recent elections. Here is a link to their info page, just to give you an idea of what they do. (Many states have had pre-Covid universal mail-in operations, BTW.)
Now, I warned you — here comes the hard part for me to write about. We are approaching a very dangerous time in our country. There are many people who believe this massive voting fraud happened, despite various genuine IT consultants’ evidence to the contrary. I am not here to try to convince them of the error of their ways.
But let’s talk about something that I find even more distressing. Please check out this recent Politico post on what happened last week at the Vegas BlackHat conference. To provide some context, each year this hacking event features various “villages” where a bunch of attendees come to try to break stuff, in this particular case voting machines. (I wrote about the 2020 election village DEFCON event for Avast here.) Given the state of our society right now, this year they put on some extra physical security for the event. And if you believe Politico’s reporting is accurate, it is very chilling to see.
By now many of us have heard about how elections officials have been threatened both at home and at their offices. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.
That is bad enough, but now these threats have blossomed beyond the folks running the elections to include digital security researchers that are looking into election and voting-related matters. And I am thinking about my early Albany experience. Yes, we have issues with vote counting and certainly there is plenty of mistakes made over the years. But to annoy and threaten the people who in many cases volunteer their time and do their civic duty and claim they have evil intent, just because the election didn’t go your way is a horse of a different color.
Where do we go from here? I don’t know. But thanks for reading this far.
SiliconANGLE: New reports show phishing is on the rise – and getting more sophisticated
Two new reports on phishing trends show a rise in attacks, and they’re taking more complex paths through the internet to connect victims with malware-laced websites. The trends are highlighted in Cloudflare Inc.’s annual phishing trends report released today, as well as the latest compendium of phishing trends by the Interisle Consulting Group. I go into details about both of them, and what the implications are for defenders and users, in my latest analysis for SiliconANGLE.
SiliconANGLE: Mitigating the latest processor attacks will be a chore on many levels
The names Downfall, Inception, Meltdown and Spectre might evoke the names of Bond villains, but they describe something almost as insidious: They are all central processing unit-based security vulnerabilities that have been uncovered in the past several years.
Each of them — the first two most recently and the last two harking back to 2018 — involves very specific attacks on hardware-level commands of various chips made or designed by Intel Corp., Arm Ltd. and Advanced Micro Devices Inc. All have required or will require patching with operating system updates and chip firmware updates. My story for SiliconANGLE goes into the details of each one and how they can be mitigated.
SiliconANGLE: Rapid7’s security chief Jaya Baloo: Break up silos to lock down cybersecurity
Not many chief security officers will point out not one but two times they took a job while their companies were under attack. But this is what happened to Jaya Baloo, who is now chief security officer at cybersecurity provider Rapid7 Inc. Even more interesting, she considers both times — which happened at two different companies — career highlights. She has a lot more to say in this profile for SiliconANGLE,
Lotsa news this week for SiliconANGLE
I have been busy writing for them this week, and since there is Black Hat and DEFCON in Vegas, there is a lot of news to share. Here is a recap of what I have posted.
- F5 announces new mobile app security protection
- Two new cybercrime takedowns show the global nature of these criminals and the effort involved in bringing them to justice.
- Google has promised its latest Android v.14 mobile OS will have some new security features. That is the good news. It will take time to percolate throughout their ecosystem, it is just for enterprise users, and you’ll probably need a new phone.
- The EvilProxy malware construction kit makes it easier for phishing attackers to ply their trade, and there has been a rise in such attacks according to Proofpoint telemetry. I do cite an interesting case of how Discuss (the vendor behind the popular software tool) took these MFA bypass threats to heart and spent the last year or so upgrading its authentication to using Yubico FIDO2 hardware keys.
- A new report examining the results of millions of threat simulations using Picus tools found there is plenty of room for improvement — not surprising. But the comparative analysis is worth reading in my post.
- If you think you are safe from your keystrokes being stolen, this article that shows the sound of your typing can be used to re-create your text under some extreme circumstances.
- CISA has issued warnings about malicious boot loaders taking control over UEFI firmware. Sadly, getting to the root of the problem (sorry) isn’t going to be easy.
- Finally, last week I wrote a nice analysis piece about the progress of payment tech. There has been a lot of progress since I first started covering this market sector back in the 1990s.
The trouble with Bob, a typical small businessman with tech issues
Small businesses have so much trouble with their IT support, especially if they are really small, have been around for a long time, and have owners that have just enough knowledge to know that they can do better. This was brought home to me with a nearly hour-long call with a friend of mine whom I will call Bob. Bob has four full time staff and several part timers, and has been in business for decades. We go back to the 1990s and have remained in touch, and he has called me for help on numerous times over the years.
I don’t mind being his IT support guru, and hey, I get to write this column as a result to share his pain with you. Let’s dive in.
Bob has several problems that he revealed by peeling layer by layer during our conversation. First was an aging Mac, and by aging I mean of late 2015 vintage. It is too old to run the current MacOS, a situation that I am all too painfully aware of myself. More on that in a moment. Then he needs a new printer. And what about his website? That has been down for some time, thanks to a variety of things.
And for DNS nameservers he is still using a friend from the dawn of the internet who has his own business to run — and the friend sometimes forgets that Bob’s email depends on him when he upgrades his servers, which will happen from time to time over many years. Bob is fearful about making any changes without understanding what he is doing. Oh, and by the by, his emails are getting blocked because he hasn’t set up DMARC/SPF et al. properly. And by properly, I mean he hasn’t set any of this up at all. And could his issues be due to a bad DNS entry somewhere? Perhaps.
Bob is typical of many small business people. They aren’t computer experts, even though Bob certainly knows his way around the tools mentioned above. But Bob has several things working against him:
- As he reminded me, I once told him his problem is that he takes really good care of his gear, but then hoards it way beyond the sell-by date. I am alot like him in that regard: last year I bought a Mac Studio that replaced a ten-year old Mac Mini. But the longer out you go with your gear, the harder it is to replace it. It took me months agonizing about this decision, so long that I missed several product review opportunities because I couldn’t run modern applications. Bob just wants to get his work done, he isn’t using anything special. Just old.
- He likes the all-in-one iMacs. I don’t: if you have to upgrade, you have to toss the whole unit out. Much better to have a separate monitor, and to have a system that you can add parts to it as needed. He does max out on memory when he buys his gear, which is a good strategy. But that 2015 vintage is time for the donation bin.
- He has multiple suppliers for his online presence. Having one ISP as his registrar, another one for his email, another for his website, and probably a few others for bits and bobs isn’t a good situation. I have two major ISPs: one for my registrar (GoDaddy) and Pair.com for my content (email lists, website). Make that three ISPs: I also use Google Workspace for my regular email functions. See how hard it is to keep track? As for Bob, his friend from the dawn of the ‘net is now ghosting him, and he doesn’t know what to do.
- He set a lot of this up years ago, back when things were simpler. That means his security exposure is a lot greater. Take the DMARC/SPF issue. It took me about six months and lots of help (in my case from Valimail) to get this working properly. Bob is frozen in indecision about how to even start on this particular project.
- He likes to have vendors that he can call up on the phone and talk him through things. I do too — that got me into trouble when my ISP died from Covid. He was a one-man operation, but once he was gone there wasn’t anything there. The trick is finding a company that prides themselves on good phone support. I am happy to report that Pair does a terrific job in this regard.
Bob will eventually figure this stuff out, get the right gear, and bring his operation at least into the 2020s. But all of this takes time away from doing productive work that generates income for his business. And that is the rub that many smaller businesses have to deal with: they aren’t IT specialists, and they don’t want to be. I don’t have that excuse: I have to play an IT guy on TV, or at least on the internet, every day.
SiliconANGLE: What’s behind the never-ending rise of online payment technologies
Amid the ups and downs of e-commerce over the years, online payment technologies continue to evolve and thrive — and lately they’re nothing less than a thriving scene of continued innovation and transformation, thanks to a series of converging trends and a continuing series of corporate acquisitions.
This progress has been helped by several factors that I get into in my post for SiliconANGLE today.
SiliconANGLE: PhishForce: New phishing attack involving Salesforce and Facebook uncovered
A new, unpatched exploit called PhishForce that involves a sophisticated email phishing campaign has been discovered by security researchers at Guardio Labs. The targets are Salesforce Inc. customers, and the threat involves spoofing the company’s email servers and domain names. The process of finding and fixing the issue reveals a lot about how security teams can work together to fight phishing. My post for SiliconANGLE is here.
–