Avast blog: The latest challenges to Section 230 reach the Supreme Court

The 2015 murder of the 23-year-old American student Nohemi Gonzalez is about to take center stage in a case that has made its way to the US Supreme Court. The woman was one of 129 people killed in Paris by a group of ISIS terrorists. Her estate and family members sued Google, claiming that a series of YouTube videos posted by ISIS were the cause of the attack (and her death), and request damages under the Anti-Terrorism Act.

At the heart of the resulting Gonzalez v. Google case lies Section 230 of the Communications Decency Act of 1996. This section has been routinely vilified by various political groups, who claim that the protections under this section against civil suits should be struck down. For my latest blog for Avast, I summarize the various issues that are facing the court and implications for online communications.

The arguments are transcribed here.


Microsoft breached in September, thanks to a public Azure storage container

Last month, researchers discovered that someone at Microsoft had misconfigured one of their Azure Blob Storage containers. The container allowed public access, which could have resulted in a data breach. It contained sensitive data from a high-profile cloud provider covering 65,000 companies, 111 countries and the private data of 548,000 users. Microsoft was notified by the researchers and reconfigured the container to make it private within several hours. “Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers,” posted Microsoft on their blog.

Another security researcher suggested that the data was a SQL server backup that was mistakenly placed on this open storage container.

The leak was dubbed BlueBleed and the original researchers published a search tool that anyone can use to find whether information from a domain is part of this leak. The key word in that last sentence is “anyone” and if you read the Microsoft blog you can see that they aren’t happy about the way the tool is set up, because anyone can search across any domain to find out whether any unprotected assets were part of this breach.

Certainly, having private data in public containers — those that have no password protection, let alone using any multiple authentication factors — continues to be a big problem. Chris Vickery has made his career discovering many of them, and this post from several years ago cited the more infamous (at least at that moment in time) of Amazon S3’s “leaky buckets.” All of the cloud storage vendors make it relatively easy to create a new storage container that anyone can access. But don’t blame them — it is just basic human nature to forget to lock the door properly.

How can you prevent this from happening?

First, ensure that your sensitive data is well-protected, with proper and strong MFA. Microsoft has various recommendations for securing Azure Blobs and using their various cloud and endpoint security tools.

Avoid promiscuous provisioning. A case in point is Twitter, which (according to Mudge’s testimony) stated that thousands of their employees — accounting for roughly half its workforce, and all its engineers — work directly on Twitter’s live product and have full access rights to interact with actual user data. Okta realized a similar situation in its breach analysis earlier this year, and has since moved to limit access by its tech support engineers. What is needed is to reduce these over-privileged accounts, and to limit who has access to your data. If a developer is testing code outside of a production system, ensure that the data is protected. Audit your accounts to find out who has what access, and to spot configuration errors. One research report found that in 2020, two-thirds of the threats cited by respondents were caused by cloud platform configuration errors.

Ensure that your key IT suppliers have updated contact information to communicate with you. Microsoft relied on an “if you haven’t heard from us, assume you aren’t part of the breach” system — that is not as good as telling everyone what happened. Messages can also get lost or sent to dead mailboxes.

Offboard employees properly and thoroughly. When someone leaves your company, ensure that all of their accounts have been revoked. Many IT managers readily admit that their Active Directories are outdated (that link brings you to Microsoft’s statistic that 10% of the accounts in these directories are inactive) and that they don’t have sufficient resources to maintain them, even for the simple question of who is presently employed by their companies, let alone who has the correct access rights.
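As an added check for the audit step above (example code, not from the original post or from Microsoft), this script works from the JSON that the Azure CLI prints for a storage account and its containers and flags every container an anonymous client could read. The storage account name and both JSON samples are constructed; the field names follow the CLI’s output for `az storage account show` and `az storage container list`.

```python
"""Flag Azure Blob containers that allow anonymous access.

Added example: feed it the JSON from
  az storage account show --name <account>
  az storage container list --account-name <account>
(the samples below are constructed, not real output from any tenant).
"""
import json

# Constructed sample of `az storage account show` output, trimmed to the
# field that matters here: the account-wide anonymous-access switch.
ACCOUNT_JSON = """
{"name": "contosobackups", "allowBlobPublicAccess": true,
 "minimumTlsVersion": "TLS1_2"}
"""

# Constructed sample of `az storage container list` output.  publicAccess is
# "blob" (anonymous read of blobs whose names you know), "container"
# (anonymous listing as well) or null (credentials required).
CONTAINERS_JSON = """
[
 {"name": "sqlbackups", "properties": {"publicAccess": "container"}},
 {"name": "exports",    "properties": {"publicAccess": "blob"}},
 {"name": "private",    "properties": {"publicAccess": null}}
]
"""


def public_containers(account_json: str, containers_json: str) -> list:
    """Return (container, level) pairs readable without credentials.

    Anonymous reads need both switches on: the account must permit public
    access at all (allowBlobPublicAccess) and the container must carry a
    public access level.  If the account-level switch is off, nothing in
    the account is exposed, whatever the containers say.
    """
    account = json.loads(account_json)
    if not account.get("allowBlobPublicAccess", False):
        return []
    findings = []
    for container in json.loads(containers_json):
        level = container.get("properties", {}).get("publicAccess")
        if level in ("blob", "container"):
            findings.append((container["name"], level))
    return findings


if __name__ == "__main__":
    for name, level in public_containers(ACCOUNT_JSON, CONTAINERS_JSON):
        print(f"{name}: anonymous '{level}' access enabled")
    # Remediation for a finding is the account-wide switch
    #   az storage account update --name <account> --allow-blob-public-access false
    # or, per container,
    #   az storage container set-permission --name <container> --public-access off
```

Run it against each storage account in the subscription; a backup or export container showing up in the output is exactly the BlueBleed pattern described above.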

Authenticating world-class artwork isn’t easy

I have been writing about authentication when it comes to the digital world for many years now. Last month I looked at authenticating sports memorabilia. Today’s story takes another look, this time about the ability to authenticate a painting by a world-class artist.

I got interested in this issue after reading a piece in the New Yorker about paintings by Lucien Freud (a relative of the doctor). The article mentioned a Swiss tech company called Art Recognition that uses machine learning and neural networks to authenticate art. I spoke to two of their 11 employees by phone to learn more about their technology and their customers, Ludovica Schaerf, an AI developer and data scientist and Romanas Einikis, their CTO and one of their founders.

Before the Swiss data scientists got involved, art experts required the actual artworks to be present in their own labs. This meant that the art had to be insured and shipped, typically great distances and at great cost. Once in their possession, the experts could keep the work for weeks or months as they examined it. “We don’t require the physical artwork in our presence,” said Einikis. “That saves on insurance and transportation costs, and also reduces the amount of time to obtain an analysis.” The scientists just require photographs of the work, and typically take a week to produce their analysis. A simple certification of authenticity costs less than $1,000.

The data team collects as many images of the artist’s work as they can obtain, typically from public domain sources or from museum and collectors’ websites. (This is legal under Swiss law, BTW.) These pictures — along with known fakes and similar work from other contemporary artists’ paintings — are fed into more than 30 different data models that are run to produce a probability score. The models take advantage of cloud computing from AWS and Azure. “It doesn’t make sense to have on-premises machinery – it is a big headache and not worth it and the cloud is much more cost-effective,” he said. The models make use of NVIDIA GPUs and the CUDA tools for computer vision that were originally developed for video gaming.

To date, the company has found that about half of the artworks are fakes, which isn’t surprising given that the company gets called in when their provenance is questionable.

I asked a friend and former art gallery owner what she thought about this approach. She said that the art world is highly political and the traditional experts often have a vested interest in not being convinced by any computer program. She was concerned that many artists’ early works or unfinished works make this type of approach more difficult, but Einikis assured me that their models take this into account, along with incorporating information about which paintings were most likely created as collaborations among several assistants to the named artist. He mentioned that Rubens had periods of his painting career when his workers were helping paint the paintings. “We have to separate these different periods as part of our modeling process,” he said. So far, they are the sole provider of this type of service. It is an interesting intersection of art and science.

Avast blog: The IRS warns smishing attacks are on the rise

In a new blog for Avast, I report on a new study from the IRS which shows that smishing attacks — phishing using SMS text alerts — are on the rise. My wife and I have seen numerous messages that typically are phony package delivery acknowledgements for packages that we never ordered, or offers to send us money out of the blue.

The IRS said the attacks have increased exponentially, especially texts that appear to be coming from the taxing agency. It’s important to note that no matter who you are or your particular tax situation, the IRS never communicates with anyone in this fashion, or by email either. “It is phishing on an industrial scale,” said IRS commissioner Chuck Rettig.

Avast blog: Cryptojacking is back in the news – and it’s increasing

In my latest blog for Avast, I discuss the current state of affairs regarding cryptojacking — malware that takes root on your computers and uses them to “mine” cryptocurrency. I also cover how it is detected and prevented. It has lots of current appeal to criminals because it continues to provide low risks for the rewards and profits generated: typically, the profit margin is about two percent of the computing costs for the resulting coins mined.

Still learning about making better backups

My blog went down this weekend for a couple of hours. What I want to tell you is how I learned that after all these decades working and writing about IT, I still could have lost some data, despite having what I thought were well-thought-out backup procedures. Turns out I was still exposed.

Back about 20 years ago, I had my office in a small commercial building that had a music shop and a Subway on the first floor: my office was directly over both establishments. One day there was an electrical fire in the music shop, which happened when I was out taking a walk. When I returned I saw smoke rising off in the distance, and as I got closer I realized that was my building that had the fire.

That was the day that I learned about offsite backups. Back then, I had made copies of my data on tapes — tapes that were neatly stacked at the end of my desk. Had the fire damaged my building (fortunately for all of us, it didn’t), I would have been in big trouble.

Another time I was hosting my email server at a friend’s server. The friend’s basement got flooded, and my server was ruined. Thankfully he had backups and eventually I was back in business. I learned another lesson that day: make copies of everything (including the actual emails of you, my loyal subscribers) offsite.

Anyway, back to the present day. For many years I have had a WordPress blog that was hosted at various internet providers. It currently lives at Pair.com, which is a solid provider that has exemplary customer support. I use the free tier of Uptrends.com to notify me whenever the blog or my main website goes down. I got the first email after I quit work on Friday about an hour into the outage, and promptly sent off a support email asking what was going on. Within minutes — it might have been seconds — I got a reply saying they were aware of it (good) and working on the fix (even better). Service was restored (a database corruption issue) later.

Now for years I have also maintained a shadow copy of my blog that is hosted on WordPress.com. Back when I did this, you could host a site with limited features for free. (Alas, now you have to pay a fee.) To do this, I first have to export my blog content from my Pair-based server to an XML file, and then import it to the WordPress.com server. That doesn’t take long, but I hadn’t done it in a few weeks.

Now what could I have done differently? For one thing, I could use a different hosting plan on Pair that is designed for managed WordPress deployments, and includes automatic backups. That plan costs more than my plain-Jane hosting account. Another way to approach this is to do more frequent manual backups. As you can see from a screencap of my files, in the past I was sort of cavalier about doing them, now I won’t be. I would have lost about three weeks’ worth of content had Pair not been able to restore my database.

So as you can see, I am a slow learner when it comes to backups. Many businesses are in the same boat: this is why ransom attacks are so successful, because they don’t back up everything, or as Joni sings, you don’t know what you’ve got until it is gone (I think she was talking about something other than digital data).

So the moral of my story: take the time to make the backups about the data that you care about and then think about what your life will be if something happens to the data that might not be mission critical, but is still important.

CSOonline: Secure web browsers for the enterprise compared

The web browser has long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle, and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.

Enter the secure browser, which is available in a variety of configurations (as shown above) that can help IT managers get a better handle on stopping attackers from getting a foothold inside our networks.

I looked at four browsers in a variety of configurations in my latest review for CSOonline:

Cheaters gonna cheat

I live a block away from the chess complex that was the scene of a major incident last month. This is when world chess champion Magnus Carlsen literally walked off a match that he was losing to Hans Niemann, claiming Niemann was cheating with a remote computer. This week, Niemann is back in town for another chess match. This analysis by chess.com is interesting, and while you can’t prove anything conclusively, the report says they don’t think he cheated in the game last month. He did admit to cheating at a few online games previously; however, the pattern of his wins is suspicious, and the report says he probably cheated in more than a few games.

One of the things I have seen with cheaters is that they can’t just cheat a little, so this makes sense to me. If you have seen any of the various documentary films or read any of the books about Lance Armstrong’s cycling career (one of them is available here), you will likely have picked this up. Armstrong still maintains the “everyone is doing it” strategy.

Reading the chess.com report though is interesting, because I learned a couple of things. First, the latest generation of chess computers can easily beat the best grandmasters, and this is the case for mobile-based chess software over the past few years. This means that a cheater doesn’t need access to a roomful of gear, just a remote connection to someone offsite who can track the game’s play online. Remember when Garry Kasparov lost to IBM’s Deep Blue back in 1997? Garry is a fellow blogger at Avast, and you might be interested in his latest post where he analyzes the Ukraine war. Another tidbit: cheaters just need a few moves in a game to win. And most chess grandmasters have already risen to that level in their mid-teens.

The chess matches happening this week down the street here in St. Louis have taken steps to make it more difficult for the cheaters — they put in a 30-minute delay in the online matches, and only allow spectators for the beginning of each game. But as I said, cheaters will find a way around these strictures eventually. It is the same cat-and-mouse game that cyber attackers play.

If you want an even better illustration of how the cheating game is played, I would recommend watching Icarus, an amazing documentary about the Olympics-based doping efforts, from the point of view of someone who actually managed the Russian team’s cheating. The Russians constructed a blood testing lab that had cutouts befitting the KGB, so that someone’s sample was surreptitiously switched with a clean one to pass the tests. Like I said, cheaters gonna cheat. What was sad was how the consequences for this team-wide cheating were minimal.

It is sad that so much effort has gone into cheating. It really diminished my interest in professional cycling (back several years ago when this all came out) and it now diminishes my interest in chess, despite having a near-front-row seat in the neighborhood. BTW, if you do come and visit me, one incentive would be this fascinating exhibit at the World Chess Hall of Fame Museum on the historic 1972 match between Fischer and Spassky. You’ve got until next April to see it.

Avast blog: Beware of SEO poisoning


Getting infected with malware isn’t just a matter of clicking on an errant file; it usually occurs because an entire ecosystem has been created by attackers to fool you into actually doing the click. This is the very technique behind something called SEO poisoning, in which seemingly innocent searches can tempt you with malware-infested links. The malware chain begins with an attacker generating loads of fake web content intended to “borrow” or piggyback on the reputation of a legitimate website. The fakes contain the malware and manage to get their search results to appear higher on internet search engines. In this post for Avast’s blog, I describe the practice and offer some tips on how to steer clear of this problem.

These two political opposites can agree on these five things

By David Strom and David Strom  

No you are not seeing double: we are two different people. Democrat David Strom and Republican David Strom. 

Having a well-worn internet presence means that after some time, you get to meet some of your namesakes. Since both of us are authors (Minneapolis David is a Republican who writes on conservative political topics. And as you know me — St. Louis David — as a Democrat who writes about business technology), we thought we would jointly pen a blog post about things that we can both agree on — and where we diverge as well — for our respective audiences. We found these five broad topics.

1) A path towards legal immigration

We both agree that our immigration laws should be updated to allow for a legal path towards citizenship for those who come to our country. That leaves plenty of daylight between us in terms of how this will be implemented, but both of us aren’t happy with the current situation. 

Minneapolis David: It’s not just a truism that immigrants built this country–they continue to make enormous contributions to America. But you can have too much of a good thing, and as we have seen open borders have created a crisis that is splitting this country apart. It’s time to get control of our border and a consensus on the number of immigrants the country can import without causing social distress. 

St. Louis David: I was surprised when I learned how few countries offer birthright citizenship. We need some consistent policy among the various government branches and across federal, state and local authorities. Wishful thinking, I know.

2) Respect for the rule of law and individual decency

BOTH DAVIDS: Calling for the overthrow of our government by anyone shouldn’t be tolerated. The same holds for threatening law enforcement members, or members of Congress, or really anyone for that matter. We should tolerate people of different points of view — one of the reasons why we are jointly writing this blog post. (Democrat David is married to a conservative Republican, BTW.) And by tolerate we mean being able to disagree without the threat of any violence on that person.

Talk of a civil war–and the increasing number of violent incidents related to political disagreements–make solving real problems nearly impossible. Distrust begets distrust. Neither of us have any idea how to solve the problem, but we need to get a handle on it. Political leaders need to take the first step to calm down the rhetoric. 

3) Understanding the role played by the First Amendment and freedom of speech

Until this year, this amendment only applied to government entities. Now we have two court rulings in Texas and Florida that have different interpretations when it comes to the role of social media and how freedom of speech protections should apply. We both deplore and avoid hate speech.

St. Louis David: Regardless of how these cases play out, all of us should be allowed to say what we want, as long as we aren’t promoting violence on a particular group.  

Minneapolis David: Maybe I read John Stuart Mill at an impressionable age, but I have long believed that the more you suppress ideas, the more disastrous the outcome. Let people speak. Some people will say things that are wrong, stupid, or just different from what you think is responsible. A lot of people will think the same of you. Deal with it. 

4) Importance of science research and respect for the scientific method

St. Louis David: This should be easy. Those people who want to “do their own research” or criticize our scientists for explaining a particular result should fully understand the scientific method of testing hypotheses and running double-blind experiments. Part of respecting scientific research is believing that innovation is a key element of this activity, and accepting the role played by innovation in our society. We may differ on how our governments implement these results, however. Neil DeGrasse Tyson offers some sound advice in his latest book: “Do whatever it takes to avoid fooling yourself into believing that something is true when it is false, or that something is false when it is true.”

Minneapolis David: I agree with St Louis David, with a big “but.” I think that scientists have played a big role in the loss of trust in science. Science is about discovery. Its results are better or worse hypotheses. The goal is truth, but we can only approximate the truth asymptotically (look it up!). Scientists need to project more humility, or their mistakes will only undermine confidence. Example: nutrition science, where it seems like they get it wrong all the time, but with great confidence. 

5) Respect for life 

Both of us agree that we should respect life, which we hinted at above. But we realize that we all might have different definitions of what constitutes the precise moment when we think it begins or ends. Polling shows that there is ample room for reasonable compromises. 

St. Louis David: I believe that our government should allow women to choose, and not make their choices a criminal act. 

Minneapolis David: I consider myself “pro-life” in the sense that you know it. I also understand that there are legitimate differences about how we can best determine when life begins. We need to get beyond shouting at each other and have serious discussions, not shouting matches. 

One final note on something we can also agree on: both of us are Mac/iPhone users, and both of us have re-invested in Apple products this past year.