Managing your identity theft protection

World Password Day is Thursday, I know all of my readers are gearing up major parties to celebrate. What, you don’t know about this day in flackery?  Read on.

I know my inbox runneth over with WPD PR pitches. Perhaps you have already planned your day, such as noting yet another account of yours that has been breached? Another chance to reuse that password from 1992? Time to get another password manager other than Lastpass? Or perhaps just have a cupcake decorated with ones and zeros? (Image credit: Google’s Gemini)

Here is how I am celebrating. I am actually reviewing the two free identity protection services that I have been granted, thanks to two recent and massive data breaches. One is from the credit bureau Experian, the other from a company called Normally, these outfits charge anywhere from $10 to $30 a month, and in the past I have not been motivated to use these, or any other service. Here is the problem: being a privacy paranoid person, I don’t want to give out any of my numbers. Yet to sign up for these services, you have to lay it all out there: SSN, birth date, previous addresses, drivers license, phone numbers and so forth.

Some things you might want to know: my wife and I have had spurious credit card charges over the years — one just recently where someone kept trying to charge a rideshare in San Francisco repeatedly. And I think her credit is still frozen (although I don’t recall when we got it or if we actually unfroze it).

The dashboard for IdentityDefense looks like this:

You’ll notice that it shows you a bunch of dark web alerts (where a bunch of passwords have been collected after a breach by some baddie), my credit score (nice), and a bunch of other stuff. The alerts all date from when I initiated the service last month and haven’t been updated. Some of these alerts are less than meaningful, such as the breach of Xss.js that was found in May of 2018 or the one called Combolist_bundles_solenya from December of 2017. I have no idea what these were, and if actually wanted to change my password, where to go about doing so. On some of the other dark web listings, the breach id’ed an actual website where I didn’t ever have an account. So right away, you can see that this information isn’t very helpful.

One thing that IdentityDefense does have is a way to file online credit freezes for the three credit agencies. You could probably find the web pages for these on your own, but still, it is nice to have this all here in one place.

Let’s look at the Experian ID works dashboard. It is less than useful:

This is because almost everything that you want to know about will require a lot of clicking around, For example, you see the “CreditLock” panel — that is slightly more than a freeze, because you can lock and unlock it in real time, and of course this is just for Experian. When you find your way to the dark web alert report, you will also see a lot of useless data, such as an email address for me that I have never used, although attached to my actual phone number. One alert had both the right phone and email for a breach from in July 2018, never heard of them, and when I tried to reset my password on their site, it claimed no one with that email has an account.

There is another service that businesses use to manage their dark web and other threats that I have used from time to time from, where I wrote a white paper for them a few years ago. That paper spoke to this situation of not having very complete information about what was breached, or how metadata on the breach wasn’t of sufficiently high-enough quality or complete enough to be actionable. I wrote that you should be able to visualize the context of the threat and figure out where you were compromised, and what you should do in the future to prevent something similar from happening. That is still very much the case.

And if you are in the market for one of these services, you can read Paul Bischoff’s hands-on review of these and other services here on Comparitech. He puts them through more rigorous testing, and recommends services depending on how much of your life you want to divulge and then protect, and how complex a financial situation you might have.

So you should know by now that when something is free, it may or may not have any value to you. That latter situation is certainly the case with these protect-after-breach situations. Far better to have stronger (long and complex) passwords that are unique and managed by a service other than LastPass (I use Zoho Vault, which is free and does have value).

And if you are still in the mood to celebrate WPD, this comment from a security nerd from 2018 is instructive: “Happy WorldPasswordDay. Or in 90 days, WorldPassword1 Day.” Last year, I wrote: “Maybe on WPD in 2024 we can finally break out the bubbly and celebrate their actual demise.” Nope, not yet, put that bottle back in the fridge.

The latest anime-based North Korean IT threat

A couple of years ago I wrote about the report that North Korean IT workers were using fake resumes to get jobs as software developers. Once ensconced, they would leverage their position to launch attacks as well as using their salaries to generate hard cash for their government handlers. But a new research report has shown this threat to be even more pernicious, with North Korean digital animators getting jobs working on major motion pictures that will be broadcast on HBO, Amazon, and other outlets.

As I mentioned in my earlier post, this is the ultimate supply chain attack, but the supply is the humans who produce the code, rather than the code itself. The new report is based on a misconfigured cloud server, showing that even North Koreans can make this common programming mistake that is made every day by nerds around the globe. The group working on this server left it wide open for a month, during which time security researchers could download the files placed on this server and figure out the workflows involved.

They learned from the incident how difficult it is for animation studios to vet whether or not their outsourced work ends up on North Korean computers and how these studios might be inadvertently employing North Korean workers. It also demonstrates how hard it can be to have effective sanctions when it comes to our interconnected world.

As you might already know, North Korea doesn’t have very many internet connections by design, because of these sanctions. Typically, an IT shop would have just a couple of connected computers with net access that is carefully monitored by the state. Looks like they need to add “search for unprotected cloud storage buckets” in their monitoring software, just like the rest of us have learned.

What makes this discovery interesting is how far down the workflow food chain these animators operate. Examining one of the images posted by the researchers, shown below, you can see two text annotations, one in Korean and one in Chinese characters. The conclusion is that this was a translation between two teams working on the project: the hidden Korean team that was a subcontractor for the Chinese team. China is often the safe-mode proxy to hide North Korean origins from Western-based businesses, and Chinese businesses that have been discovered to be these go-betweens are eventually sanctioned by our government.

The researchers found work on a half dozen different animation projects that span the globe of video programming being produced for Japanese, American, and British audiences. Some of these shows aren’t scheduled to run until later this year or next. “There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators. It is likely that the contracting arrangement was several steps downstream from the major producers,” they wrote.

Last October, our government updated its warnings about recognizing potential North Korean IT workers, such as tracking home addresses of the workers to freight forwarding addresses, or where language configurations in software don’t match what the worker is actually speaking. They further recommend any hiring manager do their own background checks of all subcontractors, and not trusting what the staffing vendor supplies, and verifying that any bank checks don’t originate from any money service business. They further recommend preventing any remote desktop sessions and verifying where any company computers are being sent, and for workers to hold up any physical ID cards while they are on camera and show their actual physical location.

I am sure that animation studios aren’t the only ones employing North Koreans. The human employment supply chains can snake several times around the globe, and this means all of us that hire IT — or indeed any specialized talent — need to be on guard about all the component layers.

Beware of the pink slime website

Jack Brewster built his own hyperlocal news website in a couple of days and with a grand total investment of $105. What is significant is the circumstances by which he accomplished this. He used these funds to hire a programmer that he never met. Although Brewster had no other specialized expertise, he was able to launch a fully automated, AI-generated “pink slime” site capable of publishing thousands of articles a day. What is scary is that he could tune the AI to create whatever partisan bent and nearly all of the articles were rewritten without credit from legitimate news sources. Brewster is a reporter for the Wall Street Journal and describes his process here. “The appearance of legitimacy is everything online, and pink-slime websites are a serious menace,” he concluded.

This is the first time I have heard the term. It is certainly evocative, and dates back a few years. I last wrote about this condition in the pre-AI era, when actual people were being paid close to nothing to create this so-called content. That link has a bunch of resources to help you spot these fakes, but as AI gets better at sounding like some overblown windbag commentator, it will certainly get harder to discriminate what is real and what isn’t.

Apparently, slime pays. His programmer has built hundreds of these types of slimery, and is one of many, many people who advertise their services on Fiverr and other employment-as-a-service websites. What they are doing isn’t (yet) illegal, but makes me (and Brewster for that matter) uncomfortable. He set up his site behind a paywall, but the WSJ piece has a screencap where you can see what it looks like.

Speaking of Fiverr, long ago and in a galaxy far, far away I set up my own site to sell my freelancing services. Needless to say, I had no takers. My rate was a lot higher than the programmer Brewster hired for his website.

Brewster does misinformation tracking for a living, so it is somewhat ironic that he paid to produce his own slime site. His operation,, has tracked more than a thousand slimy sites, and offers browser extensions and various other tools to rate news sites, both slimy and (supposedly) legit ones.

Of course, that isn’t the only development of genAI content. This movie trailer looks so airbrushed that it is hard to watch. One reviewer wrote:

It is not clear whether the trailer is bouncing between different characters, or if TCL has been unable to figure out how to keep them consistent between scenes. The lip-synching is wildly off, the scenes are not detailed, walking animations do not work properly, and people and environments warp constantly.

All I can say, this is one bad movie trailer, and I am sure an even worse movie.

I guess it is a testament to the progress of genAI that we have come so far, so fast. And perhaps this is yet another reduction of the circumference of the noose around my own neck, or an indication of how my astronomical pay rates (at least, seen in this AI/Fiverr context) really are.

Dark Reading: New Tool Shields Organizations From NXDOMAIN Attacks

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

Akamai has released a new tool to help, as my story for Dark Reading describes.

The cybsersec gender gap is still wide

A new study by Women in Cybersecurity paints yet another dismal picture of the gender gap. This time it dives into its potential causes. The study is based on surveying both men and women across 20 different organizations. Women encounter problems at twice the rate of men, especially when it comes to their direct managers and peer workers. The glass ceiling is still very much in evidence. It is a sad description of where and who we are, including disrespectful and sexually inappropriate behaviors, underappreciated skills and experience, and requests to do menial tasks (she’ll take the meeting notes).

“Organizations have a clear opportunity to significantly boost their financial results and employee satisfaction by addressing these disparities,” said one of the report’s authors. The revenue impact could be significant due to this differential treatment of women and people of color. You would think that would be obvious by now.

I am ashamed about our industry that continues to make this news, year after year. Back in 2013, I attended one of the Strangeloop conferences, which always were notable in how many women presenters they had. I wrote a follow-up piece in Biznology a few years ago, tracking down some of the women that I initially wrote about. I ended that piece with the suggestion that we should follow some people on Twitter who don’t look like you and widen your focus and perspective.

Well, Twitter turned out well, didn’t it? Perhaps follow folks on LinkedIn now. You might want to take a listen to the “bit of fun” Mark Cuban is having at Elon’s expense on diversity, when he was interviewed by Lex Fridman (here is a 35 min. excerpt). He makes some great points on why it works.

Speaking of conferences, it wasn’t all that long ago when attending RSA, you wouldn’t find many women speakers. Last year’s event even had an all-women panel of female all-stars talking about threat response. I guess that is progress.

And in 2016 I wrote about how female engineers were scarce. Back then, I said: “It is time that all companies adapt to a more diverse workforce if they want to succeed. And we need to be on the leading edge in tech.” It is still time.

Dark Reading: Electric vehicle charging stations still have major cybersecurity flaws

The increasing popularity of electric vehicles isn’t just a favorite for gas-conscious consumers, but also for cyber criminals that focus on using their charging stations to launch far-reaching attacks. This is because every charging point, whether they are inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

In this post for Dark Reading, I review some of the issues surrounding deployment of charging stations, what countries are doing to regulate them, and why they deserve more attention than other connected IoT devices such as smart TVs and smart speakers.

CSOonline: A dozen of the top data security posture management tools

Tracking down sensitive data across your cloud estate can be vexing. By their very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, a group of tools called data security posture management (DSPM) have been developed to discover both known  and unknown data, provide some structure and manage the security and privacy risks of its potential exposure. In my post for CSOonline today, I look at a dozen different tools from Concentric AI, Cyera, Eureka Security, Normalyze, OneTrust, Palo Alto Networks, IBM, Securiti, Sentra, Symmetry Systems, Varonis and Wiz. (A summary comparison table can be found here.)

These tools will require a significant amount of staffing resources to evaluate because they touch so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter under what digital rock they could be hiding. So having a plan that prioritizes which data is most important will help focus your evaluation. Also a good thing is to document how each DSPM creates its data map and how to interpret it and subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap too.

Gmail at 20, RIP Dan Lynch

Writing a computer-themed column appearing today can be a tough assignment. But I want to assure you that first, it isn’t any net-fueled prank and second, that it is actually written from start to end by me and not by some algorithm. More on that in a moment.

Today marks the 20th anniversary of Gmail’s creation. Google was playing with fire when it first announced the service in this press release, and the initial reaction was disbelief because of the date. Back then, it was an amazing feat to offer a gigabyte of storage — since expanded to 15 GB for the free tier. This was when many email services had capacity limits of 4MB or so, which seem laughable by today’s standards.

and the ability to search your entire email corpus. Now there are more than 1.5B users around, including myself. (I actually host my domain with Google, which was free until recently.) Here is a screen grab of what it looked like back then.

But there is another and sadder moment that I want to mention.

Over the weekend we lost one of the Great Ones, Dan Lynch, who was the founder of the Interop trade show. He was one of the prime movers behind the commercialization of the internet, back when we all used the capital “I” as befitting its status in society.

I was involved in the show in numerous ways: as a tech journalist (and editor-in-chief of what would become the leading computer networking business publication), as an editorial consultant to help guide the conference program, and as a speaker and lecturer. At its height, Dan put on five shows yearly around the world, and I spoke at many of them. Here is an interesting historical plot of when and where the shows took place.

You can read more about Dan’s accomplishments with this NYT obit written by Katie Hafner. He was 82, from kidney failure.

One of the features of Interop was its ability to force vendors into improving their products in real time, during the several days that the show was running, with what eventually was called the Shownet. In the early days, TCP/IP was still very much an experimental set of protocols and had yet to become the global lingua franca that it is today. The Shownet was born out of the necessity to get better interoperability, hence the show’s name. It began with 300 vendors and eventually blossomed to attract tens of thousands of attendees. This year the show is back from being virtual and being held in Tokyo this summer.

“The Shownet was also often the first place where many router or switch devices ever met a complex topology,” wrote Karl Auerbach, one of the many volunteer engineers who worked on it over the years, “Few saw the almost continuous efforts, done under Dan’s watch, between shows to design, pre-build (in ever larger warehouses), ship, deploy, operate, and then remove. The Shownet trained hundreds of electricians in the arts of network wiring over the years.”

I wanted to talk to Dan as part of an article that I am writing for the Internet Protocol Journal about the history and tenacity of the Shownet, but sadly we weren’t able to connect before his passing. He was truly a force of nature, a force that brought a lot of goodness to the world, and changed it for the better. Many of us owe our career developments, knowledge about computing, and human connections to Dan’s efforts.

So one final note. I came across this coda that explains “human-generated content” on a website by displaying one of three icons. I want to assure you that my website, newsletter, and any work that I produce is 100% written by me, that the people I quote are also actual carbon-based life forms, and no GPUs have been harmed or otherwise employed to produce this work product.

Dark Reading: Corporations With Cyber Governance Create Almost 4X More Value

Public corporations have mostly ignored SEC regs published years ago for improving cybersecurity governance. And while the requirements can be difficult to satisfy, companies that have made the effort created nearly four times their shareholder value compared to those that haven’t. That’s the conclusion of a new survey jointly conducted by Bitsight and Diligent Institute, entitled “Cybersecurity, Audit, and the Board.”  According to the Bitsight report, having separate board committees focused on specialized risk and audit compliance produces the best outcomes. 

You can read my analysis of this report for Dark Reading here.

Dark Reading: Cloud Email Filtering Bypass Attack Works 80% of the Time

A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.

Computer scientists have uncovered a shockingly prevalent misconfiguration in popular enterprise cloud-based email spam filtering services, along with an exploit for taking advantage of it. The findings reveal that organizations are far more open to email-borne cyber threats than they know, and will be presented at a conference in May. My post for Dark Reading explains the situation.