SC Magazine: The coming passkey revolution

The war on passwords has entered a new and more hopeful era: their final battle for existence. The challenger is the passkey. Let’s talk about why this is happening now, what exactly a passkey is, and how victory might finally be in sight. The goal is a worthy one — according to Verizon’s 2022 DBIR report, 80% of data breaches still begin with a phishing or man-in-the-middle attack that uses hijacked credentials to take over an account. Spoiler alert: passkeys can help big-time in this fight.

Passkeys use a pair of cryptographic keys – long strings of digits – in a way that you, the user, don’t have to remember or type anything additional. They have been adopted by the major endpoint vendors (Google, Apple and Microsoft), and in my post for SC Magazine I describe how they work.
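To make the mechanism concrete, here is a miniature passkey login in Go. It is an added example written for this page, not code from SC Magazine or from any of the vendors’ implementations: a hypothetical Authenticator stands in for the device keystore, a RelyingParty stands in for the website, and the domains example.com and example-login.invalid are placeholders. The point it illustrates is the one behind that 80% figure: the user’s device signs the site’s challenge together with the origin the browser actually connected to, so a phishing page or a man-in-the-middle relay cannot obtain a response the real site will accept, and the site itself stores only public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is what the browser signs over: the site's challenge plus the origin it really connected to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a hypothetical stand-in for the device keystore: one key pair per relying-party ID.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a P-256 key pair for rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the challenge bound to the origin the browser observed. A lookalike
// site either has no key here or receives a signature naming its own origin.
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (cd, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, _ = json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin})
	digest := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cd, sig, err
}

// RelyingParty is the website. It holds public keys only, so a breach of this
// table gives an attacker nothing to log in with.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
	pending    map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce that is good for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[user] = c
	return c
}

// Verify rejects replays first, then foreign origins, then bad signatures.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok {
		return fmt.Errorf("no outstanding challenge for %q: replay?", user)
	}
	delete(rp.pending, user)
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Challenge != base64.RawURLEncoding.EncodeToString(want) {
		return fmt.Errorf("challenge mismatch")
	}
	if parsed.Origin != rp.Origin {
		return fmt.Errorf("signed for origin %q, not %q: phishing page or relay", parsed.Origin, rp.Origin)
	}
	digest := sha256.Sum256(cd)
	if pub := rp.pubKeys[user]; pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify for %q", user)
	}
	return nil
}

func main() {
	auth, rp := Authenticator{}, NewRelyingParty("example.com", "https://example.com")
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)
	cd, sig, _ := auth.Assert(rp.ID, "https://example.com", rp.Challenge("alice"))
	fmt.Println("genuine site:", rp.Verify("alice", cd, sig))
	cd, sig, _ = auth.Assert(rp.ID, "https://example-login.invalid", rp.Challenge("alice"))
	fmt.Println("lookalike site:", rp.Verify("alice", cd, sig))
}
```

The second Verify fails even though the signature itself is valid, because the signed origin names the lookalike site; a relay that forwards the genuine site’s challenge to the victim gets exactly that outcome. Real WebAuthn adds an authenticator data blob, a signature counter and attestation, but the origin binding shown here is what removes phishing from the picture.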

Avast blog: Explaining malicious PDF attachments

The next time someone sends you an email with a PDF attachment, take a moment before clicking to open it. While most PDF files are benign, hackers have recently been using PDFs in new and very lethal ways. Malicious PDFs are nothing new. In my post for Avast’s blog here, I explain their history and how two news items show that they are still an active threat vector, being exploited in new and interesting ways, such as an invoice whose amount due changes depending on which reader is used to view the file.

How to terminate staff safely

Let’s talk about layoffs for a moment. More specifically, let’s talk about the process by which a company fires its people. How does it work to terminate someone’s digital access? It is tricky.

Dos and Don'ts of Terminating Employees

I have been laid off a few times over my career. The one that I wanted to tell you about was when I worked for the IT department for a large insurance company. My office was in a downtown LA high rise, and coincidentally, my wife also worked in the same building, for a different subsidiary of the company. Indeed, she worked on the same floor. I had just given my two weeks’ notice that I was quitting to go work for PC Week (now called eWeek). As was the custom of the times (this was in the 1980s), I was immediately terminated. My access to the mainframe was turned off, and I was accompanied by a security guard to clean out my desk, hand in my badge, and take me down the elevator and escort me out the door to the street.

There was just one problem: I had to tell my wife that I was fired, and this being the era before cell phones, I had to come back up to our floor. Also, our building didn’t have controlled access, so there really was no way to keep me out of the place.

Now let’s talk about today. How do you announce a layoff to everyone, including the folks that are still gainfully employed? Well, via email and Slack of course. But the timing is critical: if you terminate an employee’s accounts, they won’t get the memo. Some businesses wait a day. This recent survey shows that only 51% of organizations said they typically remove a user’s access to corporate systems the day (35%) or the day after (16%) the employee leaves. A day after is too late: there is a lot of damage a vengeful now ex-employee can do in that day.

Of course, it matters how many people are laid off at once, and where in the corporate hierarchy they are. If it is just a few people, you might get the security escort as I did. But what if dozens are terminated? This is what happened at Coinbase recently. They took a somewhat different approach. First, they cut off the terminated staff’s access to emails and other corporate accounts. Then the CEO sent out this note to their personal emails:

“If you are affected, you will receive this notification in your personal email, because we made the decision to cut access to Coinbase systems for affected employees. I realize that removal of access will feel sudden and unexpected, and this is not the experience I wanted for you. Given the number of employees who have access to sensitive customer information, it was unfortunately the only practical choice, to ensure not even a single person made a rash decision that harmed the business or themselves.”

I think this was the right sequence for Coinbase, but as I said timing is everything. If you are faced with a group layoff, here are a few suggestions.

First, make sure your HR department has the most accurate information about your staff. This means having both personal and work contacts, including private emails and cell phone numbers. You should have done this for all sorts of reasons outside of potential layoffs, such as being able to reach someone’s family in case of emergencies for example. And part of this census is ensuring that you don’t have active accounts for long-ago terminated staff.

Second, you should create a policy on who and how you will communicate company-wide news, both good and bad. How will this information be shared with the news media, and do you have the right media contacts too?

Next, how do you track all your corporate digital resources, and who has what kind of access to them? Does someone on your dev team use a private GitHub account? Are people creating Google shared workspaces with their Gmail accounts? Given how easy it is to set up a private cloud repository, you need to be aware of this as best you can. Having all this information and accounting for the various communications channels correctly will take some effort.

Finally, you need to pay special attention to staff that have elevated access rights to various resources. Can you track whether one of these privileged users has made copies of business or personal data? (This is the role of data loss prevention products, by the way.) Do you have too many administrators? That is a common problem.
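The four suggestions above amount to one reconciliation: compare what HR knows about people with what every system knows about accounts. The Go program below is an added example written for this page, not a tool from Coinbase or from any vendor; the roster, the account list, the dates and the corp.example and mail.example domains are constructed sample data. It flags the failure modes named in the post: accounts still enabled for people who have left (including the long-ago leavers), logins that no one on the roster owns (a personal GitHub account holding company code), systems where too large a share of accounts hold admin rights, and current employees with no personal contact on file, since that is the address the layoff notice has to reach once work access is cut.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Employee is the HR view of a person. Terminated stays nil while they are employed.
type Employee struct {
	ID, Name, WorkEmail, PersonalEmail, Mobile string
	Terminated                                *time.Time
}

// Account is one login in one system (directory, code hosting, shared workspace).
// OwnerID ties it to an Employee; an empty OwnerID means nobody in HR claims it.
type Account struct {
	System, Login, OwnerID string
	Enabled, Admin         bool
}

type Finding struct{ Severity, System, Login, Reason string }

var severityRank = map[string]int{"critical": 0, "high": 1, "medium": 2, "low": 3}

// Audit reconciles the HR roster with every account inventory; maxAdminRatio is the tolerated share of admins per system.
func Audit(roster []Employee, accounts []Account, now time.Time, maxAdminRatio float64) []Finding {
	byID := map[string]Employee{}
	for _, e := range roster {
		byID[e.ID] = e
	}
	var out []Finding
	admins, total := map[string]int{}, map[string]int{}
	for _, a := range accounts {
		total[a.System]++
		if a.Enabled && a.Admin {
			admins[a.System]++
		}
		owner, known := byID[a.OwnerID]
		switch {
		case !known: // shadow IT: created outside the company's own identity system
			out = append(out, Finding{"high", a.System, a.Login, "not linked to anyone on the HR roster"})
		case owner.Terminated != nil && a.Enabled:
			days := int(now.Sub(*owner.Terminated).Hours() / 24)
			out = append(out, Finding{"critical", a.System, a.Login,
				fmt.Sprintf("still enabled %d day(s) after %s left", days, owner.Name)})
		}
	}
	for sys, n := range admins {
		if float64(n)/float64(total[sys]) > maxAdminRatio {
			out = append(out, Finding{"medium", sys, "", fmt.Sprintf("%d of %d accounts hold admin rights", n, total[sys])})
		}
	}
	// Once work accounts are cut, the layoff notice has to reach a personal address,
	// so a current employee with no personal contact on file is a gap in its own right.
	for _, e := range roster {
		if e.Terminated == nil && (e.PersonalEmail == "" || e.Mobile == "") {
			out = append(out, Finding{"low", "hr", e.WorkEmail, "no personal email or mobile on file for " + e.Name})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return severityRank[out[i].Severity] < severityRank[out[j].Severity] })
	return out
}

func date(y int, m time.Month, d int) *time.Time {
	t := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	return &t
}

// SampleNow, SampleRoster and SampleAccounts are constructed inputs; the domains are placeholders.
var SampleNow = time.Date(2022, time.July, 1, 0, 0, 0, 0, time.UTC)

func SampleRoster() []Employee {
	return []Employee{
		{"E1", "Alice Chen", "alice@corp.example", "alice.c@mail.example", "+1-555-0100", nil},
		{"E2", "Bob Ruiz", "bob@corp.example", "", "", nil},
		{"E3", "Carol Diaz", "carol@corp.example", "cdiaz@mail.example", "+1-555-0102", date(2022, time.June, 29)},
		{"E4", "Dan Ito", "dan@corp.example", "", "", date(2019, time.March, 15)},
	}
}

func SampleAccounts() []Account {
	return []Account{
		{"ad", "alice", "E1", true, true},
		{"ad", "bob", "E2", true, true},
		{"ad", "carol", "E3", false, false}, // disabled on her last day, as it should be
		{"ad", "dan", "E4", true, false},    // still enabled years after he left
		{"github", "carol-d", "E3", true, false},
		{"github", "rsmith-personal", "", true, false}, // personal account holding company code
		{"gsuite", "alice@corp.example", "E1", true, false},
		{"gsuite", "carol@corp.example", "E3", true, false},
	}
}

func main() {
	for _, f := range Audit(SampleRoster(), SampleAccounts(), SampleNow, 0.25) {
		fmt.Printf("%-8s %-7s %-22s %s\n", f.Severity, f.System, f.Login, f.Reason)
	}
}
```

Run against live exports (directory, GitHub org members, Google Workspace users) in place of the sample slices, the same loop becomes the daily check that catches the “day after” gap the survey describes: the critical findings are the accounts to disable before the announcement goes out, and the high findings are the repositories and workspaces that no corporate deprovisioning step will ever touch.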

Terminating people safely is a process, both from the affected individuals’ and the company’s perspectives. While the process chosen by Coinbase may not work for everyone, it is a useful template that can provide some important guidance.

There is a lot more to be said about termination policies and practice, and I would urge you to read this blog by Erica Marom and Uri Ar on how to build an employer brand. At the end of that post, they talk about how to craft a positive message and how to communicate it.

Book review: Tomorrow, Tomorrow, Tomorrow

Tomorrow, and Tomorrow, and Tomorrow: A novel by Gabrielle Zevin

Normally when I finish a book I have some strong opinions either pro or con. I am of two minds with this novel by Gabrielle Zevin, which is excellently written and an epic tale of its three principal characters. We follow their exploits for the next 20 years, starting when they are all in their late teens. If you are interested in computer gaming, the book portrays the world of game creators and the gaming industry very realistically — I covered this world as a tech journalist once upon a time. And the relationships of the trio — who form their own gaming studio and quickly become successful — are also very believable and interesting as they and the industry mature. The downside is that the ending is less than satisfactory, as the author takes us inside a game in which the characters play new roles. It just felt off somehow. Nevertheless, this novel is one of hope, of loves found and lost, of how people work together and work against each other in interesting ways that drive the plot forward. And maybe one day you will find those secret underground LA freeways that are posited in the book. (You will have to read it to understand this reference.)

Avast blog: A new way to fight Office macro-based malware

Microsoft has made it a bit harder for macro viruses to proliferate with a recent change to its default macro security policies. Malware-infected Microsoft Office macros have been around for close to three decades. These exploits involve inserting code into a seemingly innocuous Word or Excel macro, which is then downloaded by an unsuspecting user by clicking on a phishing lure or just a simple misdirected email attachment. Recently, Microsoft changed the default settings, making it harder both for this type of malware to spread and also harder for IT managers who have to figure out how to manage their legitimate macro users. And then, they rolled back these changes, based on user complaints. I explain the details in this post for Avast’s blog.

A better treatment, with lots of specifics on Office group policy settings, can be found in Susan Bradley’s CSO piece here.

Finding the tell

What does the Greek king Ptolemy I, the way you type in your sentence endings, a WWII weather report, and the word “northeast” have in common? They are all clues to solving some of the grandest puzzles of all time, and what con men and magicians often call “tells” or personal habits that give away the game.

The 1987 movie House of Games has a wonderful take on tells that is actually central to its plot, so I won’t go into detail just in case you haven’t seen it yet. Even if you have seen it and know how it ends, it is still delightful to rewatch it years later. Another wonderful memory of mine is watching one of Penn and Teller’s magic acts where they repeat the same trick several times, each time providing a fake tell to fool you repeatedly about the trick. (Penn wrote the foreword of my first book about email BTW.) Magicians excel in having you focus on something other than what they are doing, so the tell is part of their act. Con men — such as card sharks and swindlers depicted in the movie — look for their mark’s tells so they can manipulate them into getting money.

I was reminded about tells and clues after reading The Writing of the Gods, a wonderful book that came out last fall by Edward Dolnick about solving the translations that appear on the Rosetta Stone. The book describes how two scholars tried over decades to make progress on the translation. It is a wonderful read, especially if you have an interest in ancient Egypt, like solving codes and puzzles, want to hear about mathematicians behaving badly, or are just interested in a fascinating description of life back in the day when colonial powers ruled the world and could appropriate artifacts with never a care. Dolnick brings the puzzles of the stone to life for me, showing us the pure thirst for knowledge and the drive that these two men had in trying to figure out what was going on with the three languages written on that piece of rock.

As you might have guessed, the Ptolemy clue that opened this post is what got scholars working on figuring out how the three versions of the text, each written in a different language, were related. Given that he was Greek, there was no easy way to write down his name using a word that was part of the languages of ancient Egypt. The scribes had to spell it out, phonetically. The hardest part about the stone was the hieroglyphics, because they can play the role of symbols, letters of the alphabet, and grouped together to form ideas or other concepts.

One of my favorite stories about tells has to do with solving the German wartime codes Enigma and Lorenz. I have written about my visit to Colossus here. The tell used to break these codes had to do with knowing the vocabulary used by the military to provide the local weather report, and knowing that this report was usually placed at the top of each message. Given that the Allies recorded thousands of messages, they had a large corpus to use in their decodes.
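The weather-report tell is worth seeing in code, because it is the same failure that modern systems reproduce whenever a stream cipher’s keystream is reused (a repeated nonce in counter mode, say). The Go program below is an added example written for this page, not a reconstruction of Lorenz or of any Bletchley Park method: the cipher is a plain XOR with a keystream, a hash chain stands in for the machine’s wheels, and the two intercepts, the wheel setting and the opening phrase WEATHER REPORT are all constructed. Two messages sent under the same setting (“in depth”) have the keystream cancel out when XORed together, so dragging the stock opening across that XOR finds where it sits and reads the other message beneath it; the recovered keystream then decrypts those positions of anything else sent under that setting, which is exactly why a large corpus of intercepts mattered.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Crib is the constructed "tell": the stock phrase every operator typed first.
const Crib = "WEATHER REPORT "

// keystream derives a repeatable pseudo-random key from a wheel setting so the
// demo is deterministic; a hash chain stands in for the real machine's wheels.
func keystream(setting string, n int) []byte {
	key := make([]byte, 0, n+sha256.Size)
	block := sha256.Sum256([]byte(setting))
	for len(key) < n {
		key = append(key, block[:]...)
		block = sha256.Sum256(block[:])
	}
	return key[:n]
}

// xorBytes is the whole cipher: the same operation encrypts and decrypts.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// SampleIntercepts returns two constructed ciphertexts sent "in depth": the
// operator reused the wheel setting, so both were encrypted under one keystream.
func SampleIntercepts() (c1, c2 []byte) {
	m1 := []byte(Crib + "NORTH SEA WIND NORTHWEST FORCE SIX VISIBILITY GOOD")
	m2 := []byte("CONVOY HX TWELVE DEPARTS HALIFAX AT DAWN WITH FOUR ESCORTS")
	key := keystream("wheel-setting-placeholder", 128)
	return xorBytes(m1, key[:len(m1)]), xorBytes(m2, key[:len(m2)])
}

// plausible reports whether a candidate decrypt looks like teleprinter text,
// here modelled as capital letters and spaces only.
func plausible(b []byte) bool {
	for _, c := range b {
		if c != ' ' && (c < 'A' || c > 'Z') {
			return false
		}
	}
	return len(b) > 0
}

// CribDrag slides the crib along c1 XOR c2. The shared keystream cancels out, so
// that XOR equals m1 XOR m2, and wherever crib XOR (m1 XOR m2) reads as text the
// crib has landed on its true position and exposed the other message beneath it.
func CribDrag(c1, c2, crib []byte) []int {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	diff := xorBytes(c1[:n], c2[:n])
	var hits []int
	for off := 0; off+len(crib) <= n; off++ {
		if plausible(xorBytes(crib, diff[off:off+len(crib)])) {
			hits = append(hits, off)
		}
	}
	return hits
}

// RecoverKeystream turns a placed crib into the keystream bytes beneath it.
func RecoverKeystream(cipher, crib []byte, off int) []byte {
	return xorBytes(cipher[off:off+len(crib)], crib)
}

// ApplyKeystream decrypts the same positions of any other message sent under that setting.
func ApplyKeystream(cipher, key []byte, off int) string {
	return string(xorBytes(cipher[off:off+len(key)], key))
}

func main() {
	c1, c2 := SampleIntercepts()
	for _, off := range CribDrag(c1, c2, []byte(Crib)) {
		key := RecoverKeystream(c1, []byte(Crib), off)
		fmt.Printf("offset %2d: second message reads %q\n", off, ApplyKeystream(c2, key, off))
	}
}
```

The defender’s lessons are the two the codebreakers exploited: a predictable opening gives the adversary known plaintext for free, and reusing a keystream turns that one crib into a window onto every other message sent under the same setting. Random-looking false positives from the plausibility filter are expected; the genuine hit at offset 0 is the one whose continuation keeps reading as language.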

But unlike these wartime puzzles, figuring out the Rosetta Stone had a major problem: you first had to find the context and get into the heads of the ancients without really any idea of what their lives were like or what they did. It is one thing to be solving a puzzle with contemporary references. It is another thing to try to reconstruct a dead language with no known speakers, and to do so by using yet another dead language.

Dolnick mentioned something in his book that got me looking further into our next tell. He was nice enough to answer my query with a link to this story in the NY Times which recounts the double-space-at-the-end-of-a-sentence debacle. The problem has to do with college essays, and having your parents write them, or more accurately, type them. Because those of us of a certain age learned to type back in the pre-PC era, we have this ingrained habit of using two spaces after a period. Kids who were digital natives didn’t have this habit, and college admissions staff could quickly recognize what parts of the essay were written by the parent as a result. If you didn’t know the context or the history, you probably would have missed this tell.

Finally, there is the “northeast” clue. Astute readers will probably recognize this as part of the decoding effort with the Kryptos sculpture at CIA headquarters. I wrote about this several years ago when I got a chance to meet Elonka Dunin, who maintains a wonderful resource page here. The clue is from the sculptor, James Sanborn, who is trying to help people decrypt the final piece of the puzzle. And just to bring things to a delicious full circle, one of the passages in the sculpture relates to the diary of archaeologist Howard Carter on the day he discovered King Tut’s tomb in 1922. It is all about Egypt!

GoodAccess VPN review: A new twist on an old security tool designed for the smaller business

There are lots of reasons to use a VPN for business: to improve your access speeds, to avoid state-sponsored blocks or tracking of your browsing movements, and to shield your business traffic from prying eyes when working remotely or from home. And while there are numerous VPNs that focus on larger enterprises or on individual consumers, the middle ground is poorly served. This is the target segment that GoodAccess, a Czech-based company, is after. They sponsored a review of their product, and I think they deliver in terms of preserving anonymity, privacy, and security, and have superior product features that make it particularly attractive for smaller businesses, such as its main dashboard shown here.

You can download a copy of my report here.

What color are your patch cables

(With apologies to Richard Bolles)

I was reading through my Twitter and came across this idea, taken from real life experiences of operations managers. The idea is to have an enterprise network-wide kill switch that can disconnect you from the internet and shut everything down as quickly as possible, in case of various emergencies.

Remember a common scene in many movies where the bomb squad comes in and tries to disarm the weapon? Armed with nothing more than a pair of wire cutters, they have to find the (always it seems) red wires and cut them just before the countdown clock reaches zero, while the dramatic musical score swells to a nail-biting crescendo.

So here is one suggestion: Use red patch cords in the networking closet and other critical locations to indicate the actual cables that need to be yanked in case of cyber emergency. Better yet, document their locations in your incident playbooks and other places where you keep your network documentation. (That assumes your documentation is actually up to date with the reality of your cable and server plant, which isn’t always a safe assumption. Here you can see a memorable pic of the time I visited one of CheckPoint’s labs and the sad state of this particular wiring closet.)

Now, in real life, things aren’t so simple. There are various dependencies among your equipment, and chances are just pulling the cables may cause more damage than it solves — depending on the particular emergency you are responding to. And as I wrote in that blog linked above, taking documentation seriously means keeping up in near-real-time with any changes to your network and applications infrastructure; otherwise it quickly becomes useless.

Happy holidays for those of you so celebrating.

Avast blog: New deepfake video effort discovered

Since I wrote about the creation and weaponization of deepfake videos back in October 2020, the situation has worsened. Earlier this month, several European mayors received video calls from Vitali Klitschko, the mayor of Kyiv. These calls turned out to be impersonations (can you tell which image above is real and which isn’t?), generated by tricksters. The mayor of Berlin, Franziska Giffey, was one such recipient and told reporters that the person on these calls looked and sounded like Klitschko, but he wasn’t an actual participant. When Berlin authorities checked with their ambassador, they were told Klitschko wasn’t calling her. Fake calls to other mayors around Europe have since been found by reporters.

Were these calls deepfakes? Hard to say for sure. I cover the issues and update you on the advances, if you can call them that, about deepfake tech for my Avast blog today.

FIR B2B podcast #157: Why the end of third-party cookies is a bigger deal than you think

Paul and I spoke to Chris Matty, the co-founder and Chief Revenue Officer at Versium, Inc. His company is developing better B2B ad tracking technologies that will ultimately be used when the third-party web cookie finally bites the dust next year.

As with so many online technologies, replacing cookies might require a lot of work from advertisers and web publishers. This is because Google, Facebook, Apple and Amazon all have a vested interest in keeping customers within their “walled gardens” and not necessarily sharing their tracking data with others. The great cookie demise will bring about a series of consequences, some intended and some unintended.

For example, there will be an initial rush for advertisers to make use of first-party data (meaning data that they have collected over the years themselves) until they realize that this data is outdated or inaccurate and can’t really provide the sufficient quality or insights or a path towards eventual purchases that the old cookies had. There will also be an adjustment as advertisers realize that reaching B2B customers is a lot more difficult than reaching consumers because many business customers don’t necessarily identify themselves as such — think of all the LinkedIn accounts that carry Gmail addresses as an example.

The work-from-home movement has increased the complexity of tracking: business customers now have different IP addresses or are hidden behind VPNs, so all that geofencing and IP tracking data is out the window! Versium is attempting to resolve these issues by aggregating anonymous data from a variety of sources to profile website visitors without compromising their privacy. Resolving identity means collecting and matching deterministic data that allows a marketer to reach or contact a specific person, such as email, phone numbers, addresses and device IDs. For example, think of trying to ensure you have identified the same person when sometimes they call themselves Bob Smith, sometimes Robert Smith, and in other cases they show up as @rsmith. Versium believes that’s possible in many cases using independent, opt-in sources.

The company is working with a variety of independent publishers and advertisers to consolidate data assets to allow independent publishers and site owners to better compete with the internet giants. The goal is to achieve personalization with privacy protection.

Chris has written extensively on this topic here. “Companies that deploy identity resolution solutions to optimize and leverage data can take back the control they had once ceded to third-party cookies,” he asserts.

You can listen to our 16 min. interview with Chris here.