Last week, the US Department of Justice announced the takedown of Russian IoT botnet and proxy service for hire RSocks. Working with various European law enforcement agencies, the FBI used undercover purchases of the site’s services to map out its infrastructure and operations. RSocks compromised its victims by brute forcing attacks on various IoT devices as well as smartphones and computers.
Network World: How to reduce cloud costs
The more workloads that you migrate to the cloud, the more difficult it becomes to predict monthly cloud costs. While it is great that you’re only paying for the services you need, trying to parse your monthly bill requires the skills of a CPA, a software engineer, a commodities trader and a sharp eye for the details. There are numerous helpful tools and services to help, and also several reasons to consider using them. You might be in the market to switch to a new provider in order to add features or because you aren’t happy with your provider’s downtime or level of customer support.
You can read my post for Network World here, where I provide details on more than a dozen different offerings. (Cloudorado is shown above.)
Avast blog: the evolution of self-sovereign data and Web 3.0 identity solutions
Earlier this month, Drummond Reed was one of the panelists at CoinDesk’s 2022 Consensus conference discussing “The Promise of Self-Sovereign Data and Web 3.0 Identity Solutions: Real or Mirage?” Reed, who heads Digital Trust Services for Avast, spoke about the evolution of these solutions and — like his fellow panelists — tried to frame Web 3.0 in terms of this perspective.
The session was moderated by Joe Cutler from Perkins Coie; other panelists included Richard Widmann, a strategy lead for Google Cloud; Tobias Batton, CEO of ExPopulus; and Lisa Seacat DeLuca, who is Director of Product and Engineering for Unstoppable Domains. They spoke about the evolution of Web 3.0 tech, what will tip it towards more general acceptance, and the role played by identities in the world of the blockchain.
You can read my reporting about this conference session in my latest blog for Avast here.
Avast blog: How the US government deals with zero-days
While withholding a zero-day’s existence can provide some government advantage, it can potentially harm the rest of us and break many elements of the global internet if vulnerabilities aren’t disclosed and patched.
By now, you probably know what a zero-day vulnerability is: In simple terms, it’s the discovery of software and hardware coding errors that can be exploited by attackers. Some of these errors are found by government researchers, intentionally looking for ways into foreign agency networks to spy on their enemies. Sometimes, our governments and even some private companies keep deliberately mum about these vulnerabilities for many years.
I had an opportunity to interview Lindsey Polley and how she is trying to improve our government’s response to managing its zero-days for my Avast blog.
Online collaboration still ain’t easy
I have been writing about the challenges of online collaboration for years (here is a piece I wrote about synchronizing online calendars for the NY Times back in 2009)., and here is a link to my review of personal cloud storage that I recently did for CNN) When it comes to working on the same document (or spreadsheet or slide deck), it sadly still isn’t easy. Sure, there are tons of tools, including cloud storage vendors (like Dropbox, Google Workspace and Microsoft’s basketful of deplorable apps), team messaging apps (like Slack and Teams), and various other SaaS apps that claim to be collaboration forward but are still back in the dark ages.
What is wrong? All of this technology comes down to a bad marriage between the personal and sharing mindsets. And while the tools supposedly get more sophisticated, they still have fundamental and foundational issues, like these:
Our first problem is the personal computer is inherently personal. Back in the 1980s when we each had a huge 4 MHz CPU sitting on our desktops, we could run whatever apps we wished out of a tiny floppy disk. We didn’t share nothing with nobody. There was no internet, no SaaS stuff, no web browser. There weren’t even any graphic interfaces. Life was simple, and it was good, or so we thought. But now we have all this power: multiple CPU/GPU cores to run all sorts of complex stuff, gigabit speeds coursing through our home offices. But we still tend to think about the document that is sitting on our screen as our own proprietary property.
This background hasn’t made sharing easy. For a project that I am working on for a client, they set me up on their internal email system because they were using GDocs/Workspace. If you aren’t part of the domain, GDocs goes through some trouble and getting you in synch is painful. Much easier to just create a new email on their domain and share that way. Something is wrong with this picture.
Microsoft isn’t much better. They have almost as many varieties of sharing tech as Heinz has ingredients in their condiments. You have a Sharepoint drive, which isn’t the same thing as the Teams shared drive which differs from One Drive which isn’t the same One Drive on the E6 Enterprise license of Office 365, and oh by the way login.microsoft.com presents a different dialog from all of the above and is needed to manage all your various identities and sharing permissions.
Underlying all this tech are two basic ways to share stuff: either by URL (or by email, which embeds a URL in the message body), or by working with user identities, which also makes use of email addresses. Sometimes one method works better than the other. The ideal collaboration tool allows for setting basic access rights (view or edit your content), and sometimes these work, sometimes these are assigned to someone’s personal Gmail address when it should have been assigned to the common work domain address. Maybe this was an issue back in 2009, but it is still an issue today.
The sharing routines are broken because you have multiple paths and devices and apps to get you to your content. You can use a desktop or mobile app, a cloud app, a plain-Jane browser session. If you don’t have a desktop license to the word processor or presentation app, you have to bring up the browser and hope that you can run the app inside your browser — for those corporate-managed Windows machines that are under app lockdown, you might have to go through some hoops to get the right collection of permissions.
Plus doing this in near-real-time can be an issue if you are spread across a bunch of time zones around the planet and keeping track of what was done on a previous edit. This happened to me recently as one of my editors is in Europe while another is in California.
Sometimes I just give up and email someone the Word doc we are working on and just call it a day. That is absolutely the worst way to collaborate, bouncing bits back and forth across the internet. I hope it doesn’t take another decade to fix the collaboration problem.
Apple’s new privacy push
Have you seen this new TV spot from Apple called “Data Auction”? It is really bugging me. I must have seen it about 50 times on various streaming services. While it does a great job of showing how your personal information is being traded by data brokers, it takes tremendous license with its visual elements and how its iOS operating system actually works.
Apple has been improving its privacy protection over the past several years, so I give them some props for trying. But unless you are determined and really patient, fixing your phone (or other fruit-filled device) up the way you’d like it to preserve your privacy isn’t simple, and chances are you’ll probably get it wrong on the first try.
Apple’s commercial touts new features that they have added to iOS over the past couple of years: the ability to prevent third-party apps and advertisers from tracking your movements, including across your app portfolio, browsing and through using its Mail app. They both can eventually be found in the Settings/Privacy/Tracking screens. As we watch our hapless actor “Ellie” wander into her data auction, she fortunately has her iPhone at hand and is able to zap the auction audience into smoke with the press of A Single Button. Too bad that isn’t the actual iOS interface, which has a very confusingly labeled slider “Allow Apps to Request to Track” that should be off if you want to do the same thing (data oblivion). There is another button that Ellie used to rid her emails of trackers.
Okay, it is a very effective commercial. And I am glad that Apple has taken this approach to help users’ privacy. But why not use the actual UI? And better yet, why not hide it three menus deep where few can find it?
Apple has some interesting developments for iOS 16 that will be out later this fall, including one called “Safety Check” that Elllie will really love, especially if she has an abusive partner or a cyber stalker. Maybe if they use the same actor we can get a more faithful representation of what real users will have to do.
Have you hired a North Korean full stack developer?
Chances are unlikely. But what is really scary is that it could have already happened, and you just didn’t realize it. A report from various US federal agencies was published a few weeks ago, offering guidance on IT workers who are trying to get a job in your company while posing as non-North Koreans. You probably already know that the country has trained thousands of workers in various IT disciplines to generate revenue for the government. In the past, these efforts have mostly involved developing malware (such as this notice from CISA about targeting blockchain companies) and launching ransomware attacks. But lately they have turned to a new ploy: creating credible resumes for job seeking candidates that will get hired and help to launch attacks from within the company. Thanks to the pandemic and an increase in remote work, this has become a real risk.
While many of the candidates were immediately found lacking (one hiring manager said it was obvious they didn’t have the right knowledge or skills), still this notice gives me pause. It is the ultimate supply chain attack, because it is aimed at the growing shortage of full-stack and other agile developers. The feds report that thousands of them are taking on IT contracts all over the world, with many of them in North Korea, Russia and China. At salaries of US$300,000 or more, that can generate a lot of income for North Korea — the individual IT workers of course see little of those funds. The candidates possess remarkable skills in a wide variety of disciplines, such as mobile app development, AI-related apps, and database development.
Of course, if one of these phonies is actually hired, their firm can face all sorts of legal and financial penalties, given the numerous sanctions that have been created to prevent any kind of trade with North Korea. In many cases, firms downplay this threat, thinking that North Korean IT workers aren’t that sophisticated. The government report disagrees and sounds a clear warning.
The report has numerous ways you can tell you are dealing with a bad actor, and I use the term both literally and in the cyber sense. For example, the candidates have too-good-to-be-true reviews on the hiring websites, and the reviews collected in a very short time period. Their “extensive” knowledge doesn’t hold up under questioning (of course, this means you have to be prepared to vet them carefully with the right questions) and have long latencies in their video conferencing calls that don’t match their stated location — many candidates will claim a US college or technical degree and US residency. Just considering three of North Korea’s top schools, more than 30,000 students are currently studying various IT topics, and there are now more than 85 programs in 30 schools offering various STEM curricula.
North Korean “IT workers may share access to virtual infrastructure, facilitate sales of data stolen by North Korean cyber actors, or assist with their country’s money laundering and virtual currency transfers,” says the report. They hide their true identity behind third-party shell companies, or play the role of a subcontractor to a legitimate company. They are proficient in English and Chinese, although not as proficient if you know what to listen for to ferret out their accents. They make use of forged or stolen identity documents, using the names of actual employees and email addresses that appear to be from a Western business domain. They construct phony portfolio websites that don’t usually stand up to scrutiny. The trick is to provide the actual scrutiny during the interview process.
The report lists other “tells” and red flag warnings, such as using a non-standard remote desktop software tool or a low proportion of accepted bids on projects or referencing non-functioning websites. Of course, if someone were to vet my previously published work, you would find some similarities to the numerous dead B2B IT websites that I wrote for in the 1990s, but let’s not go there for now.
To mitigate and properly vet these phonies, the report authors suggest that all identity documents be carefully scrutinized and verified independently, and any low-res versions rejected. Video interviews showing the candidate should be conducted carefully, and the candidates also questioned carefully. Employers should conduct background checks, verify education directly with the college and avoid making any virtual currency payments and verify banking accounts. The DoJ has its “rewards for justice website” (shown above) where you can submit a tip and perhaps claim a substantial reward.
Avast blog: Key takeaways from Verizon’s 2022 DBIR
It’s time for the annual Verizon Data Breach Investigation Report (DBIR), a compendium of cybersecurity and malware trends that offers some of the best analyses in our field. It examines more than 5,000 data breaches collected from 80 partners from around the world. This year’s DBIR offers practical advice on improving your security posture and tips for making yourself much less of a target. From the SolarWinds attack to the growth in ransomware, there is a lot to discuss.
As shown above, we’re patching more and we’re patching faster. And we are generally getting better at detecting attacks in a timely manner. You can read more in my latest blog for Avast here.
Network World: New ways enterprises can use VPNs
The pandemic has accelerated the development of better ways to serve and secure remote workers, which make it a good time to re-examine VPNs. Recently VPNs have received technical boosts with the addition of protocol options that improve functionality far ahead of where they were when first invented. At the same time, new security architectures zero trust network access (ZTNA), secure access service edge (SASE), and security service edge (SSE) are making inroads into what had been the domain of remote-access VPNs.
In my latest post for Network World, I talk about ways that VPNs can complete ZTNA.
Printer inks and tractors, and the right to repair
You might recall several years ago when it came time to replace an “empty” Lexmark printer cartridge, you had to purchase a new “authentic” one as a replacement. HP had a similar program. Lexmark was sued (and lost in the Supreme Court) by a third-party ink maker who was blocked by the locking software. (The reason for the quotes is because these cartridges are seldom anywhere near empty, wasting a lot of ink. But let’s stay focused.)
What does this have in common with tractors? John Deere has special locking software that prevents farmers from doing their own repairs. This came to light recently when Russian troops stole about US$5M worth of them from Ukraine and brought them to Chechnya. The Ukrainians were able to “brick” the tractors by engaging the software. This is not a coincidence: their software engineers have been hacking Deere tractors for years.
Now, while you may cheer on the Ukrainians, this exposes the dark side of tech called the right to repair. For the past decade, tech companies have come under fire for preventing “unauthorized” repair work on their equipment. Apple is one of the most egregious, you can’t just have anyone fix your gear. But as supply chains stretch and break during the pandemic, we need more flexibility, not less. And typically using the authorized repair folks is nothing more than having an added surcharge to your repair bill. (And if you are a farmer, waiting for the Deere repair dude to drive out to your farm.)
One small victory in this arena has been the unlocking of cellphones. Remember when you had to get permission from your phone vendor if you wanted to port your phone and your number to another carrier? You still need to go through a somewhat dense process, but at least the carriers have to sell you a new unlocked phone. Various states now have laws on their books to mandate rights to repair, but it still is far from universal.