Avast blog: Understanding how cybercrime group FIN7 has evolved into a major ransomware player

Malware group FIN7 is once again on the move, leveraging software supply chains, remote program execution methods, and stolen credentials to deliver ransomware to enterprise networks. The group goes by several different names and is adept at using various backdoor tools to worm their way into corporate networks. You can see the various malware programs that have been attributed to FIN7 over the past two years in the diagram below from Mandiant.

You can read more about their exploits in my latest blog for Avast here.

Avast blog: New digital threats targeting backup power supply systems

Security researchers have uncovered a new series of threats that are targeting uninterruptible power supply (UPS) units. These threats can result in malware attacking the computers connected to the same networks through a variety of clever mechanisms.

The three threats affect most of the Smart UPS line of APC backup power supplies that are widely used by larger enterprise customers. I write about this for Avast’s blog here.

Podcast: How to do effective SEO (this is not a scam)

Over the years I have received numerous emails from people trying to sell me how I can transform my website to become #1 on Google searches. The promises always have a hollow ring, because while they might work at a particular moment in time (if at all), they miss the longer-term implications of how search engine rankings work. Usually, they are just scammers designed to separate you from your cash.

The field of search engine optimization or SEO is fraught with these charlatans, and I have been reluctant to write about this because I am not really an expert. Over the years I have adopted a very simple SEO strategy: just provide the best possible content, try to keep the links on my website as fresh as possible, and fix broken or outdated links whenever I can. I realize this is a far cry from “real” SEO, I know.

I remember when I first put up my website back in the early 1990s, I thought I wouldn’t have any broken links. Well, that wasn’t a sustainable strategy and I think it wasn’t long before I couldn’t keep up. I was reminded of this when I spent the better part of a few hours last week trying to fix the various broken links that TechTarget created for my content when I was searching for an article that I wrote back in 2006. I have written a ton of things for their various websites (such as SearchSecurity.com) and there is a lot of repair work on broken links, tracking down outdated content and finding that much of my original work has been updated by someone else.

Anyway, my point is that SEO can be more one of the dark arts of magic than a science. I was delighted to come across Influence&Co., a content marketing firm here in St. Louis that understands these issues and has tried to help their clients with their SEO strategies. For our latest FIR B2B podcast, Paul Gillin and I interviewed Tony Patrick, who directs digital marketing for the firm.

One of Tony’s colleagues wrote this piece in Sales & Marketing.com on SEO tactics. The piece mentions several tips, including

  • Doing keyword research and then implementing them in your content and metadata,
  • Why inbound links matter and how to go about placing them effectively,
  • Placing content in external publications and then doing back links on your site, and also
  • Posting both textual pieces with video and podcasts to exploit different learning styles of site visitors.

We explore some of the suggestions mentioned in that piece to help B2B marketers become better SEO practitioners. The basics behind the SEO industry haven’t changed much in the past decade, but it helps to hire someone like Influence&Co. that specializes in this area to make sure your website gets traction and, well, influence. We also discuss how to vet potential content marketing partners to deliver the best and most useful content, and avoid those “make money fast” scammers with their “guarantees.” Tony also gives his suggestions on the best tools to use to track your search results, including Semrush, Hubspot, Ahrefs, and Moz.com.

You can listen to the 19 minute podcast here:

If you like this episode and want to subscribe to the series (Paul and I produce two a month), you can go here to get email alerts, listen to them on Apple Podcasts, or use your favorite podcast app with this feed link.

CSOonline: How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. If you don’t currently have your own SOC, you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation.

Since I first wrote this piece back in 2019, the SOC-as-a-service (SOCaaS) industry has matured to the point where the term is falling into disfavor as managed services vendors have become more integral to the practice. As cloud-based security tools have gotten better, data centers and applications have migrated there as well. Some of the services I discuss in this updated article for CSOonline call themselves SOCaaS, while others use other managed services designations. I cover what they offer and how to pick the right supplier for your particular needs.

And to help you evaluate your own SOCaaS providers, I wrote this 2019 article that outlines what you should have in your RFPs.

Ranking the world’s democracies

This morning I was watching the live coverage of the meeting of six foreign ministers in the Israel Negev. It was a remarkable experience because of the venue, the nature of the broadcast itself and the way it was being reported, and the global context of the meeting.

Before I can explain the situation, let’s take a short quiz. Here are six countries (not the same list as the ministers). Put them in order from most to least democratic. Use any metric you’d like. USA, Rwanda, Laos, Moldova, Norway and Qatar. Don’t peek at the end of the essay for the results quite yet. I will give you one hint: we are not the top country, by a long shot.

So why am I writing about this today? The Negev Summit, as it was billed, covered the ministers from USA, Morocco, UAE, Bahrain, Egypt and Israel. Some of the men were in Israel for the first time in their lives, which was interesting in and of itself. It was notable who was not there:  the leaders of Jordan and Palestine were meeting in the West Bank as a bit of counter-programming. What was different (apart from the actual meeting itself) was the location: the last home of David Ben-Gurion, who was the founder of the modern Israeli state.

That is how I have thought of him ever since I was a pre-teen attending Hebrew school. He is well-regarded by many Israelis and there are several things that carry his name today, including the Tel Aviv airport where every tourist to Israel and the West Bank arrives and a university in Beersheva that I have been to numerous times and where my son-in-law got both of his college degrees. If you drive another 45 minutes south of the university, you will get to the Negev town of Sde Boker, which is where the summit took place. There is a kibbutz and it is also near a Bedouin camp, and also not too far from Israel’s only nuclear “research” reactor.

Anybody who thought at the end of 2020 that things could not get worse for the world’s democracies has been proven wrong, says the Economist’s Intelligence Unit in their latest “Democracy Index” report. The overall index hit a new low since it first began its tabulations in 2006, largely thanks to a variety of government-imposed tools for tracking and monitoring citizens that were brought on by the pandemic. The report goes into lots of detail about how they scored each of 167 countries on 60 different metrics such as electoral processes, civil liberties, and government functions. These are rolled up to classify each country into one of four categories:

  • Full democracies
  • Flawed democracies
  • Hybrid democratic and autocratic regimes
  • Authoritarian regimes

My six-country quiz contains countries in each category. And here is another hint: we are not a “full” democracy by the Economist’s definition. Sad to say. They figure out the segments based on examining the various components of freedom, such as: freedom from want and the satisfaction of material needs; political and religious freedom; democratic rights and equal treatment for all citizens; equality of opportunity and the avoidance of stark economic and social inequalities. One of the things that interests me is that there are various shades of authoritarianism. The World Population Review counts 52 countries and describes them as one of five different types, based on how a dictator grabs and maintains their power. This could be through the use of the military, a monarchy, a force of personality, a single political party, or some combination. The various dictators are listed and linked to by name.

Another group that tracks these issues is Freedom House’s annual “Freedom in the World” report. It scores countries by overall freedom, internet freedom, and democracy scores. They use a definition for electoral democracy which includes:

  1. A competitive, multiple party political system,
  2. Universal adult suffrage,
  3. Regularly contested elections conducted on the basis of secret ballots, reasonable ballot security and the absence of massive voter fraud, and
  4. Significant public access of major political parties to the electorate through the media and through generally open political campaigning.

Going back to the Negev Summit, I should mention that I was watching it on Al Jazeera’s English channel, which as I said was doing a live broadcast wrapping up the summit. This is the channel which is owned by the Qatar government, which is considered an authoritarian regime because of its leader. But Qatar is on the upswing: the report shows a steady increase in their index since it began. I have been watching more of their coverage because they do a really good job of reporting from all sorts of places around the world (they had two reporters at the summit, for example).  At one point, the analyst from the channel being interviewed mentioned how Ben-Gurion was also the leader of many attacks on the Arab residents in the early years of Israel’s independence, a point of view that I hadn’t previously considered.

Ok, now time for the list, from most to least (with their rankings from the Economist report, where the lower number means more democratic):

  1. Norway (1)
  2. USA (26)
  3. Moldova (69)
  4. Qatar (114)
  5. Rwanda (127)
  6. Laos (159)

Avast blog: New survey shows a widespread lack of cybersecurity preparation in SMBs

A marketing firm asked 1,250 small business owners (with fewer than 500 employees) about their cybersecurity practice, and the results are pretty staggering. They largely show that most aren’t doing much to prepare for potential attacks, and for those that have done some work, it often falls far short.

Nearly half of the business owners surveyed don’t have any defensive measures in place, and a third have no protection whatsoever against cyberattacks. And less than a third have implemented regular data backups or made use of secured networks, two of the reasons why ransomware continues to be effective. You can read my analysis in Avast’s blog here.

 

FIR B2B podcast #154: SMS Texting for B2B With Barbara Casey

Earlier this month, Nate Nead wrote this screed on ReadWrite (a site where David once managed an editorial team) about how marketing is getting more difficult. We both think that this isn’t true and that with the right automation and tools it is getting easier to target audiences. Nead says, “Effectively persuading and reaching customers in the modern world requires a more nuanced, organic approach.” Did he miss that memo about 10 years ago? If you aren’t already doing that you’re out of a job. Nate also wrote that “It’s incredibly tough to stand out and you’ll probably have to spend a lot of money to do it.” Again, we don’t think money is the answer. Being more effective at telling a compelling story is.

Let’s move on to our conversation with our guest. With social media proving less and less effective at generating and converting leads, small business owners, in particular, are looking for better ways to create dialogues with their customers. Well, have you thought about SMS text marketing? Barbara Casey is CEO of Mobile High 5 and she says a text campaign, combined with a loyalty program, can yield three- to five-fold traffic spikes when a text goes out. The company works with retailers, restaurateurs and service providers to build custom mobile marketing programs that drive customers to shop or dine more frequently. We spoke to her about how to be effective at integrating SMS with loyalty programs, ways to mix online and bricks and mortar retailing, and why you should know the text code 7726.

Dave Hearst Saves Lives by Delivering Blood for the Red Cross

Most everyone is familiar with American Red Cross blood drives. But collecting the blood is just one part of the operation. After processing, the right blood products must be delivered to the right hospitals at the right time, and that requires a lot of logistics. To get the job done, the Red Cross depends on volunteers to transport these donations. One of the most reliable and enthusiastic volunteers is Dave Hearst, who began volunteering in May of 2018 after hearing about the need for drivers while making his own regular blood donation. I interviewed him for a profile for the Red Cross here.

Like Hearst, I also volunteer as a blood driver for our local chapter. It is very rewarding work. We save the chapter more than $1M in transportation expenses annually.

Avast blog: Watch out for browser-in-the-browser attacks

A man-in-the-middle (MITM) attack consists of a victim, a website the victim would like to contact (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website with the intention to steal personal information such as login credentials, or bank account and credit card numbers. MITMs have consistently been an active development strategy for hackers.

There are several different types of these attacks, including ones that involve running software on a webpage that can infect your computer through your browser. One of them is gaining traction (from the attackers) and is what one security researcher calls browser-in-the-browser. The idea here is that a hacker can write some JavaScript code to present a pop-up window that is another phishing phony to lure you into typing your account information. Look at the two screens reproduced above: it is hard to figure out which is real and which is a threat.

I wrote about this for Avast’s blog here. One way to prevent this exploit is to use a secure browser (such as one from Avast or Brave).

CNN: The best VPNs for 2022

CNN had me review a bunch of VPN services for their Underscored site. I looked at 11 different products. I don’t have to tell you why you should use a VPN. But no product can 100% handle the trade-off among three parameters: anonymity, or the ability to move online without anyone knowing who you are; privacy, or the ability to keep your own data to yourself; and security, or to prevent your computers and phones and other gear from being compromised by a criminal. You can’t do all three completely well unless you go back to pen and paper and the Pony Express. Using a VPN will help with all three aspects, and some are better than others at balancing all three.

My two favorites were Mullvad.net and IVPN.net. Both use a novel idea to ensure that they don’t know anything about you — when you download their software, you are assigned a random string of characters that you use to identify yourself. No email necessary. If you don’t want to use your credit card, you can pay via alt-coins too. Consider this a “single-factor” authentication. That means no password is required once you have entered your code, it is unlikely that anyone can guess this code or find it on the dark web (unless you reuse it, which you shouldn’t), and there is little chance anyone could connect it back to you even if they did manage to get a hold of the code in a breach.

Neither vendor has the largest server network (that title is shared by Hotspot Shield, Private Internet Access, ExpressVPN and CyberGhost). But each of these is owned by corporate entities that play fast and loose with your private data (Aura and Kape Technologies). If you want to spend more time understanding the privacy issues, check out Yael Grauer’s excellent analysis for Consumer Reports Digital Lab here.

Not on my recommended list is the VPN that I have been using for the past several years — ProtonVPN (shown above). I am of two minds here. On the plus side, I have a fond spot in my nerd heart for Proton, the Swiss company that was an early proponent of encrypted email. But the VPN product is slower, more expensive, harder to use and more of an “OG” VPN that requires emails and credit cards to subscribe. Yael’s report also mentions some privacy difficulties with the service, as well as those well-advertised services mentioned above that have leaked data or aren’t as transparent as they claim to be.

If you leave home, you need to run some kind of VPN. Period.