CSOonline: Understanding risk-based authentication

The last time I bought a suit was several years ago, in advance of my daughter’s wedding. Back in the 80s and perhaps 90s, I would wear a suit whenever I travelled or spoke at a conference. These days, not so much on either travel or suit-wearing. I actually bought two suits (whadda deal!) and I was pretty happy with the process until it came time to pay. My credit card was immediately declined. I certainly had plenty of credit limit (I think the total purchase was about $1000) but the algorithms used by my bank kicked back the transaction because it had been ages since I last bought a suit, or bought anything at a retail store for that amount of money.

This process to question my transaction is called risk-based authentication (RBA), and it has become quite common, particularly as criminals get better at compromising our accounts and as we continue to reuse our banking passwords that get phished and posted across the dark web. The banks have gotten better at investing in this tech so as not to have many false positive flags (such as my suit purchase) based on all sorts of factors. In my case, I probably still would have been challenged because I was at a location not close to my home and in a store that I hadn’t been in before. But the RBA can incorporate all sorts of other factors, such as the hardware you are using on your phone (if that is involved in the transaction), whether your typing cadence has changed (such as someone else using your computer or using a clone of your phone number), or a pattern of multiple purchases that were made earlier that day or from “impossible travel” where multiple IP addresses that are located at great distances use the same login credentials (of course, you have to be careful someone isn’t using a VPN here).

Speaking of impossible travel, back when I did travel internationally I had to remember to login to my banks and tell them where I was going. One time I forgot and my credit card dinner purchase was declined. Now most banks don’t need you to do this, thanks to better RBA.
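As an added illustration of the RBA factors described above (example code written for this post, not from the CSOonline story or any vendor), here is a minimal risk scorer that combines impossible travel, distance from home, an unfamiliar merchant type and an out-of-pattern amount; the customer history, home coordinates and thresholds are constructed assumptions, and a VPN exit node would still show up here as a location, which is why a high score triggers a step-up challenge rather than an outright decline.

```python
import math
from datetime import datetime

# Constructed sample history for one customer: (ISO timestamp, lat, lon, merchant_type, amount)
HISTORY = [
    ("2022-02-01T12:00", 38.63, -90.20, "grocery", 85.0),
    ("2022-02-03T18:30", 38.64, -90.21, "restaurant", 60.0),
    ("2022-02-05T09:15", 38.63, -90.19, "grocery", 92.0),
]
HOME = (38.63, -90.20)        # assumed home coordinates (St. Louis area)
MAX_PLAUSIBLE_KMH = 900.0     # about airliner speed; anything faster is "impossible travel"
STEP_UP_THRESHOLD = 50        # assumed policy: at or above this, challenge the user

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def score_transaction(history, home, ts, lat, lon, merchant_type, amount):
    """Return (score, reasons); each signal that fires adds a fixed weight."""
    score, reasons = 0, []
    now = datetime.fromisoformat(ts)
    # Impossible travel: speed implied by the most recent prior event (IP geolocation,
    # so a VPN can produce a false hit; treat it as a signal, not proof of fraud)
    prev = max(history, key=lambda h: datetime.fromisoformat(h[0]))
    hours = abs((now - datetime.fromisoformat(prev[0])).total_seconds()) / 3600.0
    if haversine_km(prev[1], prev[2], lat, lon) / max(hours, 1e-6) > MAX_PLAUSIBLE_KMH:
        score += 60; reasons.append("impossible_travel")
    # Far from the customer's home location
    if haversine_km(home[0], home[1], lat, lon) > 200:
        score += 20; reasons.append("far_from_home")
    # Merchant type this customer has never used before
    if merchant_type not in {h[3] for h in history}:
        score += 20; reasons.append("new_merchant_type")
    # Amount far above the customer's largest prior purchase
    if amount > 5 * max(h[4] for h in history):
        score += 30; reasons.append("amount_anomaly")
    return score, reasons

def decision(score):
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

if __name__ == "__main__":
    # The suit purchase: 380 km from home, new merchant type, 10x the usual amount
    print(score_transaction(HISTORY, HOME, "2022-02-06T14:00", 39.10, -94.58, "clothing", 1000.0))
```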

The three credit bureaus (Experian, Equifax and TransUnion) have all bought various RBA vendors over the years (41st Parameter, Kount and Iovation, respectively). Both LexisNexis and Mastercard have their own RBA tech too (ThreatMetrix and NuData Security, respectively). What is interesting about this group is that they handle millions of financial transactions each day, or even each hour, so they can spot fraud trends more quickly. RBA has quickly grown from wonky security tech into the mainstream precisely for this reason.

This week I wrote a story for CSOonline where I take a closer look at 12 different RBA vendors’ offerings. I have studied these products for years, and am glad to see continued progress in their features and usability. One example is the latest offering from Ping Identity, called PingOne DaVinci. This is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

Avast blog: Avoid fake Windows 11 offers with these tips

If you’ve recently received an email recommending that you upgrade to Windows 12, you probably had enough spidey-sense to delete it. You should realize this is a fake or a come-on for some piece of malware that was about to infect your computer. But what about if you got a message asking you to upgrade to Windows 11? Security researchers have tracked a malicious campaign that made use of a legitimate-sounding “windows-upgraded” domain (don’t worry, it has been neutralized since) which was used to spread RedLine Stealer malware by running a fake installer.

In my blog post for Avast, I describe the scam and ways you can check to make sure you are downloading the legit Win11 upgrade package.

Time for some privilege management

Working in infosec, we use the term “privilege access management” to refer to security tools that determine which users have what kinds of rights to access particular applications, devices and networks. But when I read this recent Protocol story (that is the name of the online pub, btw) about a tech writer who turned down a potential job with a software firm because they were using Teams (that is the name of the Microsoft software, btw), I had to stop and think about this.

This is what the Great Resignation has come to? Granted, I am not a big fan of Teams but heck, that would not be a dealbreaker when I would consider joining a company. At least they aren’t using AOL IM, which was the messaging standard — even for corporations — back in 2006 when I wrote this story for the NY Times.

But still. I guess in these days where it is a job seeker’s market, you don’t have to check your privilege at the Teams web portal, to inelegantly coin a new phrase.

Back in the olden times — say the early 90s — people who wanted to use Macs had trouble getting them purchased as their corporate desktop or laptop of choice. Thankfully we have all moved on from that era. So I guess it was only a matter of time before someone, as misguided as the dude in the Protocol story, would vote with his feet or keyboard or whatever and seek employment elsewhere. “The vibes are off.” What, is he also a music critic?

Now, being a member of the tech writing community I am embarrassed about this. And unlike the Mac/Windows dichotomy of yore, we are talking about the software this potential privileged person will use to connect to his peers. And a collaborative piece of software: this is something that everyone has to use to derive value.

Remember how tech companies used to lure candidates by having free food prepared by on-site chefs, well tricked-out workout rooms, and snack closets that could compete with Trader Joe’s? Now I guess this means that companies will have to offer Slack safe spaces (or whatever piece of software offends the next potential new hire). It is a sad day indeed for all of us.

Avast blog: How the IRS can do better with its digital identity program

The US tax collection agency, the Internal Revenue Service (IRS), has changed course with its short-lived identity verification system that was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer.

This week, things came to a head and the IRS decided to ditch its ID.me solution. I describe the chain of events, why ID.me was such a lightning rod, and some ways that the IRS can gain traction and show leadership in the decentralized identity space in my latest blog for Avast here.

Infoworld: How Roblox fixed a three-day worldwide infrastructure outage

Last October the gaming company Roblox’s online network went down, an outage that lasted three days. The site is used by 50M gamers daily. Figuring out and fixing the root causes of this disruption took a massive effort by engineers at both Roblox and their main tech supplier, HashiCorp. The company eventually posted an amazing analysis on a blog post at the end of January. Roblox got bitten by a strange coincidence of several events. The processes they went through to diagnose and ultimately fix things are instructive to readers who are doing similar projects, especially if you are running any large-scale IaC installations or are a heavy user of containers and microservices across your infrastructure.

There are a few things to be learned from the Roblox outage that I discuss in my latest story for Infoworld.

Avast blog: How to protect your network from a future attack

A new report on how to protect your networks from attack is a helpful document that covers a lot of different bases within the cybersecurity landscape. The report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, was written by several cybersecurity analysts “based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents,” in the words of the authors.

It contains hundreds of tips for protecting Windows deployments, including command-line strings, adjustments to various group policy parameters, and other very practical advice on spotting potentially compromised systems.

I summarize a few of the more important ones in my blog post for Avast.

The evolution of internet faxing

Almost 30 years ago, two computer geeks – Marshall Rose and Carl Malamud — put together the first wide-scale attempt at sending faxes over the internet. In the beginning, it was fairly modest, with service reaching a few select cities in the USA and Canberra, Australia. The two geeks were fans of the campy 1960s movie “The President’s Analyst,” which was why they named their venture TPC.INT. If you haven’t ever seen a .INT domain name, here is a list of them according to Wikipedia: they are websites for various international organizations. In true Rose/Malamud fashion, they wrote a series of internet RFCs (here is one) to document how the thing worked. (Here is a short history of the TPC.INT domain and here is a collection of the first set of faxes they received at their launch.) It relied on a series of volunteers whose internet-connected computers were hooked up to a standard phone line and would place a local call to an actual fax machine (this was before long-distance VOIP lines were common, let alone cell phones). The duo called TPC “an experiment in remote printing” because that was the concept: sending a document to a fax-based “printer” that was located at some other place in the world.

While TPC was getting together, PC component vendors were building fax capability into their overall modem electronics. For those of you who think a modem is what connects you to the internet through your cable or DSL provider, back in the dial-up days we had modems that plugged into ordinary analog phone lines. One of the first successes was an add-in board from Intel called SatisFAXtion. This allowed you to fax directly from your DOS applications. Here is a box shot of the adapter.

Anyway, those early experiments brought about an entire service industry that is now dominated by the likes of eFax and jFax. While TPC was just for sending faxes via email (and later via a web browser), these services have expanded to also receiving them (via a fax-to-email interface) and using a variety of modalities, including your mobile phone, cloud storage and dedicated clients.

Along the way, I wrote a few articles for businesses that wanted to use these services, such as “Faxing on the Go” in 1999 for Computerworld and another column for PC World about their basics in 2009. For years I maintained a table comparing services on my website, but given that there are so many places to find more in-depth reviews of these services (including PC Magazine, Tom’s Hardware, and NYTimes’ Wirecutter, just to name three), I gave up trying to keep the table current. If you are looking for an internet fax provider take a look at the Tom’s review. If you scroll down, they will help you frame your decision (do you need multiple inbound fax numbers, custom cover pages, searchable archives, and so forth). The two services that I currently use are eFax (I got on board their free service and still have a working inbound fax number) and FaxZero (which is great for the once-in-a-blue-moon frequency that I need to send faxes). The three review sites have their favorites based on various criteria.

Why was I thinking about internet fax? Last week I was opening a new IRA account. I began with a simple online application, then I needed to send in some documents to the bank. My delivery choices were as follows:

  • A secure file upload web portal
  • Sending regular postal mail with my check (not a good idea, given the state of the USPS these days)
  • Sending an overnight letter (to a different address than above, of course)
  • Or sending a fax.

If I used the portal or fax, I would need to talk to a bank representative to provide my existing bank account that they could use to collect the funds. I chose the portal. The experience was far from seamless, which goes a long way toward explaining why fax continues to this day. It seems when I have to deal with a bank, an insurance company, or a doctor’s office, all of them still use faxes.

Certainly, we have come a long way since those early days when fax machines used special paper that would fade in strong sunlight. And while there are a number of ways to securely send files (as I wrote about recently for The Verge here), sending a fax is still a lot easier.

Avast blog: School cybercrime attacks are on the rise

You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.

You can read my analysis of the trend and what the UK is doing to stem the tide here in a blog for Avast.

Book review: Ahead of the Game

As someone deeply steeped in the tech industry, I am embarrassed to admit that reading Ahead of the Game by Kevin Ryan (a business tech reporter) is the first time I have heard of Delane Parnell and his rise to run one of the most successful startups of the modern era. His company, PlayVS, has grown into an eSports powerhouse, and Parnell’s origin story is told with lots of verve and interest in this book.

Parnell showed early signs that he was going to be a great business leader. As a teenager, he leveraged his way from working in a cell phone store to becoming a partner and owning several of them in his native Detroit.

When he raised his first venture round, it was the third largest such round by a Black-owned business. PlayVS was responsible for recruiting thousands of high school gamers to participate in the first ever varsity-level gaming contests, with almost half of the players being in their first after-school activity ever. The story shows the numerous obstacles that the venture capital world — like the rest of society — places on successful Black entrepreneurs and how Parnell managed to overcome them to build his company. For all potential entrepreneurs, this is a must-read book.

My former boss Jason Calacanis interviewed Parnell at the beginning of the Covid pandemic in April 2020 on This Week in Startups. If you don’t want to read the book, you can watch the interview, where Parnell talks about going to Jason’s Launch event as a teenager and getting inspired by the conference and meeting other startups.

CSOonline: how to run an effective red/blue team exercise

In the arsenal of cybersecurity defenses is the series of exercises that go by the name of red team/blue team simulated attack. These simulations are purposely designed to closely mimic actual real-world conditions. For example, one of the red team members would take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.

In this piece for CSOonline, I discuss the difference between the various colored designations, why you would want to conduct these exercises, and some recommended steps to take to pull this off.

Linode has published an excellent series of red team exercises that is worth looking at.