Avast blog: A 2022 update on data privacy legislation

Last year, Mississippi didn’t pass its privacy bill and more than a dozen states had bills that are still under consideration. Iowa, Indiana, and Oklahoma are all in the process of moving various privacy bills through their legislatures, and several other states have begun to consider new laws. Also, seven states are considering biometric information privacy legislation.

The most comprehensive source remains the above annotated map from Husch Blackwell, which will link you to each state’s legislation. If you are looking for more analysis, this page from the National Conference of State Legislatures has more contextual explanations.

In my latest post for Avast, I review some of the recent developments and further refinements on the three states that have enacted privacy legislation — California, Colorado and Virginia.

An open letter to Gov. Mike Parson

Several months ago, our governor began an attack on Josh Renaud, a reporter for our local newspaper, the St. Louis Post-Dispatch, about an article that he wrote about a vulnerability he found in a state website. Since then there has been plenty of coverage by the paper, including the latest events this week showing the governor’s efforts were wrong, misplaced, and counter-productive. (And Brian Krebs also covered it this week as well.) I exchanged some email with Renaud, and he suggested I use my platform to explain my POV and shed some light on what happened. So here goes a letter that I will also send to Parson.

Dear Governor Parson:

The hardest thing about being a great leader is to admit you made a mistake. I am writing to try to convince you that your course of action in trying to prosecute Josh Renaud and the St. Louis Post-Dispatch is not just wrong-headed but taking our state down a dangerous path.

As a computer security technologist and reporter, here is my perspective. First, the state education website that was identified by Renaud had major security weaknesses as it was originally constructed, because it could easily reveal Social Security numbers. The recent police report documents that these weaknesses had been in place for a decade, dating back to when the site was constructed. Renaud was actually doing the state a favor by identifying this weakness, and the agency was given time to fix this vulnerability before the Post was going to publish his story. Think of it as building a house without a proper foundation.

Second, the county prosecutor was doing the right thing by declining prosecution. There was no crime committed by anyone here, which was further corroborated by the police investigation.

Third, by continuing to refer to the vulnerability as a hack, you show that you don’t really understand the nature of either the vulnerability or what hackers or journalists do. The best way for the state to “continue to work to ensure [data] safeguards and prevent unauthorized hacks,” as your office stated, is for journalists and other third parties to uncover these vulnerabilities so that bad actors can’t take advantage of them. As the state agency recently stated, Renaud accessed “open public data” that would be available to anyone.

Your statements about “hacking” are where you do more harm to the state – both perceptually in the greater computer security community and also in terms of journalists who are trying to report on these vulnerabilities in the future. By using the power of your office to promote these sham investigations, you also make it more difficult for journalists and security researchers to do their jobs in the future when they find other computer security vulnerabilities. As others have already mentioned, numerous tech companies have “bug bounty” programs in place to encourage researchers to find exactly the kind of vulnerabilities that Renaud found, and gladly pay them too!

Renaud could have published his story prior to the state’s fixing the vulnerability. But he tried to work with the state agency to fix the problem he found. He acted responsibly and honorably. It is time to admit your mistakes in both your language and intent and thank him for protecting the data of our citizens.

CSOonline: Understanding risk-based authentication

The last time I bought a suit was several years ago, in advance of my daughter’s wedding. Back in the 80s and perhaps 90s, I would wear a suit whenever I travelled or spoke at a conference. These days, not so much on either travel or suit-wearing. I actually bought two suits (whadda deal!) and I was pretty happy with the process until it came time to pay. My credit card was immediately declined. I certainly had plenty of credit limit (I think the total purchase was about $1000) but the algorithms used by my bank kicked back the transaction because it had been ages since I last bought a suit, or bought anything at a retail store for that amount of money.

This process to question my transaction is called risk-based authentication (RBA), and it has become quite common, particularly as criminals get better at compromising our accounts and as we continue to reuse our banking passwords that get phished and posted across the dark web. The banks have gotten better at investing in this tech so as not to have many false positive flags (such as my suit purchase) based on all sorts of factors. In my case, I probably still would have been challenged because I was at a location not close to my home and in a store that I hadn’t been in before. But the RBA can incorporate all sorts of other factors, such as the hardware you are using on your phone (if that is involved in the transaction), whether your typing cadence has changed (such as someone else using your computer or using a clone of your phone number), or a pattern of multiple purchases that were made earlier that day or from “impossible travel” where multiple IP addresses that are located at great distances use the same login credentials (of course, you have to be careful someone isn’t using a VPN here).
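As an added illustration (not code from this post or from any of the vendors it names), here is a toy RBA scorer that combines three of the signals described above: an unseen device, an unseen location, and “impossible travel” between the geolocated IPs of two logins, with the VPN caveat folded in. The GeoIP table, the known-VPN list, the weights and the decision thresholds are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup (assumption).
GEO = {
    "203.0.113.10": (38.63, -90.20),  # St. Louis
    "198.51.100.7": (38.65, -90.30),  # St. Louis suburb, a few km away
    "192.0.2.44": (51.51, -0.13),     # London
    "192.0.2.99": (51.51, -0.13),     # London, a known VPN egress
}
KNOWN_VPN = {"192.0.2.99"}  # constructed; real deployments license such lists

Login = namedtuple("Login", "user ts ip device_id")

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(history, attempt, max_kmh=900.0):
    """Score one attempt against the user's earlier logins (oldest first); weights are illustrative."""
    score, reasons = 0, []
    if attempt.device_id not in {h.device_id for h in history}:
        score += 30; reasons.append("new device")
    if GEO[attempt.ip] not in {GEO[h.ip] for h in history}:
        score += 20; reasons.append("new location")
    if history:
        prev = history[-1]
        hours = (attempt.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(GEO[prev.ip], GEO[attempt.ip])
        # Impossible travel: farther apart than an airliner could cover in the elapsed time.
        if km > 1.0 and (hours <= 0 or km / hours > max_kmh):
            if attempt.ip in KNOWN_VPN or prev.ip in KNOWN_VPN:
                score += 25; reasons.append("impossible travel (VPN egress)")
            else:
                score += 50; reasons.append("impossible travel")
    return score, reasons

def decision(score):
    """Map a score to the usual RBA outcomes: let it through, challenge, or block."""
    return "allow" if score < 40 else "step-up" if score < 70 else "deny"

def demo():
    """Constructed sample: one prior St. Louis login, then three attempts an hour later."""
    prior = [Login("alice", datetime(2022, 3, 1, 9, 0), "203.0.113.10", "laptop-1")]
    t = datetime(2022, 3, 1, 10, 0)
    attempts = [
        Login("alice", t, "198.51.100.7", "laptop-1"),  # nearby, same device
        Login("alice", t, "192.0.2.44", "phone-9"),     # London, unseen device
        Login("alice", t, "192.0.2.99", "laptop-1"),    # London via known VPN egress
    ]
    return [(s, decision(s), r) for s, r in (risk_score(prior, a) for a in attempts)]
```

The VPN branch still flags the login but with a lower weight, so the London-via-VPN attempt ends up as a step-up challenge rather than an outright deny.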

Speaking of impossible travel, back when I did travel internationally I had to remember to log in to my banks and tell them where I was going. One time I forgot and my credit card dinner purchase was declined. Now most banks don’t need you to do this, thanks to better RBA.

The three credit bureaus (Experian, Equifax and TransUnion) have all bought various RBA vendors over the years (41st Parameter, Kount and Iovation, respectively). Both LexisNexis and Mastercard have their RBA tech too (ThreatMetrix and NuData Security). What is interesting about this group is that they handle millions of financial transactions each day, or each hour, so they can spot fraud trends more quickly. RBA has quickly grown from some wonky security tech into the more mainstream precisely for this reason.

This week I wrote a story for CSOonline where I take a closer look at 12 different RBA vendors’ offerings. I have studied these products for years, and am glad to see continued progress in their features and usability. One example is the latest offering from Ping Identity, called PingOne DaVinci. This is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

Avast blog: Avoid fake Windows 11 offers with these tips

If you’ve recently received an email recommending that you upgrade to Windows 12, you probably had enough spidey-sense to delete it. You should realize this is a fake or a come-on for some piece of malware that was about to infect your computer. But what about if you got a message asking you to upgrade to Windows 11? Security researchers have tracked a malicious campaign that made use of a legitimate-sounding “windows-upgraded” domain (don’t worry, it has been neutralized since) which was used to spread RedLine Stealer malware by running a fake installer.

In my blog post for Avast, I describe the scam and ways you can check to make sure you are downloading the legit Win11 upgrade package.

Time for some privilege management

Working in infosec, we use the term “privilege access management” to refer to security tools that determine which users have what kinds of rights to access particular applications, devices and networks. But when I read this recent Protocol story (that is the name of the online pub, btw) about a tech writer who turned down a potential job with a software firm because they were using Teams (that is the name of the Microsoft software, btw), I had to stop and think about this.

This is what the Great Resignation has come to? Granted, I am not a big fan of Teams but heck, that would not be a dealbreaker when I would consider joining a company. At least they aren’t using AOL IM, which was the messaging standard — even for corporations — back in 2006 when I wrote this story for the NY Times.

But still. I guess in these days where it is a job seeker’s market, you don’t have to check your privilege at the Teams web portal, to inelegantly coin a new phrase.

Back in the olden times — say the early 90s — people who wanted to use Macs had trouble getting them purchased for their corporate desktop or laptop of choice. Thankfully we have all moved on from that era. So I guess it was only a matter of time before someone, as misguided as the dude in the Protocol story, would vote with his feet or keyboard or whatever and seek employment elsewhere. “The vibes are off.” What, is he also a music critic?

Now, being a member of the tech writing community I am embarrassed about this. And unlike the Mac/Windows dichotomy of yore, we are talking about the software this potential privileged person will use to connect to his peers. And a collaborative piece of software: this is something that everyone has to use to derive value.

Remember how tech companies used to lure candidates by having free food prepared by on-site chefs, well tricked-out workout rooms, and snack closets that could compete with Trader Joe’s? Now I guess this means that companies will have to offer Slack safe spaces (or whatever piece of software offends the next potential new hire). It is a sad day indeed for all of us.

Avast blog: How the IRS can do better with its digital identity program

The US tax collection agency, the Internal Revenue Service (IRS), has changed course with its short-lived identity verification system that was only recently implemented. Last November, the vendor ID.me was awarded an $86 million contract to provide the exclusive authentication for all online IRS accounts. Until then, the IRS had its own account authentication service that was based on credit reporting data. The older system was to be phased out this summer.

This week, things came to a head and the IRS decided to ditch its ID.me solution. I describe the chain of events, why ID.me was such a lightning rod, and some ways that the IRS can gain traction and show leadership in the decentralized identity space in my latest blog for Avast here.

Infoworld: How Roblox fixed a three-day worldwide infrastructure outage

Last October the gaming company Roblox’s online network went down, an outage that lasted three days. The site is used by 50M gamers daily. Figuring out and fixing the root causes of this disruption would take a massive effort by engineers at both Roblox and their main tech supplier, HashiCorp. The company eventually posted an amazing analysis on a blog post at the end of January. Roblox got bitten by a strange coincidence of several events. The processes they went through to diagnose and ultimately fix things are instructive to readers who are doing similar projects, especially if you are running any large-scale IaC installations or are a heavy user of containers and microservices across your infrastructure.

There are a few things to be learned from the Roblox outage that I discuss in my latest story for Infoworld.

Avast blog: How to protect your network from a future attack

A new report on how to protect your networks from attack can be a helpful document that covers a lot of different bases within the cybersecurity landscape. The report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, was written by several cybersecurity analysts “based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents,” in the words of the authors.

It contains hundreds of tips for protecting Windows deployments, including command-line strings, adjustments to various group policy parameters, and other very practical indicators that could point to potentially compromised systems.

I summarize a few of the more important ones in my blog post for Avast.

The evolution of internet faxing

Almost 30 years ago, two computer geeks – Marshall Rose and Carl Malamud — put together the first wide-scale attempt at sending faxes over the internet. In the beginning, it was fairly modest, with service reaching a few select cities in the USA and Canberra, Australia. The two geeks were fans of the campy 1960s movie “The President’s Analyst,” which was why they named their venture TPC.INT. If you haven’t ever seen a .INT domain name, here is a list of them according to Wikipedia; they are websites for various international organizations. In true Rose/Malamud fashion, they wrote a series of internet RFCs (here is one) to document how the thing worked. (Here is a short history of the TPC.INT domain and here is a collection of the first set of faxes they received at their launch.) It relied on a series of volunteers who would have internet-connected computers that would connect to a standard phone line and make local fax calls (this was before long distance VOIP lines were common, let alone cell phones) to an actual fax machine. The duo called TPC “an experiment in remote printing” because that was the concept: sending a document to a fax-based “printer” that was located at some other place in the world.

While TPC was getting together, PC component vendors were building fax modems into their overall modem electronics. For those of you who think a modem is what connects you to the internet through your cable or DSL provider, back in the dial-up days we had modems that plugged into ordinary analog phone lines. One of the first successes was an add-in board from Intel called SatisFAXtion. This allowed you to fax directly from your DOS applications. Here is a box shot of the adapter.

Anyway, those early experiments brought about an entire service industry that is now dominated by the likes of eFax and jFax. While TPC was just for sending faxes via email (and later via a web browser), these services have expanded to also receiving them (via a fax-to-email interface) and using a variety of modalities, including your mobile phone, cloud storage and dedicated clients.

Along the way, I wrote a few articles for businesses that wanted to use these services, such as “Faxing on the Go” in 1999 for Computerworld and another column for PC World about their basics in 2009. For years I maintained a table comparing services on my website, but given that there are so many places to find more in-depth reviews of these services (including PC Magazine, Tom’s Hardware, and NYTimes’ Wirecutter, just to name three), I gave up trying to keep the table current. If you are looking for an internet fax provider take a look at the Tom’s review. If you scroll down, they will help you frame your decision (do you need multiple inbound fax numbers, custom cover pages, searchable archives, and so forth). The two services that I currently use are eFax (I got on board their free service and still have a working inbound fax number) and FaxZero (which is great for the once-in-a-blue-moon frequency that I need to send faxes). The three review sites have their favorites based on various criteria.

Why was I thinking about internet fax? Last week I was opening a new IRA account. I began with a simple online application, then I needed to send in some documents to the bank. My delivery choices were as follows:

  • A secure file upload web portal
  • Sending regular postal mail with my check (not a good idea, given the state of the USPS these days)
  • Sending an overnight letter (to a different address than above, of course)
  • Or sending a fax.

If I used the portal or fax, I would need to talk to a bank representative to provide my existing bank account that they could use to collect the funds. I chose the portal. The experience was far from seamless, which goes a long way toward explaining why fax continues to this day. It seems when I have to deal with a bank, an insurance company, or a doctor’s office, all of them still use faxes.

Certainly, we have come a long way since those early days when fax machines used special paper that would fade in strong sunlight. And while there are a number of ways to securely send files (as I wrote about recently for The Verge here), sending a fax is still a lot easier.

Avast blog: School cybercrime attacks are on the rise

You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.

You can read my analysis of the trend and what the UK is doing to stem the tide here in a blog for Avast.