Avast blog: Countering disinformation requires a more coordinated approach

The US Cyberspace Solarium Commission’s latest report, entitled Countering Disinformation in the US, is the latest analysis to come from this two-year-old bipartisan Congressional think tank. The report, which was released earlier this month, takes a closer look at the way disinformation is spread across digital networks and proposes a series of policy actions to slow its spread using a layered defense.

Whether or not the US Congress will take up these recommendations is hard to say. Certainly, the current hyper-partisan split won’t make it easier. You can see the move away from bipartisan bill sponsorship as documented by the report in the graph above. You can read more in my post for Avast here.

Infoworld: What app developers need to do now to fight Log4j exploits

Earlier this month, security researchers uncovered a series of major vulnerabilities in the Log4j Java software that is used in tens of thousands of web applications. The code is widely used across consumer and enterprise systems, in everything from Minecraft, Steam, and iCloud to Fortinet and Red Hat systems. One analyst estimates that millions of endpoints could be at risk.

There are at least four major Log4j vulnerabilities being exploited. What is clear is that as an application developer, you have a lot of work to do to find, fix, and prevent Log4j issues in the near term, and a few things to worry about in the longer term.

You can read my analysis and suggested strategies in Infoworld here.

Tech and Main podcast: Let’s talk about passwordless

I am back on Shaun St. Hill’s Tech and Main podcast, this time talking about the benefits and frustrations of using passwordless technologies. There are some signs of hope, particularly with new tools that don’t require you to type in one-time codes but can recognize your smartphone’s intrinsic hardware to help authenticate you. Of course, this means you need a smartphone for every employee.

Biznology: An update on women in tech

Eight years ago, I attended a conference (remember doing that in person?) and had a chance to hear from some pretty amazing speakers, many of them women. The conference, Strangeloop, was notable for the number of women on its program, in a field that so often diminishes the contributions of women and POC. I happened upon the piece that I wrote and asked the women I interviewed if they had more recent experiences that they would like to share with my readers. Sadly, while there has been some progress, it isn’t much.

You can read the story in Biznology here.

Retaining my back catalog

Taylor Swift and I have something in common: we both are having trouble retaining our back catalogs. In her case, she is busily re-recording her first six albums since the originals are now under the control of a venture-backed investment group. In essence, she is trying to devalue her earlier work and release new versions that improve upon the recordings. In my case, I am just trying to keep my original blog posts and other content available to my readers, despite the continued effort by my blog editors to remove this content. Granted, many of these posts are from several years ago, back when we lived in simpler times. And certainly a lot of what I wrote about then has been eclipsed by recent events or newer software versions, but still: a lot hasn’t. Maybe I need to add more cowbell, or sharpen up the snare drums. If only.

I realize that many of my clients want to clean up their web properties and put some shiny new content in place. But why not keep the older stuff around, at least in some dusty archive that can still receive some SEO goodness and bring some eyeballs into the site? Certainly, it can’t be the cost of storage that is getting in the way. Maybe some of you have even done content audits, to determine which pieces of content are actually delivering those eyeballs. Good for you.

Although that link recommends removing non-relevant content, which I don’t agree with. I think you should preserve the historical record, so that future generations can come back and get a feel for what the pioneers who were making their mark on the internet once said and felt and had to deal with.

Some newspaper sites take this to the extreme. In July 2015, the venerable Boston Globe newspaper sent out a tweet with a typo, shown here. Typos happen, but this one was pretty odd. How one goes from “investigate” to “investifart” is perhaps a mystery we will never solve, but the Globe was a good sport about it, later tweeting, “As policy we do not delete typographical errors on Twitter, but do correct #investifarted…” Of course, #investifarted was trending before long. The lesson learned here: As long as you haven’t offended anyone, it’s ok to have a sense of humor about mistakes.

Both Tay and I are concerned about our content’s legacy, and having control over who is going to consume it. Granted, my audience skews a bit older than Tay’s – although I do follow “her” on Twitter and take her infosec advice. At least, I follow someone with her name.

I have lost count of the number of websites that have come and gone during the decades that I have been writing about technology. It certainly is in the dozens. I am not bragging. I wish these sites were still available on something other than archive.org (which is a fine effort, but not very useful at tracking down a specific post).

I applaud Tay’s efforts at re-recording her earlier work. And I will take some time to post my unedited versions of my favorite pieces when I have the time, typos and investifarts and all.

In any event, I hope all you stay healthy and safe this holiday season.

An update on deepfake video threats

What has happened in the world of deepfake videos? Since I wrote about the creation and weaponization of them back in October 2020 for Avast’s blog, there have been a number of virtual conferences, and new algorithms have been developed to create these odd pieces of media. Surprisingly, opinion is sharply bimodal: either the sky is falling and we are all about to be subjects of revenge porn and various misinformation campaigns, or things haven’t (yet) gotten out of hand and the tech is still in its early stages. I will let you be the judge, but will give you a few places where you can start your own research.

One blog post that I read on the ethics of “synthetic media” (that is what the people who write the deepfake algorithms call their work product to make it sound more legitimate) compared the deepfake world with the introduction of the Kodak camera back 130 years ago. Back then, folks were worried about image manipulation by newbie photographers, and whether we could use photos to show anything other than the literal, “real” state of the world. The Chicken Little scenarios didn’t materialize, and now we all walk around with digital cameras that carry multiple lenses and built-in effect filters that previously were only found on the higher-end pro gear.

Still, there is no doubt that the tech will get better: check out this timeline from one of the deepfake scanning vendors that claims “the technology was developed so fast that now bad actors can create realistic synthetic videos easily.” That perspective was reinforced with this report earlier this summer from Threatpost, which warned that a “drastic uptick in deepfake tech is happening.” There are plenty of deepfake algorithms out there, as Shelly Palmer recently cataloged.

Hold on. Yes, the tech has been developing quickly, thanks to some amazing AI that can deploy huge computing power. But the fakes aren’t really at the point to start wars or create bank panics. Instead, we have seen numerous cyberattacks that make use of synthetic voice recordings (think your boss leaving you a voicemail saying to make a particular payment to a hacker), according to presenters at a June conference.

And many predicted deepfake disasters haven’t really materialized. A celebrated case of a deepfake cyberbullying mom who sent videos to the cheer squad and coach of her daughter’s team turned out to be based on more mundane image manipulation. This could be a wake-up call for better cyberbullying laws, and for better ways to prove these cases too.

I stand with the skeptics (are you really surprised?) and suggest you proceed with caution. No doubt as the tech improves the threats will quickly follow, and perhaps we’ll see that happening in 2022. Don’t yet hit the panic button, but instead prepare yourself for potential attacks that could compromise facial and voice ID security measures.

The Verge: How to recover when your Facebook account is hacked

Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.

In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.

And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.

CNN Underscored: Review of the best USB-C charging blocks

With USB-C finally more-or-less standard across phones, tablets and laptops, and fewer and fewer manufacturers including chargers in the box with their products, a myriad of charging blocks have become available that promise to get your batteries topped up as quickly as possible.

To find the best USB-C charger for your devices, we tested 15 devices from respected manufacturers to find the best for your needs, whether you need to charge a phone, a laptop, or a bagful of accessories. My top pick was the PowerPort Atom III Slim — it has a single USB-C port, and is rated at 45W (there are older versions still on the market that are rated at 30W, so make sure you are getting the higher-capacity unit). We liked the smaller-footprint slim design, which combines a slimmer unit (5/8” thick) with a folding power prong. These make fitting it behind furniture (or carrying it in your travel bag) easier.

You can read my review of these chargers here for CNN’s Underscored site.

Avast blog: Fighting stalkerware

Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic violence abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.

The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.

CSOonline: 9 cloud and on-premises email security suites compared

Email remains the soft underbelly of enterprise security because it is the most tempting target for hackers. They just need one victim to succumb to a phishing lure to enter your network. Phishing (in all its forms) is just one of many attacks that can leverage a poorly protected email infrastructure; others include account takeovers (due to reused passwords), business email compromises, payment fraud, specialized mobile malware, and spam messages that contain hidden malware or poisoned web links. That places a heavy burden on any email security solution.

I have been testing and writing about these products for decades and in this roundup I touch on some of the latest integrations and innovations with nine security suites:

  • Abnormal Security’s Integrated Cloud Email Security
  • Area 1’s Horizon
  • Barracuda Email Protection
  • Cisco Secure Email
  • FireEye Email Security
  • Voltage SecureMail
  • Mimecast Email Security
  • Trustifi
  • Zix Secure Cloud Email Security Suite

As seems to be the usual operating procedure, figuring out the pricing for the numerous configurations can be vexing, with one vendor (FireEye) not providing pricing, and several other vendors declining to participate entirely.

You can read my full roundup for CSOonline here.