Avast blog: Fighting stalkerware

Two years ago, the Coalition Against Stalkerware was founded by ten organizations. Today, Avast is one of more than 40 members, which include technology vendors, NGOs, academia, and police organizations from various countries. The goal of the coalition is to put a stop to domestic violence abuse and cyberstalking. In honor of the coalition’s recent second anniversary, I take a look at the international alliance’s ongoing work and achievements to date in this post for Avast’s blog.

The Coalition has lots of useful resources, including a condensed fact sheet for stalkerware survivors. There are guidelines on how to decide if your devices have been compromised or if there are other ways an abusive partner is stalking your digital life. The fact sheet also contains important information on how to remove such software as well as links to organizations that provide additional support.

CSOonline: 9 cloud and on-premises email security suites compared

Email remains the soft underbelly of enterprise security because it is the most tempting target for hackers. They need just one victim to succumb to a phishing lure to enter your network. Phishing (in all its forms) is only one of many attacks that can leverage a poorly protected email infrastructure; others include account takeovers (due to reused passwords), business email compromise, payment fraud, specialized mobile malware, and spam messages that carry hidden malware or poisoned web links. That places a heavy burden on any email security solution.

I have been testing and writing about these products for decades and in this roundup I touch on some of the latest integrations and innovations with nine security suites:

  • Abnormal Security’s Integrated Cloud Email Security
  • Area 1’s Horizon
  • Barracuda Email Protection
  • Cisco Secure Email
  • FireEye Email Security
  • Voltage SecureMail
  • Mimecast Email Security
  • Trustifi
  • Zix Secure Cloud Email Security Suite

As seems to be the usual operating procedure, figuring out the pricing for the numerous configurations can be vexing: one vendor (FireEye) did not provide pricing, and several other vendors declined to participate entirely.

You can read my full roundup for CSOonline here.

What doesn’t get backed up makes you stronger, part deux

I have a couple of confessions to make here. First, my birthday is not January 1. (No, I am not going to tell you when it really is.) Second, I have been doing a lousy job of backing up my contacts all these years. Welcome to the second part of what is turning out to be a series of posts on what can make your backups stronger. I wrote the first part earlier this year about learning how to back up my Google Authenticator codes when I bought a new phone. Today’s post actually has two challenges. Let’s take the contacts-related one first.

For what seems like forever, since the last century at least, I have been using Google’s Workspace (as it is now called) for my main email communications, and also using its Contacts app to store my contacts. Over time I have collected more than 9,000 records in the app. I am sure many of these records are outdated, and every so often I make a half-hearted effort to update people I come across on LinkedIn who have changed jobs.

Every month or so, I export this contact list into a “Google CSV” file that I dutifully save on my local hard drive. Until today, I had never tried to examine this file to see how it is formatted or even whether it contains any useful data. That is the cardinal sin of better backups: don’t just assume that because you have made a copy of your data, the copy is usable.

The reason for doing this is that I came across a Gmail account that I set up long ago that could be used to recover my main email if something should go wrong with my main identity. I don’t use this account for anything, and indeed it had no contact records to prove it. So I thought this might be a good time to see if I could import my backup contact records. I found out that Gmail is limited to importing only 3,000 contacts per import. This meant splitting the CSV file into at least four parts. Fortunately, there is an online tool that you can use to do this, and if you don’t have too many requirements, it can be done for free. I had to guess how to split the file up, and luckily I guessed fairly accurately, because I only lost 16 records. It took some trial and error, and liberal use of Gmail’s “undo” feature, before I figured this all out.

Now the hard part is going to be remembering to do this again — sadly, the only way to update my backup contacts is to clear out all of them and start this process all over again. (You can export selected contacts, but I have no way to sort them since a certain date, for example, to do an incremental backup).
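One way to do the “is the backup actually usable?” check and the 3,000-per-import split yourself, as an added Python example that is not from the original post. It uses a constructed, trimmed Google-style CSV (real exports have many more columns) and parses it with Python’s csv module, so a Notes field containing a line break is not cut in two, which is one way records go missing when a file is chopped by line count.

```python
import csv
import io

# Added example, not from the original post. Checks that a Google Contacts
# CSV export is usable and splits it into parts Gmail can import.
GMAIL_IMPORT_LIMIT = 3000  # contacts accepted per Gmail import, per the post

# Constructed sample: a trimmed Google-style export. The second record has a
# multi-line Notes field, which a naive line-based splitter would break.
SAMPLE_EXPORT = (
    "Name,Given Name,Family Name,E-mail 1 - Value,Notes\n"
    "Ann Lee,Ann,Lee,ann@example.com,\n"
    'Bob Ray,Bob,Ray,bob@example.com,"Met at conf\nfollow up in Q3"\n'
    "Cy Dee,Cy,Dee,cy@example.com,\n"
    "Di Fox,Di,Fox,di@example.com,\n"
    "Ed Gee,Ed,Gee,ed@example.com,\n"
)


def load_contacts(export_text):
    """Parse with the csv module (quoted newlines handled) and return
    (header, rows); raise if the file is not a usable backup."""
    reader = csv.reader(io.StringIO(export_text))
    header = next(reader, None)
    if header is None or "Name" not in header:
        raise ValueError("empty file or no 'Name' column: not a usable export")
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    for number, row in enumerate(rows, start=2):
        if len(row) != len(header):
            raise ValueError(f"record {number}: {len(row)} fields, "
                             f"expected {len(header)}")
    if not rows:
        raise ValueError("header only, zero contacts: backup is not usable")
    return header, rows


def split_contacts(header, rows, limit=GMAIL_IMPORT_LIMIT):
    """Return CSV strings, each with the header and at most `limit`
    records, so every part fits in one Gmail import."""
    parts = []
    for start in range(0, len(rows), limit):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(header)
        writer.writerows(rows[start:start + limit])
        parts.append(buf.getvalue())
    return parts


def verify_roundtrip(export_text, limit=GMAIL_IMPORT_LIMIT):
    """Split, re-parse every part and confirm nothing was lost.
    Returns (total_records, number_of_parts)."""
    header, rows = load_contacts(export_text)
    parts = split_contacts(header, rows, limit)
    reparsed = []
    for part in parts:
        part_header, part_rows = load_contacts(part)
        if part_header != header:
            raise ValueError("header changed in a split part")
        reparsed.extend(part_rows)
    if reparsed != rows:
        raise ValueError("records changed or went missing during the split")
    return len(rows), len(parts)


if __name__ == "__main__":
    # With a real export: load_contacts(open(path, newline="").read())
    total, count = verify_roundtrip(SAMPLE_EXPORT, limit=2)
    print(f"{total} contacts -> {count} import files of at most 2 records")
```

Running `verify_roundtrip` on a real export before deleting anything from the recovery account tells you the record count you should expect to see after all the parts are imported.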

Okay, let’s move on to my fake birthday. I did this deliberately as a security measure, to prevent the many people who look me up on The YouTwitFace from getting one piece of data that could be used to compromise my identity. Now, since I did this some of the social media services have placed restrictions on who can see my birthday (as the screen shot here shows The Face’s settings). But I haven’t bothered messing with this until this past week, when I got an assignment to write for The Verge about what happens when your account is hacked. One of the problems is that The Face makes it very hard for you, as the rightful account owner, to prove that you are indeed that person and not some poseur hacker. One of the ways that you are asked to verify yourself is to upload a photo of your ID, showing your actual face and actual birthday. Given that it isn’t 1/1, I will have an issue if at some point I do get hacked and try to present this ID.

Now, I have a choice: I can give Zuck my real birthday and trust that he will not spread it across his universe in the process of selling ads to further target me, or not give out this information and trust that the methods that I have used to protect my account (multiple authentication factors) are sufficient to stop most hacking attempts. I guess I am sticking with 1/1 for now, unless I want to get some fake driver’s license with 1/1 as my birthday that I can use to get into bars and get my account reset.

One other point of discovery as I was rooting around in my account details: I somehow gave The Face access to spend money using my PayPal account. Oopsie. I got rid of that connection quickly. There are two different places where you specify this: one called Ads Payments (where they can run ad campaigns and charge you accordingly) and one called Facebook Pay (where you can give money directly to people or causes). You should ensure that the “payment methods” fields are blank in both of them if you don’t want any of your bank account details stored.

So I feel somewhat safer after doing all this, but still not happy that I have to take deeper and deeper dives into protecting my data. I will send you all a note when my piece in The Verge is posted, so you can learn about other ways to better prepare yourself against potential hackers. Spoiler alert: it is not an easy fix.

Avast blog: The report from the third CyberSec&AI conference

Last week, the third annual CyberSec&AI Connected was held virtually. There were many sessions that combined academic and industry researchers along with leaders from Avast to explore the intersection of security and privacy and how AI and machine learning (ML) fit into both arenas. The conference strives to deepen the ties between academia and industry and this report for Avast’s blog dives into new and exciting work being done in various fields.

One of the speakers was Dawn Song, a computer science professor at the University of California at Berkeley. She outlined a four-part framework for responsible data use by AI that includes:

  • Secure computing platforms, such as the Keystone open source secure processor hardware,
  • Federated learning, whereby one’s data stays under their control,
  • Differential privacy, using tools such as the Duet programming language and public data sets such as the Enron email collection, and
  • Distributed ledgers that can have immutable logs to help guarantee security.

Fighting ransomware will require numerous efforts

Ransomware attacks are becoming more numerous and dangerous. According to a recent conference of European law enforcement agencies, ransomware activities generated $350 million in 2020, a 311% increase from 2019. The site tracks payments and shows more than $45 million in payouts for the first half of 2021, based on public records of the various ransom blockchain transactions and victim reports.

A Twitter thread by security researcher Ming Zhao shows the depth of the ransomware marketplace and the variety of actors. The thread reveals the flow of funds from victims to criminals, how their attacks have grown, and how the price of cryptocurrency has influenced their actions.

As remote work continues and expands, better ways to secure workers’ connections to and from the organization’s data, both in the cloud and on-premises, are necessary. The risks are further compounded by the all-too-human inclination of remote workers to give priority to completing tasks over security best practices. It is possible for an employee, for example, to use the same password for online shopping and for access to critical corporate data from a home office connection. Among more tech-savvy users who should know better, a software deployment might contain vulnerable code because the developer team opted to meet a deadline while forgoing proper security checks before putting the application into production.

For these remote data-access risks, VPNs don’t cut it anymore. They are based on the incorrect assumption that both sides of the VPN tunnel are secure. Since the pandemic began, more corporate workflows traverse the general Internet where they can be more easily compromised. Anyone in an organization can become a target because attackers are looking for weak points in IT infrastructure.

Added to these trends, Ransomware as a Service organizations have become popular. They make ransomware easier to deploy and more lucrative to operate. And it isn’t just business networks that attract attackers, either. Internet-of-Things (IoT) devices (such as Nest thermostats and connected TVs) and industrial-control systems are targets, too.

Attackers have gone a step further by compromising supply chains. This is what happened to software from SolarWinds and, more recently, with Kaseya VSA. Ransomware attackers now combine the initial encryption attack with follow-up threats to post stolen data from their targets. Security-services provider Emsisoft reported in a survey that 11% of ransomware attacks involved data theft during the first half of 2020, a number that continues to rise in 2021.

The feds are trying to stem this tide, what with a variety of executive orders, a two-day international conclave held last month, and the latest attempt to arrest one of the Russian hackers involved in the Kaseya attack. Oddly, REvil, one of the most pernicious of these hacking groups, took down its infrastructure in July. We say odd because no one knows the cause or the details behind the takedown. Whether or not these efforts bear fruit, taken together, they show that fighting ransomware will require many different initiatives and methods at various regulatory levels. This, combined with a variety of protective technologies and tools, will require careful attention to all details across the entire organization and the entire network — as so many attacks have shown, hackers only need to find one weak link to compromise.

Figuring out the Facebook Papers: Who’s Carol Smith?

A consortium of A-list reporters from 17 major American and European news outlets has begun publishing what they have learned from the documents unearthed by whistleblower Frances Haugen. The trove is a redacted copy of what was given to various legislative and watchdog US and UK agencies. The story collection is being cataloged over at Protocol here. I haven’t read everything – yet – but here are some salient things that I have learned. Most of this isn’t surprising, given the venality that Zuck & co. have shown over the years.

  1. Facebook indeed favors profits over human safety and continues to do so. This piece for the AP documents how foreign “maids” are recruited on Instagram to come work in Saudi Arabia, and then traded using various Facebook posts once they are in the country. The article notes that current searches for the Arabic word for maids turn up numerous hits with pictures, ages, and prices of candidates. For all its bluster about billions of dollars spent on tracking down these abuses of its terms of service, this shouldn’t be so easy to find if Facebook were really doing a credible job of stamping it out.
  2. Facebook has played a key role in radicalizing its users. NBC News writes about how internal research identified thousands of QAnon groups covering 2.2M members and nearly a thousand anti-vax groups with 1.7M members. The research attributes this population to what it calls “gateway groups” that recruit more than half of them. Again, the fact that the company’s own researchers could track this – and yet do little to stop the growth of these efforts – is troubling.
  3. The same NBC piece talks about a research project using a strawman “Carol Smith” user. Within days of her creation as a conservative-leaning user by Facebook staffers, she was receiving all sorts of pernicious content, including invites to join various QAnon groups and others that clearly violated Facebook’s own disinformation rules. Did they act on this research to prevent this? Not that I could see.
  4. The “Stop the Steal” movement that led to the January 6 Capitol riot was organized through many of Facebook’s properties, pages and groups. CNN reports that one internal memo stated that the company wasn’t able to recognize the people contributing to these efforts in time to stop them, although subsequent algorithmic changes have been put in place to do so. Some content moderation efforts that were put in place prior to the November 2020 election were quickly reversed afterwards and could have helped mute some of the organizers of the January 6 riot.
  5. We might think that Facebook has done a sub-par job vetting American content. But it is far worse elsewhere in the world, as this piece in The Atlantic shows. The data shows 13 percent of Facebook’s misinformation-moderation staff hours were devoted to the non-U.S. countries in which it operates, whose populations comprise more than 90 percent of Facebook’s active users. The moderators hired by Facebook aren’t familiar with the local customs, don’t speak the languages, don’t understand the fragility of their governments or the stability of their internet connections – all things that mean more proportional resources will be needed to do a credible job.

So how can we fix this? I don’t think government regulation is the answer. Instead, it is time for new leadership and better designed algorithms that don’t amplify violence and misinformation. Kara Swisher writes in her current NYT column that “Facebook has been tone-deaf and uncaring about the harm that its own research showed its products were doing, despite ensuing pleas from concerned employees.” She also is lobbying for Zuck’s replacement with a leader who can finally listen to — and act on — these issues.

Another path can be found in the parallel universe being set up by former Facebook data scientists and frustrated middle managers, called the Integrity Institute. Whether this will work is an open question, but it could be a useful start.

FIR podcast episode #151: How Akamai rebuilt its website and drove customer engagement

Few of us get to have as much influence over so public a website as Annalisa Church, VP Digital Technology, Insights & Operations for Akamai. She has built a career on converging marketing and technology to drive better experiences for customers and build long-term value for enterprises. She is devoted to transforming marketing into a data-driven organization through actionable insights and ensuring the voice of the customer is heard. Prior to Akamai, she worked for eight years in Dell’s marketing department.

Annalisa recently led a massive overhaul of the Akamai website, which is available in nine different languages, with more than 1,200 pages in English covering 18 different products. The site has tremendous customer engagement, with one million monthly visitors, and almost two-thirds of them become customers after visiting the site.

The diagram below shows some of the changes that Church implemented during her redesign to make it more effective and more relevant to visitors. These efforts have paid off in terms of more engagement, more conversions from visitors to customers, and wider impact.


Listen to our podcast here:

Avast blog: Improving the intersection between privacy and security

At this year’s Avast Data Summit, an internal event primarily intended for Avastians, a combination of Avast leaders and industry thought leaders gave seminars at the intersection of privacy, data, and security.

Many of the topics presented at the event can help you classify, work with, and better secure your data. Following these suggestions can better protect your customers’ privacy and improve your own corporate security profile.

Companies exist in a changing data landscape. There is an evolving collection of data sources and products that are used to produce reports, set management objectives, and guide a variety of corporate initiatives such as improving customer experience and product features. The evolution of data means having a group of data curators who determine how trust relationships are established, what data gets deleted and what is retained. This landscape was illustrated with the below diagram. I cover three main themes from the event: the importance of returning to security basics, understanding the nature of differential privacy, and how to use better tools to measure and improve your privacy and data governance.

You can read my report from the Summit on Avast’s blog here.

How one startup team has created five successful exits

It is an origin story that has been told numerous times: a group of computer nerds meets in college and goes on to build a software startup, eventually selling their company. But this is a story with a twist: four of the team members met more than 20 years ago when they were undergrad engineers at Carnegie Mellon University. Together with a fifth team member they would go on to have five different and successful exits at various tech startups.

The team includes Peter Pezaris (CEO and developer), David Hersh (product manager), James Price (devops), Michael Gersh (marketing/analytics) and latecomer Claudio Pinkus (who joined the others 13 years ago).

Their projects included:

  • Codestream, a devops collaboration platform which was founded in 2017. Earlier this summer, New Relic announced it was acquiring the company.
  • Glip.com, a team collaboration platform acquired by RingCentral in 2015.
  • Multiply.com, a social commerce platform acquired by Naspers in 2010.
  • Commissioner.com, one of the first online fantasy sports platforms, which was acquired by CBS/Sportsline, and
  • Ask.com, acquired by IAC in 2005.

What is intriguing about the group is how well they worked together in these various companies. The group eventually settled into specific roles – Pezaris has been the CEO and chief coder in the last three ventures – and they have worked from different locations since well before the pandemic made remote work the norm for many of us.

Because the team has been geographically remote, they have tended to focus on building better collaboration tools over the years as they built their various enterprises. This is most obvious with their latest venture, Codestream, a free open-source tool that allows developers to collaborate on writing code. It works with the JetBrains, VS Code and Visual Studio integrated development environments (IDEs), supports pull requests from GitHub, GitLab and BitBucket, and integrates with other code management and messaging tools such as Jira, Slack and Asana.

That is a lot of integration, but the goal was to provide a richer request interface and annotation mechanism to make code reviews more meaningful, and to check out and run builds more quickly. Prior to Codestream, software engineering teams couldn’t easily talk to each other, particularly if they were using different IDEs or code editors and particularly if they wanted to comment on each other’s code in near real time. The idea for the company was born out of doing cumbersome things, such as taking screenshots of one’s code and then sending them as attachments in Slack. “This was a natural progression for us to applying messaging to our own daily use case,” said Pezaris. “We wanted to connect coding teams that don’t use the same IDE, especially if they are a larger team. There is always some odd person who is using a different editor.”

One of the notable differences with the team is how they used the Silicon Valley Y Combinator pitch competition to focus their business strategy. “The application process forces you to address how to turn your project into a real business, and by answering the questions it will get you to think more carefully about your market and customer acquisition,” said Pezaris. The team was frustrated because two of their past companies (Multiply and Glip) were precursors of Facebook and Slack respectively, both of which had done better jobs of integrating with Silicon Valley culture and of course had much better market positioning.

This shows that while a great idea can form a solid foundation for a startup, you need more than just the idea and some snappy app. You must put together how to create a business too. The Y Combinator competition brought the Codestream team to this next level.

Initially, they applied to the competition on a whim and almost didn’t finish their application in time. Pezaris told me that he was working on the final piece of their application, a one-minute video clip explaining their company. He was working on it in an airport hours before the deadline, and literally uploading the file as he was walking down the jetbridge to board his flight. They were accepted into the winter 2018 class. “While there is a very low chance you will be accepted, it is a golden ticket,” he said.

Another notable aspect of Codestream was how the company was founded on creating an open source offering. There are numerous success stories of other open source efforts that have been acquired by Red Hat, Oracle, and Microsoft, showing that this can sometimes be a pathway towards success.

Finally, the team never anticipated their eventual suitors going into each project. Multiply, for example, was bought by a South African media company that was interested in expanding to customers in emerging markets. “Each acquisition has been very different, and we have tried to stay on after the deal has closed. Some of the acquisitions brought up red flags that turned out to be nothing burgers, but the important point is that we all went through them together,” Pezaris said.