Network World: New ways enterprises can use VPNs

The pandemic has accelerated the development of better ways to serve and secure remote workers, which makes it a good time to re-examine VPNs. Recently VPNs have received technical boosts with the addition of protocol options that improve functionality far beyond where they were when first invented. At the same time, new security architectures such as zero trust network access (ZTNA), secure access service edge (SASE), and security service edge (SSE) are making inroads into what had been the domain of remote-access VPNs.

In my latest post for Network World, I talk about ways that VPNs can complement ZTNA.

Printer inks and tractors, and the right to repair

You might recall several years ago when it came time to replace an “empty” Lexmark printer cartridge, you had to purchase a new “authentic” one as a replacement. HP had a similar program. Lexmark was sued (and lost in the Supreme Court) by a third-party ink maker who was blocked by the locking software. (The reason for the quotes is that these cartridges are seldom anywhere near empty, wasting a lot of ink. But let’s stay focused.)

What does this have in common with tractors? John Deere has special locking software that prevents farmers from doing their own repairs. This came to light recently when Russian troops stole about US$5M worth of them from Ukraine and brought them to Chechnya. The Ukrainians were able to “brick” the tractors by engaging the software. This is not a coincidence: their software engineers have been hacking Deere tractors for years.

Now, while you may cheer on the Ukrainians, this exposes a dark side of tech: the fight over the right to repair. For the past decade, tech companies have come under fire for preventing “unauthorized” repair work on their equipment. Apple is one of the most egregious: you can’t just have anyone fix your gear. But as supply chains stretch and break during the pandemic, we need more flexibility, not less. And typically using the authorized repair folks is nothing more than having an added surcharge on your repair bill. (And if you are a farmer, waiting for the Deere repair dude to drive out to your farm.)

One small victory in this arena has been the unlocking of cellphones. Remember when you had to get permission from your phone vendor if you wanted to port your phone and your number to another carrier? You still need to go through a somewhat dense process, but at least the carriers have to sell you a new unlocked phone. Various states now have laws on their books to mandate rights to repair, but it still is far from universal.

Avast blog: How license plate scanners challenge our data privacy

As more communities install automated license plate readers (APLRs) to monitor vehicle traffic, there are growing concerns about the privacy and efficacy of these tools. Stories have appeared in local newspapers, such as those in St. Louis, Louisville and Akron, that document the rapid rise of Flock license plate camera data and how it can be a central source of vehicle movements.

These stories highlight some of the privacy implications of APLRs and also recall some of the same issues with the growth of other massive private data collections. In my latest blog for Avast, I describe what’s going on with these APLR systems, some of the issues raised by privacy advocates, and how they compare with the DNA/genetic testing data collections.
Avast blog: How to defeat social engineering attacks

If you have heard of the process of social engineering, the ability of a hacker to trick you into divulging your private details, then you might have come across ethical hacker Rachel Tobac. She’s the CEO of SocialProof Security and a board member of Women in Security and Privacy. I virtually attended one of her more recent talks, during which she explained her craft and gave some suggestions on how we all can improve our personal security and make her job more difficult.

Tobac has carried out some notable security stunts in the past, such as live hacking a CNN reporter’s accounts and stealing his airline points. “I hack so people can understand how hackers think and hopefully you will avoid these mistakes,” she told her audience.

You can read more about her talk — and how to harden your own defenses against social engineering attacks — in my latest blog for Avast here. And if you want to watch a great documentary about the teens behind the 2020 Twitter hack, you can find it streaming on Hulu here.

Avast blog: Just because your iPhone is powered off doesn’t mean it can’t be attacked

Did you know that even when your iPhone is turned off, some of its components are still getting power? Researchers have found this to be one of the reasons why a new attack vector can operate without your knowledge. The issue lies with the iPhone’s Low Power Mode (LPM) and the fact that while using this functionality, certain communications chips continue to operate. Apple’s LPM features were introduced as part of iOS 15 and enable things such as Find My Phone, which can continue to track and function when a phone is turned off. You can find out more about this, and how it stacks up with air-gap research and NSO’s Pegasus, in my latest blog for Avast here.
CSOonline: How to choose a certificate management tool

Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map: certificates and keys for servers and applications, keys to encrypt your email messages, credentials for authenticating to IoT devices, signing keys that allow you to make edits to a piece of code, and user identities that grant access to a particular shared resource.

[Image: cso email security suites table]

I mention the above products and some of their important features, along with other aspects of how to manage your certs, in my post for CSOonline here.

Red Cross blog: Brian Mintner Delivers Blood and Much More

Saving lives isn’t just some abstract concept for the American Red Cross. Volunteer Brian Mintner not only delivers lifesaving blood to people he’ll never meet, he is directly responsible for saving one specific life. Brian is the manufacturing transportation supervisor for the Missouri-Arkansas region of the Red Cross, coordinating the movement of blood products collected from donors and ensuring they are transported to various hospital blood banks. He oversees a vast transportation network that, he admits, “is a brutal chain of custody.”

In my blog for the Red Cross, I profile Brian (for whom I also work, as one of his volunteer drivers).

Who killed Shireen?

The killing of Al Jazeera veteran journalist Shireen Abu Akleh last week has haunted me in the days since it happened. She was covering a raid by Israeli forces in the refugee camp of Jenin in the West Bank. For specifics about what happened, I would urge you to read Bellingcat’s analysis.

The Israelis initially said she was killed by Palestinians, then changed their story to say they weren’t sure who actually fired the fatal shot. Various other sources, including representatives of the Palestinian government and various Al Jazeera reports that have aired in the past week, claim it was Israelis, and done deliberately. These reports state that a sniper took careful aim at Shireen because she was wearing body armor and a helmet. The single shot hit her head just below her ear, which wasn’t protected.

The map shows her position (the red dot at the top), as well as the positions of Army forces and Palestinians. Both groups were similarly armed with M4 assault rifles using the same ammunition. I’ll get back to this in a moment.

Even sadder than the circumstances of Shireen’s death are those surrounding her funeral. There were additional clashes with the Israeli army and police at both the hospital morgue and the church where her services were held. I am not going to link to the video clips, but let’s just say it is pretty clear that “clashes” is probably not the best descriptor. Tensions and emotions were high, and it was ugly.

There have been 19 journalists killed in Israel (including Gaza and the West Bank) over the past two decades. That link will take you to the Committee to Protect Journalists — two other people have been killed there without confirmed motives. What makes this more personal for me is, first, that Shireen was a dual American/Palestinian citizen and a journalist. She is buried in the Christian cemetery that I visited three years ago when I was searching for the grave of Oskar Schindler. The route that took her to the cemetery is one that I have frequently walked over my many visits to the city. Finally, I have seen numerous reports of hers over the years that I have watched the Al Jazeera English channel, and admired her reporting and how often she was in the line of conflict. She was amazingly courageous.

Now, figuring out the origin of that bullet isn’t going to be easy. The Israelis and Palestinians don’t want to work together, but to have a definitive answer means you need to test the guns that were used that day. Some of them have been collected, but the chain of custody is probably broken on both the bullet and the weapons. Never has a single bullet carried so much weight since that November day in Dallas when JFK was killed.

I mourn Shireen’s death greatly.

Avast blog: How to make a successful transition to a hybrid work schedule

Employers should migrate to a hybrid environment only after building a solid foundation to support remote workers. As Covid-19 pandemic restrictions have eased, employers are adjusting their work-from-home policies. Some companies, including Airbnb, have doubled down and made substantial commitments to remote working. Others, like Google, have begun to shift to more in-person and hybrid office policies. This range between just two tech giants is an example of the different possibilities being considered by other employers. According to a 2017 Gallup poll, 43% of U.S. employees worked remotely all or some of the time.

Part of the reason for this difference has to do with how all of us have adjusted to working in the face of the pandemic. I explain more in this post for Avast’s blog.

The changing digital business climate in India

Late last month the Indian CERT issued a ruling directed at improving its breach security. The ruling has big implications for the privacy of its computer users and for how digital business is conducted there. The news has centered around its effect on VPN operators, but the ruling also affects data center providers and “intermediaries,” which could be any ISP or indeed any digital business that has Indian origin. The ruling isn’t final but is supposed to go into effect next month.

— First, businesses must notify the CERT within six hours of any breach or security incident, and provide system logs, which have to be maintained for six months. These incidents are described across a wide collection of situations, including website defacement, identity theft, DDoS, data theft, wholesale port scans and other attacks. The six-hour window is a pretty tight one; other geographies have much longer notification periods (the EU’s GDPR allows 72 hours, for example), and in some cases businesses may not even know of a breach during that short time period.

— Second, digital businesses must collect and log a variety of user data, including valid names, IP addresses, public encryption keys, emails, physical addresses and phone contacts. CERT requests that any vendor keep these logs for up to five years. The businesses specifically mentioned in the ruling include remote access vendors, VPN operators, cloud providers and data centers. But it could apply to any company that has a bunch of programmers in India, which is certainly a common situation for perhaps most large international companies.

The actual logs are being collected to enable the CERT to reconstruct individual transactions so they can identify the parties involved. That is a tall order, because it assumes that businesses will have to collect a lot more data about their customers than they have done previously.

As you might imagine, this has thrown many businesses into a tizzy, because of the onerous provisions in this ruling. What is curious is that India’s CERT has moved beyond its usual lane: a national CERT (ours began its operations in Pittsburgh) typically handles breach reporting and makes recommendations when it observes increases in computer attacks.

The five-year log collection period is what I want to focus on. As I said at the top of this post, the news has mostly focused on VPN providers, and indeed they have reacted with some trepidation. Some have said they might have to forgo their Indian operations. “Forcing VPN providers to track user traffic and their private data is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers,” said Artur Kane, the CMO at VPN provider GoodAccess.com.

The data retention piece of the regulation is also an issue. Part of the issue, as I mentioned in my earlier reviews of VPNs, is that figuring out data retention policies and practices is very difficult, and almost every vendor has problems here. But there is another side as well: “Asking VPN vendors to retain this amount of customer data is without precedent in democratic countries,” Kane said.

Many VPN providers have claimed “no logs” as part of their marketing strategies. This is almost as ridiculous and nearly unprovable as their claims for “military-grade encryption.” CNet wrote this piece a few years ago about why you should be so skeptical about these claims — there are numerous types of logs, and numerous ways to collect and dispose of this data. “No matter how much we trust any particular VPN to help mask our internet browsing, it’s virtually impossible to verify whether a VPN truly keeps no logs,” they wrote. I agree. If you want to research this further, read this analysis by Consumer Reports on how many VPNs keep local logs (on your own machine).

While getting better intelligence about cyber attacks is important, the way the Indian CERT is going about this is wrong-headed, and perhaps will prevent many companies from continuing to do business in India.