Avast blog: Time to walk away from Amazon’s Sidewalk

Amazon is releasing a new service called Sidewalk, which allows people to share their wireless network with their neighbors over a low-power Bluetooth mesh network. If you want to read more, The main benefit would be expanding the WiFi coverage for low bandwidth devices.  Amazon explains that Sidewalk would enable outdoor devices such as security cameras and smart lamps to stay connected even when wifi connection is lost as they are often at the edge of a home’s wifi coverage.  Additionally, this service can be used for Tile trackers to locate valuables.  While the service is free, there are serious privacy concerns. I’ll tell you why you should walk away in my latest blog for Avast here.

 

CSOonline: Hacking 2FA: 5 basic attack methods explained

Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it still is far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all and only 11% of enterprise accounts are protected by some MFA method. The pandemic was both good and bad for MFA uptake. I explain more about this, and touch on five ways that MFA can be compromised.

You can read more of my blog post for CSOonline here.

Book review: Chasing the Lion

54860446The workings of a counter-terrorism elite strike force are at center stage in this thriller. The team is threatened by a clever adversary who is taking advantage of the inauguration of a new president just days away. If this sounds like a story that is ripped from current events, it has plenty of realistic passages as the team struggles to figure out what is the exact nature of a threat that combines chemical weapons with potentially mind-altering drugs that could be dispersed across the Washington Mall the day of the inauguration. If you are a Clancy fan you will like the explanations of the military hardware and weaponry but there is a lot of spycraft to keep you entertained too.

Avast blog: The importance of equitable and inclusive access to digital learning

Schools continue to remain closed around the world. A UNICEF analysis last summer found that close to half a million students remain cut off from their education, thanks to a lack of remote learning policies or lack of gear needed to do remote learning from their homes. And as UNICEF admits, this number is probably on the low side because of skill gaps with parents and teachers to help their kids learn effectively with online tools.

While the situation has improved since last year and more kids are back in their actual classrooms, there are still critical gaps in math and reading skills and a wide disparity when country-wide data is compared. The equity/inclusion problem isn’t exactly new, but the pandemic has focused awareness and foreshadowed the obstacles. I discuss this in my latest blog post for Avast here.

Give your boss this cybersec quiz

We all know that management needs to get smarter about cybersecurity. Just take any headline of the past couple of weeks to see mistakes made by some very large organizations who have been hit with ransomware, had to deal with public data exposure, or found evidence that hackers had been living inside their networks for months. So in the interests of public service, feel free to distribute this short quiz. You can grade it on a curve, or use it as a teachable moment, for better cybersecurity practice.

  1. Which is the best password security policy?
    1. Everyone’s passwords must be replaced after 60 days
    2. You can’t reuse one of the same passwords you used in the last year
    3. All passwords must be at least 16 characters long and contain symbols too
    4. Users don’t need to know their passwords because we have SSO logins
    5. I have no idea how to answer this question
  2. Have you ever searched for potential data breaches about you or your company on the dark web?
    1. No, what is the dark web?
    2. Yes, using Tor and Onion sites
    3. Yes, and I track this using a third-party security service in near real-time
    4. Yes, we have developed our own tracking tools for this purpose
    5. I have no idea how to answer this question
  3. How often do you run phishing simulations and awareness drills?
    1. We built our own and run them every week
    2. We built our own a year ago, but no one knows how to run them
    3. We use a third-party vendor and run them every quarter
    4. We were told by our auditors to run them but haven’t implemented them yet
    5. I have no idea how to answer this question
  4. Who provides your DNS services for your company?
    1. Your ISP
    2. Your cloud provider (Google Cloud DNS, AWS Route 53, Microsoft Azure DNS or similar)
    3. Google Public DNS, Cisco/OpenDNS, Quad9 or similar
    4. Cloudflare, Akamai’s Enterprise Threat Protector, NS1 Domain Security Suite or similar
    5. Don’t know the answer
  5. Which is the most secure password?
    1. “Every good boy deserves favor” (passphrase)
    2. “E!bTzQZK4TCjadS4” (random collection of 16 or more characters)
    3. “Fido1234” (my dog’s name with some numbers appended, something easy to recall)
    4. Any password secured with a one-time code generator like Google Authenticator
    5. Any password secured with an SMS code
    6. I have no idea how to answer this question
  6. When an employee leaves my company, you do the following:
    1. I have an automated way to audit my Active Directory listings and other network access controls
    2. Someone on my staff sends an email HR to terminate their login sometime after their last workday
    3. I have automated mechanisms that outboard their access
    4. I use manual methods to terminate their access on my SSO
    5. None of the above
  7. Check how many of these authentication options you personally use for your account logins
    1. SMS texts of one-time codes
    2. Authenticator smartphone apps (like Google Authenticator, Duo or Authy)
    3. Hardware keys such as SecurID or Yubikey
    4. FaceID, TouchID or equivalent on your smartphone
    5. Risk-based methods that use geolocation or other factors
    6. None other than your user name and password
  8. A cyberconsultant calls saying your software contains malware. What do you do next?
    1. Call your lawyer
    2. Call your PR department
    3. Call your IT department
    4. Call the FBI
    5. Ignore the call
  9. What part of your computer infrastructure are protected by CASB and CSPM products?
    1. Servers in your data center
    2. Servers in your cloud
    3. Laptops that you brought home at the beginning of the pandemic
    4. I don’t know what you are talking about
  10. One of your end-users is hit with ransomware. What is your next step?
    1. Call your lawyer
    2. Open a Bitcoin account pronto and get ready to transfer funds
    3. Call your PR department
    4. Call your IT department
    5. Call the FBI
    6. I have no idea how to answer this question
  11. What is DLP?
    1. Data Loss Prevention
    2. Data level parallelism
    3. Dark Lord Potter
    4. Data leak protection
    5. Data link protocols
    6. I have no idea how to answer this question
  12. You get an email from your IT department with a note saying you have to update critical network software, and please install the attached file. What do you?
    1. Click on the attachment and install it.
    2. Call your friend in another department and check and see if they got a similar email.
    3. Call your IT person to make sure the email is legit.
    4. Delete the email immediately.
    5. I have no idea how to answer this question
  13. Do you have the following people on retainer?
    1. Cybersecurity law firm
    2. MSSP to handle ransomware response
    3. Accountant with a bitcoin access
    4. None of the above
  14. When was the last time you looked at your cybersecurity insurance policy terms?
    1. Last year when we got hacked
    2. Every year when it is time to renew it to ensure the terms are acceptable
    3. We don’t have such a policy
    4. Our corporate parent has a policy but I don’t know the specific terms
  15. Do you know what aspect of your cybersecurity refer to DKIM, SPF and DMARC?
    1. Your web servers
    2. Your email servers
    3. Your programmers writing more secure code
    4. Your personnel database servers
    5. I have no idea what you are talking about
  16. How did you test your disaster recovery plan?
    1. We simulated a partial cloud failure and saw what needed fixing
    2. We simulated a partial app failure and saw what needed fixing
    3. We have a full-fledged disaster recovery site and conducted an all-hands drill offsite
    4. We did none of these things
    5. We did all of these things
  17. What is a watering hole attack?
    1. When your laptop computer is infected with malware while you are at the water cooler.
    2. When your laptop computer crashes because you left some questionable content on it
    3. When your laptop computer visits a questionable website and you get infected with malware.
    4. I have no idea how to answer this question
  18. What does a red team do?
    1. Put out management fires between conflicting policies or employees
    2. Find malware that is a potential threat
    3. Find employees that are downloading porn
    4. I have no idea how to answer this question
  19. What additional security measures have you put in place since the beginning of the pandemic?
    1. VPNs
    2. Zero-trust networks
    3. Passwordless access using biometrics
    4. Encrypted emails
    5. None of the above

Avast blog: Can AI tell your age?

While social justice issues involving algorithms receive attention, there’s little discussion around ageist algorithmic bias. Algorithms are under attack, but so far, the score seems to be Machines: 1, Humans: 0. While we haven’t quite reached the point of Skynet Armageddon, the machines are making significant strides in keeping track and taking advantage of the various carbon-based life forms on the planet. While the social justice issues involving algorithms continue to receive some attention, there is little discussion around ageist algorithmic bias. I explore this issue and provide several links to illustrate the problem.

You can read more with my post for Avast’s blog here.

Avast blog: The Verizon data breach report for 2021

This year’s report records a rise in ransomware as well as a jump in social engineering-based breaches

What a year it has been. Nothing delineates things more than reviewing the annual Verizon Data Breach Investigations Report (DBIR), which was published earlier this month. To no surprise, phishing increased from 25% of breaches in 2019 to 36% in 2020, aided by the various Covid-themed lures. Also, ransomware loomed large and doubled its frequency from 2019 to 2020 to 10% of the breaches, as you can see in the below chart.

You can read my summary of the report here on Avast’s blog.

Book review: You will remember me


This thriller is an excellent study of what happens when trust goes out the window between a couple. The phrase what you don’t know could possibly kill you comes to mind, but I don’t want to give away any plot points. Let’s just say that when a boyfriend goes missing meme is well thought out and isn’t as much of a trope as you might think. You see the novel from the perspective of the boyfriend, his girlfriend, and his stepsister, all of which have something to hide about their dark pasts. Granted, they all have their justifications about keeping the truth from the others in this novel, and as the book evolves you get to see these reasons and make some judgements about them. I found the novel a fascinating character study and well worth your reading time, and made me think about whether we really ever know anyone that we love or spend time with. And you will remember the plot of this book for some time too.

Disinformation as an instrument of the fog of war

As many of you know, my daughter has been living in Israel for the past several years. The latest round of fighting and rocket attacks has been difficult for me to watch, mainly because I have experienced exactly one of them on one of my visits. The rocket landed a few miles away and happened in the middle of the night. I woke up briefly, because the sirens sounded and then the ground shook. A house was destroyed, but the family living there survived.

Every Israeli has access to a bomb shelter or safe room, depending on when their house was built and under what circumstances they have. For the more modern residences, the shelters usually have fortified walls, a roll-down metal shutter on the windows, and a metal door to the room itself. For my daughter’s condo, I actually slept in the bomb shelter room. Some of the older buildings have basement shelters or separate buildings that you have to move into.

So that was the context for me and trying to get accurate information during the current hostilities. It isn’t easy and it is getting harder. Let’s take a few examples.

Last week this Tweet was sent out by the Israeli military public affairs office. It says that Israeli “air and ground troops are currently attacking in the Gaza Strip.” The key word in that Tweet was “in” and how the English-language press reported what was happening. This article from the NY Times covers the issues.

Do you recall the Clinton/Monica impeachment testimony when we debated the meaning of the word “is”? This single word last week was responsible for press reports citing an invasion of Gaza by Israeli grounds forces, saying that troops were inside the territory. They weren’t.

Yes, there was plenty of fighting between the two sides, but Israeli ground troops remained on their side of the border, firing missiles from tanks, drones and other aircraft at Gazan targets. But one result of these reports was that Israeli forces were able to get Hamas fighters to take to their underground tunnels and target them from the air. There were many casualties as a result.

The Lt. Col. who spoke (and Tweeted) claimed it was an honest mistake due to the fog of war. But others, including the Hebrew-language press and the Gazans themselves, called this a deliberate attempt to use the press into helping the Israeli military. Hard to say which is true.

This wasn’t the only disinformation campaign going on in last week’s fighting. The NYTimes cites a series of misinformation campaigns by mostly Israeli-based efforts in this article, all designed to inflame pro-war passions. And over the weekend, the Gaza City high-rise building that has been the home of the AP and Al Jazeera offices for many years was demolished by Israeli air strikes. Israel gave occupants an hour to leave the building before it was bombed, claiming that it was being used as offices for high-ranking Hamas leaders. It is hard to determine if that was true, or if the leaders were using the press occupants as human shields. Reporters have asked for documentation about who was actually in the buildings.

This wouldn’t be the first time that Hamas has used this tactic. If you examine the casualty reports from the fighting over the past week, you can see there are dozens of Gazan children who have been killed in the attacks. This is due to the placement of the rocket launchers atop schools and hospitals, so that when these sites are targeted they can claim Israelis are aiming at innocents. Some of the tunnels are also purposely routed near schools as well.

Getting the facts has never been harder in this part of the world.

Red Cross blog: How Debi Meeds Brought Agencies Together

Sometimes the simplest ideas are also the most powerful. One of the great innovations that came out of the response to the Joplin, MO, tornado of 2011 was the first Multiple Agency Response Center (MARC). Since then, MARCs have become the gold standard for partner cooperative efforts.

Debi Meeds, (longtime American Red Cross volunteer that I profiled here), deserves much of the credit.  While working a disaster back in 2008, she had noticed confusion. “People didn’t know where local resources were located, and our clients were spending a lot of time running around town to obtain assistance. The average client had to go to ten different places to obtain lost documents such as their driver’s license, family services, and things like food and clothing from various charities—and remember, folks didn’t have GPS phones back then.”

So instead of bringing people to the services, Meeds switched things and brought services to the people. Ultimately, the Joplin MARC had 48 different agencies and organizations at one location.

You can read another story I wrote about Meeds for the 10th anniversary of the Joplin tornado here.