Avast blog: what’s up with FragAttacks?

A new series of attacks against almost every Wi-Fi router has been published under the name FragAttacks. Anyone who can receive radio signals from your router or Wi-Fi hotspot can exploit these vulnerabilities to steal data from your devices. The issue lies in the design of the Wi-Fi protocols themselves, along with programming errors in certain Wi-Fi devices. Some products have multiple issues, and a dozen different CVEs have been published to document them.

You can read my blog post for Avast here.

Can we really reduce ransomware attacks?

A new report from the Ransomware Task Force — what we once called a blue-ribbon panel of cybersecurity experts and non-profit organizations — was released last week. It has a long list of recommended actions to try to reduce this scourge. And while it is great that the tech industry has made the effort, it is largely misplaced.

The co-chairs of the various committees say right up front that tackling this problem won’t be easy, that there aren’t any silver bullets to fix it, and that no single entity has the resources needed to make much of an impact. Many of the recommendations concern actions by the federal government to try to stop it; I think public/private partnerships are going to see more success here.

Here are a few of their suggestions that captured my attention.

Action #2.1.2 recommends that cryptocurrency exchanges and other operators follow the same “know your customer” and anti-money laundering rules as regular financial institutions, and that those exchanges that do not be aggressively targeted. This would restrict criminals from cashing out their ransom payouts. I think this is a worthwhile goal, but I’m not sure how it could be enforced or even identified. There is always some semi-shady operator that will skirt the rules. Still, perhaps some crypto blogger or analyst could offer a summary of those operators that make more of an effort and those that just pay lip service to these very basic rules.

Action #2.3.1: Increased government sharing of ransomware intelligence with the private sector.

Action #4.2.2: Create a standard format for ransomware incident reporting.

These are both good suggestions. There are already common threat reporting formats, such as STIX and TAXII, that are used to share threat intelligence; they are machine-readable and fit easily into automation solutions. But there are two issues. First, will victims be required to report incidents? Many times we only hear about attacks months or years later, and many victims never come forward at all, or post rather gauzy, information-free notices. The second issue is who will act as the central repository of this information. That brings up the following:

Action #4.2.1: Establish a Ransomware Incident Response Network.

This is another good idea. The only issue is who is going to be in charge. Part of the problem in infosec is that we have far too many organizations that overlap or operate at cross-purposes. MITRE would probably be my first choice: it is the keeper of other cybersec threat data.

Action #4.1.2: Create a federal cyber response and recovery fund to help state and local governments or critical infrastructure companies respond to ransomware attacks. This approach would be similar to the Terrorism Risk Insurance Program, which was enacted after 9/11 and has been used, albeit infrequently, since then. It provides shared public and private compensation for certain insured losses resulting from a certified act of terrorism, split 90/10 between the federal government and insurers. It could be tricky to implement, because defining a ransomware attack might prove even more difficult than defining a terrorist incident.

One part of the report that I found helpful and instructive was an appendix that describes the cyber insurance market, including a summary of common policy components and why you might need them. There is also a series of suggestions to help improve insurance underwriting standards. I would urge anyone who is reviewing their own corporate cyber policies to take a closer look at this portion of the report.

The report concludes with these dire words: “Ransomware actors will only become more malicious, and worsening attacks will inevitably impact critical infrastructure. Future attacks could easily combine techniques in ways that cause the infections to spread beyond their intended targets, potentially leading to far-reaching consequences, including loss of life.”

Avast blog: How will advertisers respond to Apple’s latest privacy changes?

Last week, we described the privacy changes happening within Apple’s iOS 14.5. Now, in this post, we’ll be presenting the advertiser’s perspective on the situation at hand. While advertisers may think the sky is falling, the full-on Chicken Little scenario might not be happening. The changes will make it harder – but not impossible – for advertisers to track users’ habits and target ads to their devices. And as I mention in my latest blog for Avast here, digital ad vendors need to learn new ways to target their campaigns. They have done it before, and hopefully the changes in iOS will eventually be good for everyone.


Avast blog: What Apple’s iOS update means for digital privacy and identity

This week, Apple announced the availability of iOS version 14.5 for its smartphones and tablets. The release contains an update that marks a major change in direction and support for digital privacy. If you are concerned about your privacy, you should take the time to install the update on your various devices. Earlier iOS versions had the beginnings of this anti-tracking feature: if you go to Settings/Privacy/Tracking, you can turn off tracking or selectively enable it for specific apps. When you install a new app, you will get a popup notification asking you which tracking permissions you wish to grant the new app.

In my blog for Avast, I talk about what exactly is included in the new iOS, and why it is important for preserving your privacy.

FIR B2B podcast #147: Marketing Lessons From the Open Source World With Priyanka Sharma

This week we talk to Priyanka Sharma, who is the General Manager of the Cloud Native Computing Foundation. The group has assembled a massive collection of 600 vendor members, ranging from little-known startups to the biggest companies on the Internet. The foundation is the steward of more than 80 open source projects that support Kubernetes, Prometheus, Vitess, Envoy and other technologies that deal with distributed data structures, network policies and cloud orchestration. The foundation helps to put on an annual conference, which has a business value track this year, and has a library of webinars to help spread the word about the revolutionary technology called software containers. She told us during the podcast that “Life isn’t a zero sum game and we have to work together” to help market cloud tech.

Our interest in this portfolio is high — Paul has written most recently about the foundation here for SiliconAngle. We spoke to her about her role at CNCF and the tactics the foundation has found to help mainstream IT adopt cloud and container technologies, how she gets her members to agree on a single standard, how to sell open source to the prototypical “pointy-haired boss,” and what tech marketers can learn from the cloud evolution that they can apply to solve their own business problems. You can listen to the 20-minute interview here.

Red Cross blog: Mike DeSantis, long-time blood donor, enjoys helping others

Volunteers approach the American Red Cross from many different directions. Mike DeSantis came through donating blood. And then doing it again, and again, and again. He wanted to start donating blood while he was in high school, but was born too late in the year, so he had to wait until he turned 18, when he was in college, before his first visit. “I gave whole blood then, and found it wasn’t all that hard or that intimidating,” Mike said. “After a few times at the local blood center, a nurse asked me if I had considered apheresis and told me I had nice big veins.” That was the beginning of something that blossomed into a decades-long relationship. By one accounting, he has donated more than 530 units of platelets over 375 visits. He tries to come in every other Friday afternoon. “This is a lot easier to remember than the whole blood schedule,” he said. There is a lot more to his story, and you can read about him on the Red Cross blog here.


Red Cross blog: Little Rock volunteer, Kathryn Buril, loves serving others

Like so many Red Cross volunteers, Kathryn Buril spreads her love around by serving multiple community organizations. The Little Rock Red Cross chapter volunteer is active at Saint Mark Baptist Church and on the board of directors of Volunteers in Public Schools (ViPS). She has held leadership roles at local branches of the National Association of University Women, the American Association of University Women and the local AARP chapter.

Kathryn began her Red Cross service with sheltering and mass care disaster assistance groups in the summer of 2009 when numerous hurricanes hit the Gulf Coast. “People were coming into Little Rock by the hundreds,” she recalled. Kathryn’s first deployment was in Mena, Arkansas, at a tornado disaster relief shelter.

You can read more about her exploits and volunteer efforts on the Red Cross blog here.

Avast blog: SIM swapping: What it is and how to stop it

Every mobile phone has a special card called a Subscriber Identity Module (SIM). It is the target of a type of attack called SIM swapping, which is becoming increasingly easy to carry out thanks to data leaks that associate email addresses with mobile phone numbers. In my latest post for Avast’s blog, I take a deeper dive into how this type of attack is pulled off, why it’s so popular, and the steps you can take to prevent it in the future.

Learning from the Enactus collegiate entrepreneurs

Once again I have had the honor of being one of the judges in the Enactus collegiate entrepreneurship competition. Back in 2015, the national finals were held here in town, so I got to participate in person. Of course, this year it was completely a virtual affair.

I have also been involved in another competition: the Microsoft Imagine Cup. Back in 2012, I flew to Sydney to be one of the judges for their final competition, which I wrote about here. It was a blast, and I got to meet some very smart students from around the world. Not to mention that I got to climb to the top of the Harbour Bridge too.

The Enactus competition now goes on to its own World Cup, held later this year. The teams come from colleges both well-known and ones that you have never heard of, and the team sizes vary from just a few students to dozens. This year the US national champion was the team from the University of Wisconsin at Whitewater, which has had success in earlier years. They had an interesting project to help eye patients in India obtain inexpensive glasses, and I didn’t give them top marks because, due to the pandemic, the project only really got in gear last month.

There are two things the judges evaluate. The first is a short video that the team puts together, which contains both their pitch and an introduction to the team members. These are of professional quality and include the requisite drone fly-by of the campus with a background of dramatic music.

The second element is the written report that reviews the financials and explains how the project or projects meet the four major tenets of the competition:

  • Entrepreneurial leadership, where the team identifies a need and shows how they can take personal responsibility and manage risk and change
  • Innovation and improvement
  • Application of business principles, such as a workable plan and model
  • A measurable and sustainable positive impact, both socially and economically

The Whitewater students’ business plan didn’t match up with their video, which is why I didn’t give them the highest marks. Apparently, I was in the minority.

The two teams that I preferred were from North Central College located in the Chicago suburbs and Southern Adventist University (SAU) near Chattanooga. Also in the final four was the University of Illinois at Urbana/Champaign, which I have actually been to and have known about as one of the major computer science powerhouses.

North Central’s team (which you can see here) ran a web storefront for Guatemalan coffee and chocolate sales as one of their projects. What I liked about this project was how they built upon last year’s efforts and what they did to pivot to deal with the pandemic. They had to work hard to replace in-person sales with some innovative alternatives, such as building their own campus-based store and selling their products at farmers’ markets, using FaceTime walk-throughs and Zoom demos of how their products were sourced and made, making donations to non-profits and creating private-label products. They were able to significantly boost their sales and not only cover the additional costs of these efforts but also increase their profits. The storefront will ship product across the US, or you can come pick things up at the campus store.

SAU’s team had a series of projects, but their centerpiece was another web storefront, selling soap made in Zambia. This store only ships to nine locations there. They now employ 360 people and made some US$5,000 in revenues last year. They had other projects as well, such as local STEM instruction for women and a marketing toolkit for non-profits.

It is great that Enactus was able to continue its competition during a very difficult year, to be sure, and under some very stressful circumstances as universities moved to remote learning. And if you have a moment to watch some of the video presentations on the Enactus site (warning: it is a miserable website, ironically), you too will be inspired and have some hope for the youth of today.

Book review: Just Get Home

This novel about one night in LA after an earthquake reminds me of the movie Magnolia, where we follow several characters as they try to deal with their lives and another disaster over the course of a single day. One young mother is out on the town with her friends, her young child left at home with a sitter. A teen girl has been raped by some thugs. Both are trying to get home and suffer various adventures along the way, eventually joining up in their travels, which involve spending the night in Griffith Park. Having lived in LA for several years, I found the situations interesting and captivating, and the characters are strongly drawn and compelling. How the two relate to each other from their different backgrounds is also a major sub-plot: the older woman lives in Van Nuys, of which the other says, “people with money don’t live in Van Nuys.” I highly recommend this book.