Avast blog: How to add authentication to your Facebook and Google accounts

By now you have heard about the latest Facebook data breach that exposed private data from more than 500M accounts. My latest blog post for Avast, here, walks you through what you need to do to enable two-factor authentication on your accounts.

Unfortunately, Facebook (and Google) don’t make two-factor authentication particularly easy. And to make matters worse, both companies have the habit of changing their menu options, which confounds even those who have set it up before. My recommendation is to use a web browser, rather than the mobile apps, for these tasks: you’ll want the additional screen real estate, and some of the options are harder to find in the mobile apps.


CSOonline: Identity and access management explained

Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications. The overarching goal of identity management is to grant access to the enterprise assets that users and devices have rights to in a given context. That includes onboarding users and systems, permission authorizations, and the offboarding of users and devices in a timely manner.

However, part of the problem is users and their love/hate relationship with their passwords. We all have too many passwords, which makes the temptation to reuse them across logins – and the security implications that come with that – a real issue.

You can read my post for CSOonline here.

Vax passports update

I wrote about vaccine passports for Avast’s blog back at the beginning of the year. Since then, we have some more clarity over where and how they will be used, and a lot more questions too. Here is a brief summary of their progress.

First, the passports have now entered the political arena. Several states (including Missouri and Florida) have actually issued rulings preventing them from being used by state agencies or by local businesses. Pennsylvania, Montana and Arkansas are close to passing similar prohibitions. The White House has stated that there will be no federal mandate for any vax credentials. This pretty much guarantees that Americans will be stuck with those postcards that were handed out when we got the Covid shots. Coming from the opposite direction is New York, which has its own passport app. As Shelly Palmer documents, this has been a fiasco — even calling the app the NYS Wallet, which confounds usability and destroys what little trust users might have in this passport.

The politics of the passport go something like this: we don’t want to create a centralized health database, because chances are the gummint will screw that up and we would have a massive data privacy issue on our hands. (Perhaps almost as bad as what just happened recently with Facebook.) Yet the local health departments have been issuing paper vaccination records for decades without any controversy (for the most part), and schools and the military use these paper documents as proof that you have been vaccinated.

Covid, it seems, requires something new and a more digital approach. And with a new system comes the challenge of preserving privacy while still allowing people their individual freedom. The ACLU has weighed in with their opinion here. They warn, “we could see a rush to impose a COVID credential system built on an architecture that is not good for transparency, privacy, or user control. The devil is in the details.”

But there are some pretty significant efforts under way by open source folks, such as this one, which is trying to work out these details by keeping the vax record on an individual’s smartphone. We shall see whether these will pass muster and have the right controls when they are finally implemented. There are some pretty smart people working on this, but politics could still send anything awry. (I wrote about the anti-vax movement earlier this year here.) In the meantime, when we get our Covid vaccinations, we get a small postcard. But will that be sufficient proof?

Second, the pilot programs have begun but have very limited use. One series of trials has been happening at more than 20 different airlines that are using the IATA travel pass. These trials are typically on a couple of city pairs and a small number of flights, where passengers are notified that they will either have to download an app or print out the certificate to prove they have been vaccinated. None of these are US-flag carriers, and the airline that is probably furthest along is Singapore Airlines, which is planning on rolling out this pass by summer.

Among nations, the furthest along is probably the Israel Green Passport smartphone app. Israel has done the best job of almost any nation at getting vaccines distributed to people over 16. The app is required for numerous large social gatherings, although as this NYTimes article documents, it isn’t uniformly enforced. One interesting side note: another digital passport is being contemplated for use by airlines and nearby countries to allow Israelis passage and entry if they want to travel. It isn’t clear how this will work. One problem: given that children haven’t yet been vaccinated, families who want to eat out or attend these events together can’t, unless the kids get a Covid test ahead of time.

The enforcement issue brings up another point: who is going to authenticate the passport holder? Right now, when we can actually cross an international border, there are trained professionals who look at your regular passport and any paper and digital visa stamps and approve your passage. Do we really want bar bouncers, part-time ticket takers and other assorted folks determining whether we can enter a concert venue, shopping mall, restaurant or whatever?

Israel addressed this problem of controlled access a long time ago. If you want to attend university, go to a shopping mall, ride a train or go to a concert, you have to pass through the kind of barrier that most Americans associate only with airport TSA checks. Granted, these checks were mainly for weapons, and to that end similar controls were recently placed around the Capitol. Yet many members of Congress pay them no heed. That doesn’t bode well for US-based enforcement.

There are a lot of other issues about how to implement the vax passport apps, and solving them isn’t going to be easy. But at least getting your shots is getting easier: we are now approaching 4M shots delivered a day.

FIR B2B podcast episode #147: Language matters

Last week Volkswagen tried and failed at an April Fool’s prank that involved changing its name to “Voltswagen” in recognition of its belated line of electric vehicles. The name change was confirmed through its press channels before Volkswagen eventually revealed that it was “only” a joke. Only a lot of people in the media weren’t laughing, believing that they had been manipulated as part of a marketing stunt.

The issue once again emphasized how tone-deaf companies can be in light of their reputations. (Remember the whole diesel stats fiasco?) This brings up the topic of how to be careful about your choice of language. The issue is particularly relevant in this time of hyper-sensitivity to issues of race, gender and disability.

An older article on The Hill has several examples of neutral language, such as using “pro-life” rather than “anti-abortion” to describe one side of that sensitive issue. My podcasting partner Paul weighs in on a recent experience he had writing an article about autism in the workplace: many of those folks prefer to be called “autistic people” rather than “people with autism.” The latter approach, called “individual first,” is favored by people with disabilities, but autistic people don’t consider themselves to be disabled. Language has been widely used to shape the gun debate as well.

We’re seeing corporations increasingly weigh in on social and political issues, and the need to be sensitive to special interests has never been greater. The most recent example is the voting rights bills being considered by various statehouses. Several large companies have weighed in on the issue, with language ranging from blunt in the case of Delta Airlines to Microsoft’s more nuanced approach. And the media, which likes a good fight, has largely overlooked the numerous bills that expanded rather than restricted these rights, something that the Brennan Center has tracked extensively.

You might want to take some time to review these links to understand how much language matters these days and to think twice about how you express your corporate position. You can listen to our 15-minute discussion here.

Going against type: this Jewish liberal owns nine guns

I have a confession to make: I have never fired a gun. I don’t own any firearms, and the closest I came to having a gun was when I was growing up: my brother was a member of the high school rifle team and we had some old thing. But a friend of mine, whom I will call Harry, is a gun owner. Indeed, he now owns nine different ones: a mixture of rifles and handguns, revolvers and semi-automatics. Given that he lives in New Jersey, he can’t easily carry them — either concealed or openly — and has to carefully transport them from his home to the various ranges at which he shoots competitively. Yes, he is a real gun advocate now.

And did I mention that he is your stereotypical Jewish liberal from the northeast? “For 50 years, I didn’t think anyone needed guns. But now I feel differently.” Harry is your typical suburbanite, with two adult children. Neither of them (nor his wife) is very interested in using his guns, although his daughter has shot one of his weapons to impress her boyfriend, who is looking for a career in law enforcement.

Harry bought his first gun, an HK 9 mm, back in 2016, just after Trump started winning various primaries. “I figured if he got elected, he could set the country back 50 years. And with all his turmoil and racist language, I wanted to be able to defend my own home. I was afraid that my family would be one of the first targeted, since we are Jewish.” His first gun had a magazine for 15 rounds, but he had to give that up because New Jersey changed its law to restrict magazines to just 10 rounds. “There is a lot to know legally,” he told me. “And our state has a lot of restrictions, so the liberals who say we need more regulations don’t understand the wide variation in different states.” Exactly: here in Missouri, we have more liberal gun laws. He does have concealed carry permits for Virginia and Florida, and has a variety of reasons for obtaining those permits in those places.

The other issue for Harry is the amount of time it takes him to actually get a gun. “It took me a long time to register and obtain a permit — it was supposed to be less than 30 days but now it takes longer because so many people want guns,” he told me. “And when I actually walk into a store and buy my gun, it used to take just a few minutes to do the background check, but now it takes as long as a week.” Interestingly, there are millions of new gun owners as a result of Biden’s election. And if he were to go to an out-of-state gun show, many of the sellers don’t want to bother selling him anything, since it has to be shipped to a licensed gun dealer in New Jersey.

Harry has spent nearly $9000 over the years on all of his weapons and on a stockpile of more than 15,000 rounds of various ammunition. You might think he is part Doomsday prepper, but he tells me that when he shoots at the range he could easily go through 300 or so rounds, and because he is Jewish, he buys in bulk. (Sorry, just had to put that in there.) He has met plenty of other Jews on the range.

He is also an NRA member, but he doesn’t fully support their political positions. He became a licensed instructor. “I wish they would stick to their training — which is excellent — and did less of their political BS,” he told me. “But not all of us gun owners are planning to revolt against the government either.”

Harry is also a lifelong Democrat, and has never voted for a Republican presidential candidate. But he also decries the left-wingers that populate his party, and thinks they are off base. “I absolutely hate Trump, and can’t stand him as a person or as a candidate. I actually find him nauseating. But many of the press stories are just not true,” he told me.

Yes, we have more guns than people here in the US. And Harry is certainly an example of how that is possible. But you can’t paint every gun owner on the same canvas.

Avast blog: The rise of ransomware-as-a-service

Ransomware continues to be a blight across the landscape and has gotten new life thanks to the pandemic and a growing collection of capabilities that make malware operators more potent. While neither the use of cloud computing (what is somewhat mistakenly called ransomware-as-a-service, or RaaS) nor extortion techniques is new, they are being deployed more often and in more clever and targeted ways than ever before. This has brought a rise in overall ransom attacks and in demanded payouts. One report has average ransom demands increasing by a third since Q3 2019.

In this blog post for Avast, I describe what RaaS is and how it is being exploited by the Darkside crime group.

If you are compromised by Darkside, there is this decryptor tool available. Suggestions (as with other ransomware preparation): ensure your backups are intact and accurate, intensify phishing awareness and education, and lock down your accounts with MFA.

What doesn’t get backed up makes you stronger

I was just finishing off an article that will be posted on the Avast blog in a few days about ransomware-as-a-service. I was typing that one way to minimize the damage from ransomware is to “ensure that your backups are intact and accurate.” This was somewhat ironic, given that disaster struck soon after. And it had to do with the poor quality of my iPhone backup. As if this wasn’t bad enough, next week is the annual World Backup Day. Let’s rewind a bit to set the context.

For the past four or so years, I have been using an iPhone 7. Because I was a cheapskate, I bought the phone with only 32 GB of storage. Over the past several months, as I diligently kept the iOS version updated, I saw that it was having issues finding enough empty space to do the updates. Then last week I got tired of deleting apps or trying to fit my music and photos (the things that take up the most storage) and just said the heck with it and bought a new iPhone 12 and got the 128 GB model, which hopefully will last me a few years. This is my fourth or fifth iPhone (I think I had the 4 before the 7). Activating and moving my data over to the new phone was time consuming but mostly an automated transfer of data, and today I was ready to get down to working with the phone.

Just one problem. I am a big user of the Google Authenticator app to provide additional login security, and when I went to open the app on my new phone, there were no login codes installed. Now, I have about 25 different logins that use this app, and if I didn’t have access to these codes it meant that I couldn’t log in to any of my apps. After I had been resuscitated from seeing that empty Authenticator screen, I was ready to figure out how to get these login authentications back on my phone. One thing that I didn’t want to do was to have to re-enroll each login separately by entering it manually into the app. Fortunately, I still have my old phone, and (after looking around) I found the way to transfer them. I had to do it 10 logins at a time (the Authenticator app produces a nifty QR code that you then use to restore the logins to the new phone), but problem solved. If my phone had been lost or stolen, I think I would still be in the local cardiac care unit.

Even the best backup plans can ignore certain scenarios. Look at the OVH data center that caught fire not too long ago. That brought down quite a few internet sites that never thought they would see something like that happen. And I have had my own brushes with bad backups (or no backups, as the case may be), including a fire in my office building many years ago and a flood in my provider’s basement. Both times things could have been catastrophic, and I did learn my lessons and improve my internal procedures. (Here is a post that I wrote many years ago about my own backup commandments. And for your own amusement, there is always the Tao of Backup.)

But apparently there are still some lessons to be learned. This whole experience with Google Authenticator made me think about what else isn’t being backed up on my new phone. How about all the credit cards that I entered into my Apple wallet? Yup, MIA. A relatively easy one to fix. But still, ensuring your backups are complete isn’t a simple concept, even for a company of one. And there are still lessons to be learned, particularly as we do more computing on our mobiles.

Avast blog: Cybercrime complaints are up, according to the FBI’s IC3

It has been a bonus year for cyber criminals. The FBI’s Internet Crime Complaint Center (IC3) received nearly 800,000 complaints about cybercrime last year, a jump of more than two-thirds over what was seen in 2019. About a third of these complaints are about phishing attacks. The report, produced each year, summarizes data submitted by the general public and businesses through the IC3 website portal. The losses attributable to these complaints were calculated at over $4 billion, the most ever seen in one of these reports.

In my blog post for Avast, I summarize what was reported to the IC3 in the past year and suggest some simple strategies that individuals and businesses can take to prevent these attacks.

Book review: Tell No Lies

An innocent hike starts out this mystery by Allison Brennan, where a woman is unexpectedly killed somewhere in the southern desert near Patagonia, AZ. Soon an entire FBI field team is investigating her apparent murder, and before long we learn to respect this undercover motley group that includes agents posing as bartenders, factory workers, and others brought in to solve the case. What I liked about this novel was the very realistic treatment — or so I imagined — of how the team works together, including a love affair between team members that isn’t entirely kosher. There are lots of bodies as the book progresses, and lots of bruised egos too, some deservedly so. While Patagonia is a real town, the rest of the book is the author’s responsibility, and she pulls it off quite nicely. Highly recommended.

Should every coder become a manager?

Too often in tech I see stellar coders (and other technical types) reach the point where they are offered a job as a manager. Do they take the promotion and get the corresponding raise in pay and responsibility? Or stay put and continue to write code? The choice isn’t an easy one.

My first big promotion came in my mid-30s, when I was working at PC Week. I had made the move to tech journalism from working in various IT departments, and I was given the chance to run about a third of the magazine’s editorial operations. The promotion required a move from LA to Boston. I can tell you the exact date by a photo of a cake that was baked in my honor by the IT department at Coke Foods, which I happened to be visiting that week. The cake was a copy of a typical front page of the publication. (Sorry about the photos, I had no idea that I was taking them for posterity.)

This promotion was exactly right for me — I went on to run other tech pubs (Network Computing, Tom’s Hardware, various EETimes sister websites, and Inside Security) and work with dozens of editors, artists, and other creative types.

But I came across a more typical situation where the promotion brings about more trouble than success. I was listening to this podcast between Avast CISO Jaya Baloo and Troy Hunt. Hunt has run the site Have I Been Pwned for several years, largely out of his own interest in exposing the weaknesses behind data breaches. (Note: I have worked with Baloo and write numerous blog posts for Avast.) He mentions how the site got its start when he was promoted to engineering manager at Pfizer and was miserable, because it took him out of the day-to-day coding challenge. While he was getting more influence within the organization, he was also missing out on the joys of coding and building something significant. His dissatisfaction was a good thing for all of us, because he has done a bang-up job running HIBP, as it is known. (For those of you unfamiliar with hacker lingo, “pwned” is what hackers do when they succeed at compromising your credentials and breaking into your system.)

The podcast covers other topics besides Hunt’s promotion. It is worth listening to because it shows the nuanced approach that Hunt takes to running such an influential site, and how he has to play dodge-the-lawyer when he tries to get confirmation that a breach has actually occurred. Still, this is a reminder that not all promotions are the best direction for our careers. I wish I could send him a cake in appreciation!