Avast blog: New deepfake video effort discovered

Since I wrote about the creation and weaponization of deepfake videos back in October 2020, the situation has worsened. Earlier this month, several European mayors received video calls from Vitali Klitschko, the mayor of Kyiv. These calls turned out to be impersonations (can you tell which image above is real and which isn’t?), generated by tricksters. The mayor of Berlin, Franziska Giffey, was one such recipient and told reporters that the person on these calls looked and sounded like Klitschko, but he wasn’t an actual participant. When Berlin authorities checked with their ambassador, they were told Klitschko wasn’t calling her. Fake calls to other mayors around Europe have since been found by reporters.

Were these calls deepfakes? Hard to say for sure. I cover the issues and update you on the advances, if you can call them that, about deepfake tech for my Avast blog today.


FIR B2B podcast #157: Why the end of third-party cookies is a bigger deal than you think

Profile photo of Chris MattyPaul and I spoke to Chris Matty, the co-founder and Chief Revenue Officer at Versium, Inc. His company is developing better B2B ad tracking technologies that will ultimately be used when the third-party web cookie finally bites the dust next year.

As with so many online technologies, replacing cookies might require a lot of work from advertisers and web publishers. This is because Google, Facebook, Apple and Amazon all have a vested interest in keeping customers within their “walled gardens” and not necessarily sharing their tracking data with others. The great cookie demise will bring about a series of consequences, some intended and some unintended.

For example, there will be an initial rush for advertisers to make use of first-party data (meaning data that they have collected over the years themselves) until they realize that this data is outdated or inaccurate and can’t really provide the sufficient quality or insights or a path towards eventual purchases that the old cookies had. There will also be an adjustment as advertisers realize that reaching B2B customers is a lot more difficult than reaching consumers because many business customers don’t necessarily identify themselves as such — think of all the LinkedIn accounts that carry Gmail addresses as an example.

The work-from-home movement has increased the complexity of the tracking business customers now have different IP addresses or are hidden behind VPNs, so all that geofencing and IP tracking data is out the window! Versium is attempting to resolve these issues by aggregating anonymous data from a variety of sources to profile website visitors without compromising their privacy. Resolving identity means collecting and matching deterministic data that allows a marketer to reach or contact a specific person, such as email, phone numbers, addresses and device IDs. For example, think of trying to ensure you have identified the same person when sometimes they call themselves Bob Smith, sometimes Robert Smith, and in other cases they show up as @rsmith. Versium believes that’s possible in many cases using independent, opt-in sources.

The company is working with a variety of independent publishers and advertisers to consolidate data assets to allow independent publishers and site owners to better compete with the internet giants. The goal is to achieve personalization with privacy protection.

Chris has written extensively on this topic here. “Companies that deploy identity resolution solutions to optimize and leverage data can take back the control they had once ceded to third-party cookies,” he asserts.

You can listen to our 16 min. interview with Chris here.

Avast blog: RSocks criminal botnet taken down

Last week, the US Department of Justice announced the takedown of Russian IoT botnet and proxy service for hire RSocks. Working with various European law enforcement agencies, the FBI used undercover purchases of the site’s services to map out its infrastructure and operations. RSocks compromised its victims by brute forcing attacks on various IoT devices as well as smartphones and computers.

You can read my latest Avast blog post about RSocks here.

Network World: How to reduce cloud costs

The more workloads that you migrate to the cloud, the more difficult it becomes to predict monthly cloud costs. While it is great that you’re only paying for the services you need, trying to parse your monthly bill requires the skills of a CPA, a software engineer, a commodities trader and a sharp eye for the details. There are numerous helpful tools and services to help, and also several reasons to consider using them. You might be in the market to switch to a new provider in order to add features or because you aren’t happy with your provider’s downtime or level of customer support.

You can read my post for Network World here, where I provide details on more than a dozen different offerings. (Cloudorado is shown above.)

Avast blog: the evolution of self-sovereign data and Web 3.0 identity solutions

Earlier this month, Drummond Reed was one of the panelists at CoinDesk’s 2022 Consensus conference discussing “The Promise of Self-Sovereign Data and Web 3.0 Identity Solutions: Real or Mirage?” Reed, who heads Digital Trust Services for Avast, spoke about the evolution of these solutions and — like his fellow panelists — tried to frame Web 3.0 in terms of this perspective.

The session was moderated by Joe Cutler from Perkins Coie; other panelists included Richard Widmann, a strategy lead for Google Cloud; Tobias Batton, CEO of ExPopulus; and Lisa Seacat DeLuca, who is Director of Product and Engineering for Unstoppable Domains. They spoke about the evolution of Web 3.0 tech, what will tip it towards more general acceptance, and the role played by identities in the world of the blockchain.

You can read my reporting about this conference session in my latest blog for Avast here.

Avast blog: How the US government deals with zero-days

While withholding a zero-day’s existence can provide some government advantage, it can potentially harm the rest of us and break many elements of the global internet if vulnerabilities aren’t disclosed and patched.

By now, you probably know what a zero-day vulnerability is: In simple terms, it’s the discovery Lindsey Polley, PhDof software and hardware coding errors that can be exploited by attackers. Some of these errors are found by government researchers, intentionally looking for ways into foreign agency networks to spy on their enemies. Sometimes, our governments and even some private companies keep deliberately mum about these vulnerabilities for many years.

I had an opportunity to interview Lindsey Polley and how she is trying to improve our government’s response to managing its zero-days for my Avast blog.

Online collaboration still ain’t easy

I have been writing about the challenges of online collaboration for years (here is a piece I wrote about synchronizing online calendars for the NY Times back in 2009)., and here is a link to my review of personal cloud storage that I recently did for CNN) When it comes to working on the same document (or spreadsheet or slide deck), it sadly still isn’t easy. Sure, there are tons of tools, including cloud storage vendors (like Dropbox, Google Workspace and Microsoft’s basketful of deplorable apps), team messaging apps (like Slack and Teams), and various other SaaS apps that claim to be collaboration forward but are still back in the dark ages.

Document Collaboration Tools - Document Management System FolderitWhat is wrong? All of this technology comes down to a bad marriage between the personal and sharing mindsets. And while the tools supposedly get more sophisticated, they still have fundamental and foundational issues, like these:

Our first problem is the personal computer is inherently personal. Back in the 1980s when we each had a huge 4 MHz CPU sitting on our desktops, we could run whatever apps we wished out of a tiny floppy disk. We didn’t share nothing with nobody. There was no internet, no SaaS stuff, no web browser. There weren’t even any graphic interfaces. Life was simple, and it was good, or so we thought. But now we have all this power: multiple CPU/GPU cores to run all sorts of complex stuff, gigabit speeds coursing through our home offices. But we still tend to think about the document that is sitting on our screen as our own proprietary property.

This background hasn’t made sharing easy. For a project that I am working on for a client, they set me up on their internal email system because they were using GDocs/Workspace. If you aren’t part of the domain, GDocs goes through some trouble and getting you in synch is painful. Much easier to just create a new email on their domain and share that way. Something is wrong with this picture.

Microsoft isn’t much better. They have almost as many varieties of sharing tech as Heinz has ingredients in their condiments. You have a Sharepoint drive, which isn’t the same thing as the Teams shared drive which differs from One Drive which isn’t the same One Drive on the E6 Enterprise license of Office 365, and oh by the way login.microsoft.com presents a different dialog from all of the above and is needed to manage all your various identities and sharing permissions.

Underlying all this tech are two basic ways to share stuff: either by URL (or by email, which embeds a URL in the message body), or by working with user identities, which also makes use of email addresses. Sometimes one method works better than the other. The ideal collaboration tool allows for setting basic access rights (view or edit your content), and sometimes these work, sometimes these are assigned to someone’s personal Gmail address when it should have been assigned to the common work domain address. Maybe this was an issue back in 2009, but it is still an issue today.

The sharing routines are broken because you have multiple paths and devices and apps to get you to your content. You can use a desktop or mobile app, a cloud app, a plain-Jane browser session. If you don’t have a desktop license to the word processor or presentation app, you have to bring up the browser and hope that you can run the app inside your browser — for those corporate-managed Windows machines that are under app lockdown, you might have to go through some hoops to get the right collection of permissions.

Plus doing this in near-real-time can be an issue if you are spread across a bunch of time zones around the planet and keeping track of what was done on a previous edit. This happened to me recently as one of my editors is in Europe while another is in California.

Sometimes I just give up and email someone the Word doc we are working on and just call it a day. That is absolutely the worst way to collaborate, bouncing bits back and forth across the internet. I hope it doesn’t take another decade to fix the collaboration problem.

Apple’s new privacy push

Have you seen this new TV spot from Apple called “Data Auction”? It is really bugging me. I must have seen it about 50 times on various streaming services. While it does a great job of showing how your personal information is being traded by data brokers, it takes tremendous license with its visual elements and how its iOS operating system actually works.

Apple has been improving its privacy protection over the past several years, so I give them some props for trying. But unless you are determined and really patient, fixing your phone (or other fruit-filled device) up the way you’d like it to preserve your privacy isn’t simple, and chances are you’ll probably get it wrong on the first try.

Apple’s commercial touts new features that they have added to iOS over the past couple of years: the ability to prevent third-party apps and advertisers from tracking your movements, including across your app portfolio, browsing and through using its Mail app. They both can eventually be found in the Settings/Privacy/Tracking screens. As we watch our hapless actor “Ellie” wander into her data auction, she fortunately has her iPhone at hand and is able to zap the auction audience into smoke with the press of A Single Button. Too bad that isn’t the actual iOS interface, which has a very confusingly labeled slider “Allow Apps to Request to Track” that should be off if you want to do the same thing (data oblivion). There is another button that Ellie used to rid her emails of trackers.

Okay, it is a very effective commercial. And I am glad that Apple has taken this approach to help users’ privacy. But why not use the actual UI? And better yet, why not hide it three menus deep where few can find it?

Apple has some interesting developments for iOS 16 that will be out later this fall, including one called “Safety Check” that Elllie will really love, especially if she has an abusive partner or a cyber stalker. Maybe if they use the same actor we can get a more faithful representation of what real users will have to do.

Have you hired a North Korean full stack developer?

Chances are unlikely. But what is really scary is that it could have already happened, and you just didn’t realize it. A report from various US federal agencies was published a few weeks ago, offering guidance on IT workers who are trying to get a job in your company while posing as non-North Koreans. You probably already know that the country has trained thousands of workers in various IT disciplines to generate revenue for the government. In the past, these efforts have mostly involved developing malware (such as this notice from CISA about targeting blockchain companies) and launching ransomware attacks. But lately they have turned to a new ploy: creating credible resumes for job seeking candidates that will get hired and help to launch attacks from within the company. Thanks to the pandemic and an increase in remote work, this has become a real risk.

While many of the candidates were immediately found lacking (one hiring manager said it was obvious they didn’t have the right knowledge or skills), still this notice gives me pause. It is the ultimate supply chain attack, because it is aimed at the growing shortage of full-stack and other agile developers. The feds report that thousands of them are taking on IT contracts all over the world, with many of them in North Korea, Russia and China. At salaries of US$300,000 or more, that can generate a lot of income for North Korea — the individual IT workers of course see little of those funds. The candidates possess remarkable skills in a wide variety of disciplines, such as mobile app development, AI-related apps, and database development.

Of course, if one of these phonies is actually hired, their firm can face all sorts of legal and financial penalties, given the numerous sanctions that have been created to prevent any kind of trade with North Korea. In many cases, firms downplay this threat, thinking that North Korean IT workers aren’t that sophisticated. The government report disagrees and sounds a clear warning.

The report has numerous ways you can tell you are dealing with a bad actor, and I use the term both literally and in the cyber sense. For example, the candidates have too-good-to-be-true reviews on the hiring websites, and the reviews collected in a very short time period. Their “extensive” knowledge doesn’t hold up under questioning (of course, this means you have to be prepared to vet them carefully with the right questions) and have long latencies in their video conferencing calls that don’t match their stated location — many candidates will claim a US college or technical degree and US residency. Just considering three of North Korea’s top schools, more than 30,000 students are currently studying various IT topics, and there are now more than 85 programs in 30 schools offering various STEM curricula.

North Korean “IT workers may share access to virtual infrastructure, facilitate sales of data stolen by North Korean cyber actors, or assist with their country’s money laundering and virtual currency transfers,” says the report. They hide their true identity behind third-party shell companies, or play the role of a subcontractor to a legitimate company. They are proficient in English and Chinese, although not as proficient if you know what to listen for to ferret out their accents. They make use of forged or stolen identity documents, using the names of actual employees and email addresses that appear to be from a Western business domain. They construct phony portfolio websites that don’t usually stand up to scrutiny. The trick is to provide the actual scrutiny during the interview process.

The report lists other “tells” and red flag warnings, such as using a non-standard remote desktop software tool or a low proportion of accepted bids on projects or referencing non-functioning websites. Of course, if someone were to vet my previously published work, you would find some similarities to the numerous dead B2B IT websites that I wrote for in the 1990s, but let’s not go there for now.

DPRK-Vertical-PosterTo mitigate and properly vet these phonies, the report authors suggest that all identity documents be carefully scrutinized and verified independently, and any low-res versions rejected. Video interviews showing the candidate should be conducted carefully, and the candidates also questioned carefully. Employers should conduct background checks, verify education directly with the college and avoid making any virtual currency payments and verify banking accounts. The DoJ has its “rewards for justice website” (shown above) where you can submit a tip and perhaps claim a substantial reward.

Avast blog: Key takeaways from Verizon’s 2022 DBIR

It’s time for the annual Verizon Data Breach Investigation Report (DBIR), a compendium of cybersecurity and malware trends that offers some of the best analyses in our field. It examines more than 5,000 data breaches collected from 80 partners from around the world. This year’s DBIR offers practical advice on improving your security posture and tips for making yourself much less of a target. From the SolarWinds attack to the growth in ransomware, there is a lot to discuss.

As shown above, we’re patching more and we’re patching faster. And we are generally getting better at detecting attacks in a timely manner. You can read more in my latest blog for Avast here.