Haters gonna hate: fighting Holocaust deniers across social media

A new report from the Anti-Defamation League has reviewed the stated hate speech policies of nine different social media platforms. Unlike other studies, it also tests their responsiveness to user reports of violations of those policies. The ADL is an organization that has been operating for more than 100 years trolling (literally) these waters. They were specifically interested in how social media propagated posts made by Holocaust deniers across their networks. They scored each platform in terms of intentions and how they performed in terms of preventing hate speech on issues such as:

  • Did the platform investigate the report and promptly respond (defined as within 24 hours) to the complaint?
  • Do users of each platform understand why it has made a certain content decision based on its stated policies?
  • Did the platform take any actual action once something was reported?

You can see a part of their report card above. Before I get to the grades given for answering these and other questions, I want to talk about my own personal experience with Holocaust denial. About four years ago, my sister and I went to Poland to see the places where our mom’s family came from. One of our cousins did some genealogy research and found an ancestor who lived in a small town in northeast Poland who was a rabbinical judge back in the 1870s. One of the stops on our trip was to visit Auschwitz, and you can read my thoughts about that day here.

One of the exhibits at the site was about the German engineering firm that designed the mass extermination equipment. For years, the copies of the original drawings used to build this gear were kept from public view by the denier network. But eventually they were sold to someone who flipped from being a denier to someone who realized the legitimacy of these plans, and that’s how we were able to finally see them.

Several years ago I attended a lecture by Jan Grabowski, a history professor from Ottawa. He has done extensive research into Polish Holocaust history, despite the current denier political climate where he and his research associates and colleagues have been threatened and in some cases jailed for their work. Grabowski is affiliated with the Polish Center for Holocaust Research in Warsaw which is attempting to find primary source records to document what happened during those dark times. Add to this a recent survey of millennials that found that 56% of the respondents could not even identify what Auschwitz was about.

From these two personal moments, I realize that we need more evidence-based approaches and to disseminate facts rather than fiction or misdirection. That is where the social networks come into play, because they have become the superhighway of these fictions. Let’s not even glorify them by using the term “alternative facts.”

Let’s return to the report card. Sadly, only Twitter and Twitch acted against the Holocaust denial content reported. No network got any A grades across the ADL’s rubric, to no surprise. Twitch, the gaming social network, scored B’s. Twitter and YouTube got C’s. Facebook and others received grades of D.

Based on its research, the ADL has some recommendations:

  • Tech companies must make changes to their products to prioritize users’ safety over engagement and reduce hateful content on their platforms.
  • All the platforms need to do a better job on transparency. They should provide users with more information on how they make their decisions regarding content moderation. This is especially urgent, given the recent decisions to terminate several high-profile accounts.

You can read others at the link above. My final point: yes, censoring hate speech — whether it is about the Holocaust or whatever — is destructive to our society. Just look at the mob that swarmed across our Capitol earlier this month. The social networks have to decide whether they can step up to the task. And while it bothers me that we have to censor the most dangerous of hate speakers, we do have to recognize their danger.

Avast blog: How to celebrate Data Protection Day

Today is known as “Data Privacy Day” in the US and in other countries around the world, and the theme chosen by the US National Cybersecurity Alliance for this year’s event is about owning your privacy and respecting others. Somehow it seems fitting, given that we have been under lockdown for most of the past year. In my post for Avast’s blog, I talk about some of the ways you can get better at protecting your privacy. But realize that it is a constant struggle, particularly as you can compromise your privacy from so many places in your digital life. The key takeaway to remember is to watch out for your privacy more than once a year.

Avast blog: The story of a video chat flaw uncovered by a teenager

You might have missed the news about a FaceTime bug that was found about a year ago. The bug enabled anyone to start a group FaceTime call with one of your contacts, even if that person didn’t explicitly accept the call. Apple disabled group FaceTime calls for a couple of days until it was able to issue a patch in iOS 12.1.4. Since then, Google security researchers have been busy finding the same bug in other group chat apps including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.

In my blog for Avast, I go into details about this bug, how a teenaged gamer discovered it, and how it was tamed.

Network Solutions blog: how to reduce privilege escalation vulnerabilities

One of the most popular attack methods in IT security starts with posing a simple question: How many places in your IT infrastructure have administrative access? Unfortunately, getting to the bottom of answering this question is anything but simple, but it can be instructive. This is because understanding administrative access is perhaps one of the most important ways to defend your business computing network.

Admin access permissions are the bane of all security managers because they can serve as the golden ticket for hackers to compromise your computers. Once they figure out this privileged access, they can worm their way into your network and create all sorts of havoc. This class of problems is usually labeled privilege escalation. Fixing this will require some careful diligence, including locking down Active Directory permissions, using zero trust methods, and application sandboxes.

You can read my blog for Network Solutions here.

What’s up with WhatsApp privacy (Avast blog)

Last month, I wrote about the evolution of Instant Messaging interoperability. Since posting that article, the users of WhatsApp have fled. The company (which has been a subsidiary of Facebook for several years now) gave its users an ultimatum: accept new business data sharing terms or delete their accounts. For some of its billion global users, this was not received well, especially since some of your data would be shared across all of Facebook’s other operations and products. The change was indicated through a pop-up message that requires users to agree to the changes before February 8. The aftermath was swift: tens of millions of users signed up for either Signal or Telegram within hours of the news.

If you are interested in getting more of the details and my thoughts about whether to stay with WhatsApp or switch to Telegram or Signal, you should take a gander over on the Avast blog and read my post.

WhatsApp pushed off the change until May, which was probably wise. There was a lot of bad information about what private data is and isn’t collected by the app and how it is shared with the Facebook mothership. For example: while the change deals with how individuals interact with businesses, Facebook has and will continue to share a lot of your contact data amongst its many properties. What this whole debacle indicates though is how little most of us that use these IM apps every day really understand about how they work and what they share. My Avast blog tracks down the particular data elements in a handy hyperlinked reference chart.

The problem is that to be useful your IM app needs to know your social graph. But some apps — such as Signal — don’t have to know much more than your friends’ phone numbers. Others — such as Facebook Messenger — want to burrow themselves into your digital life. I found this out a few years ago when I got my data dump from Facebook, and that was when I deleted the standalone smartphone app. I still use Messenger from my web browser, which is a poor compromise I know.

Speaking of downloading data, I requested my data privacy report from WhatsApp and a few days later got access. There are a lot of details about specific items, such as my last known IP address, the type of phone I use, a profile picture, and various privacy settings. This report doesn’t include any copies of your IM message content, and was designed to meet the EU GDPR requirements. I would recommend you request and download your own report.

One of the sources that I found doing the research for my blog post was an article from Consumer Reports that walked me through the process to make WhatsApp more private. You can see the appropriate screen here. Before today, these items were set to “everyone” rather than “my contacts” — there is a third option that turns them off completely. This screen is someplace that I never visited before, despite using WhatsApp for years. It shows you that we have to be vigilant always about our privacy — especially when Facebook is running things — and that there are no simple, single answers.

Never before have we had so many choices when it comes to communicating: IM, PSTN, IP telephony and web conferencing. We have shrunk the globe and made it easier to connect pretty much with anywhere and anyone. But the cost is dear: we have made our data accessible to tech companies to use and abuse as they wish.

Network Solutions blog: why are online containers so often unsecured?

In any given week, security researchers discover caches of data on cloud servers that are completely open to the public, usually containing the most sensitive information about a company’s customers. Leaks were found earlier this summer that revealed data coming from Avon as well as from Ancestry.com. This latter leak wasn’t the first breach for Ancestry — it had an earlier 2017 leak here. The problem is simple to describe and appears — at least at first glance — simple to fix. When you initially set up your online storage, you are asked who has access and what rights are accorded to each user. However, developers have hundreds if not thousands of containers to keep track of, and sometimes they forget to lock all of them down.

In my blog for Network Solutions, I discuss how to find these unsecured containers and how to prevent these leaks from happening.
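The paragraph above describes the mechanism behind these leaks: access is decided at setup time, and with hundreds of buckets a few end up readable by everyone. The following is an added example, not code from the original post or from Network Solutions, showing the check a defender would automate. It walks a bucket inventory and flags two ways a bucket becomes public: a bucket policy whose Allow statement names the wildcard principal, and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy and ACL shapes follow the real S3 GetBucketPolicy/GetBucketAcl formats, but the inventory here is constructed inline so the script runs offline; the bucket names and account IDs are made up.

```python
import json

# Real S3 predefined-group URIs that make an ACL grant world-readable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _principal_is_anyone(principal):
    """True if a policy statement's Principal is the wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def policy_findings(policy_doc):
    """Return findings for Allow statements that grant to everyone."""
    findings = []
    if not policy_doc:
        return findings
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A Condition block may narrow the grant (for example to one VPC endpoint);
        # it is still worth a look, so flag it rather than silently accept it.
        qualifier = " (conditioned)" if stmt.get("Condition") else ""
        findings.append("policy allows %s to everyone%s" % (", ".join(actions), qualifier))
    return findings


def acl_findings(grants):
    """Return findings for ACL grants to a public group."""
    findings = []
    for grant in grants or []:
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), group))
    return findings


def audit_buckets(inventory):
    """Map bucket name -> list of findings; buckets with nothing to report are omitted."""
    report = {}
    for bucket in inventory:
        findings = policy_findings(bucket.get("Policy")) + acl_findings(bucket.get("Grants"))
        if findings:
            report[bucket["Name"]] = findings
    return report


OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}

# Constructed inventory: bucket names, ARNs and account numbers are invented.
SAMPLE_INVENTORY = [
    {"Name": "customer-exports",
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::customer-exports/*"}]}),
     "Grants": [OWNER_GRANT]},
    {"Name": "marketing-site", "Policy": None,
     "Grants": [OWNER_GRANT,
                {"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]},
    {"Name": "partner-share",
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": {
         "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::partner-share", "arn:aws:s3:::partner-share/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000example"}}}}),
     "Grants": [OWNER_GRANT]},
    {"Name": "internal-logs",
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/LogReader"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-logs/*"}]}),
     "Grants": [OWNER_GRANT]},
]

if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a live account, the inventory would come from listing buckets and fetching each one's policy and ACL; the point of keeping the evaluation separate from the fetching is that the same check can be run in a CI job before a bucket is created and again on a schedule afterwards, which is what catches the forgotten ones.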

RSA blog: Paying down your technical security debt

Zulfikar Ramzan mentions in his blog post from last month, “Next year, CISOs will have to grapple with the consequences of the decisions they made (or were forced to make) in 2020. One of their first orders of business will be to ‘un-cut’ the corners they took in the spring to stand up remote work.” Nowhere is this more the case than with dealing with their technical infosec debt, a term coined by Ward Cunningham decades ago.

This is a term that has taken on a greater sense of urgency thanks to the continued pandemic. (See this cartoon for a more humorous illustration.) It is basically a fancy term for taking the easy route, for cutting corners and saving time by not really looking at the longer-term consequences of certain decisions that make your IT infrastructure inherently insecure. It reflects the implied costs of reworking the code in your program due to taking these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

Security trainer and consultant Tanya Janca puts it this way: “Technical debt is a decision. It is a decision to put upgrading, fixing, and improving last. Technical debt is security debt, and you need to make it a personal priority to prevent it.” By choosing the most expedient route, she says IT managers accumulate lots of debt. Examples abound, including “not patching or upgrading endpoints and servers as soon as these are available, using outdated programming and development frameworks or code sources, or being slow to react to specific changes that are needed in your home-grown apps,” she says in her latest book, Alice and Bob Learn Application Security. The focus of the book is on building more secure apps, and technical debt just gets a small mention – but the book (and an accompanying series of online classes available on her website) are an excellent resource for those new to app security.

Technical debt thrives in massive bureaucracies, where buying paper clips require five signatures, or so it seems. If your enterprise makes it difficult for your developers to get the right tools and software frameworks to do their jobs, they will take the easier (and less secure) path. Debt will accumulate if the normal software development cycle is measured in months rather than minutes. Look at the major breaches of the past few years – if the technical debt at Equifax, Uber and Target had “been better understood, then perhaps it could have been appropriately managed and brand reputation could have been maintained and financial losses avoided,” said Jane Frankland, a security executive writing in 2019.

Granted, the pandemic has forced the hand of many IT organizations that can barely keep the wheels turning, let alone have more longer-term plans to keep things as secure as possible. Which comes back to Ramzan’s post.

If you want to pay down your technical debt, here are some suggestions to get started. First, examine your collaboration between your development and security teams. The more they can share best practices, the more secure your apps will become. Second, try to avoid making lots of last-minute changes to your apps, but try to consider security before a single line of code is written. One way to be more deliberate is to have a set of test suites to root out any bugs or missteps. Look at your security issues holistically, not sequentially, as Frankland suggests. (She has lots of other suggestions on her blog too at the link above.) Create a solid code documentation culture, which avoids making quick and dirty development decisions without considering the security implications. Finally, Cunningham himself had these words of wisdom: “Don’t let the debt build up. Everyone knows the list will never be addressed. Remove cruft as you go. Build simplicity and clarity in from the beginning.”

Janca writes in her book, “When organizations spend most of their time just trying to keep the lights on, constantly fighting fires, technical debt will most certainly result in security problems as well.”

CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.


Avast blog: The rise and fall of Parler

In the past week, we have seen the takedown of a social network by its largest technology partners. I refer to Parler, of course. The events weren’t entirely a surprise, but their velocity and totality were unusual. First, Apple and Google removed the Parler apps from the iTunes and Play stores. Then, its hosting partner, Amazon, shut down its servers on Amazon Web Services. I wrote about the issues surrounding the Parler takedown for Avast here, examining its surge in popularity and its takedown, and whether this constitutes censorship.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.