Avast blog: It’s time to consider getting a Covid-19 vaccine passport for travel

As the number of people getting vaccinated against Covid-19 rises, it’s time to review the ways that people can prove they have been inoculated when they want to cross international borders. These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

In my blog for Avast, I talk about how these passports (such as CommonPass, the open source one shown above) could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges.


Kaspersky blog: Despite all the cool tools, tech collaboration is still missing something

Since the pandemic began, organizations have been working hard on how they collaborate. But something’s still missing, and it’s to do with people. Looking at successful tech and creative collaborations of the past, common trends emerge. Any organization can use these to kickstart better collaboration within and between their teams. I highlight a few of these classic great situations, including the effort to produce new Covid vaccines, how the Unabomber was found by the FBI, the Bletchley Park code-breakers, and others for my latest blog post for Kaspersky. 

Where is your phone central office?

I have written before about my love affair with telephone central offices. This past week, we all now know where Nashville’s CO is located, and we mourn for the people of that city. Nashville is a city that I have been to numerous times, for fun and for business. Little did I realize as I walked among the honky tonk bars and restaurants on Second Street that I was passing by its main CO, which offers a wide range of communication services.

As with the CO that was buried by the collapse of the World Trade Center back in 2001, there was a lot of water damage from the firefighting, and the Nashville repairs were further hampered by having to work around the crime scene investigators. Still, within a few days AT&T was able to get various services back up and running, including 911 and airport communications, along with wired and cellular services. The company deployed a series of portable cell towers around the region. The lines that went through this CO connected not just Nashville but areas in adjoining states.

This is the conundrum of the CO: in the early days of telephony, they had to be located in densely populated areas, because stringing copper lines from each termination point cost money. To shorten the lines, they had to put them near the people and businesses that they were connecting. This means that you can’t easily protect them with physical barricades a la Fort Knox (or other government buildings). Plus, there are more than 20,000 COs in the US by some estimates. That is a lot of real estate to protect or potentially relocate.

COs are also relatively easy to find, even though many of them are located in nondescript buildings in major urban areas. My own CO sits, like Nashville’s, across from a similar collection of restaurants and commercial businesses. There are websites lovingly constructed by other fans of telecom, such as this one or this one, that show photos of the actual buildings (although you will have to work a bit to find their street addresses). In my blog post from 2018, I posted pictures of several COs that I have been to, including one on Long Island where I brought my high school networking class on a field trip back in 2001.

Whether or not the bomber was intentionally targeting AT&T’s CO, one thing is pretty clear to me: these COs are the weak points in any terror campaign. I don’t have any real solutions to offer up here, just an aching spot in my heart for the men and women that have built them and keep them running.

N.B. This is the last day of a horrible year, a year punctuated with my own personal health story that had nothing to do with Covid. I want to send out a note of thanks to all of you that took the time to send me your support, and hope that you found your own support team to help you along as well. Here is my wish that 2021 will be better for all of us, and that we can support and care for each other to make it so.

Red Cross blog: Dennis Grooms, retired no more!

You might think that a freak accident, a 70-foot fall while trying to trim one of his trees, would be enough of an incentive to retire, but then you probably don’t know Dennis Grooms. Fortunately, Grooms managed to survive his 2009 fall. But in the process he broke both legs, suffered other injuries, came out of a multi-day coma and chalked up a three-month stay in the hospital. The fall did have one benefit: in his retirement, he was able to step up his volunteer efforts at various disaster deployments, both for the American Red Cross and other relief agencies.

I wrote more about his experience with ARC and how he is anything but retired.


Who benefits most from Facebook: the right or the left?

What I will take away from 2020 — apart from the worldwide pandemic and my own health issues that had nothing to do with it — is how Facebook solidified its position as the primary incubator for hate groups. And despite repeated attempts to try to prove otherwise, it continues to fan the flames of hate from both sides of the political spectrum. Instead of helping free speech, it is poisoning the world with its memes and encouraging like-minded people to join in its toxic spew.
This piece by Adrienne LaFrance in the Atlantic goes further, saying that Facebook has become the embodiment of the “doomsday machine,” first made popular during the Cold War and the central plot device of Dr. Strangelove, a movie we should rewatch in this new context. “Facebook does not exist to seek truth and report it, or to improve civic health, or to hold the powerful to account,” she says. “It has the power to flip a switch and change what billions of people see online. No single machine should be able to control so many people.”
Does Facebook cater more towards the left or the right of the political spectrum? Earlier this month, we were treated (if you’ll forgive me) to both Zuck and Jack Dorsey being grilled by the Senate Judiciary Committee. (Here is the coverage by the NY Times.) Half of the questions asked by the Republican Senators were about censoring conservative voices and which political parties their staffs supported. “Facebook and Twitter have maintained that political affiliation has no bearing on how they enforce their content moderation rules,” said the Times. I would agree: they support hate from both sides of the political spectrum.
If you examine Kevin Roose’s daily Top 10 list of Facebook posts (which he publishes on Twitter), you can see that before the election these lists were dominated almost completely by right-wing groups. More recently the split has been more even, but there are still days when only a couple of the top 10 come from moderate or lefty outlets. This article from October documents how Facebook routinely sets rules for content moderation, then breaks them in favor of right-wing viewpoints. The result is outsized reach and engagement that eclipse more centrist or left-leaning points of view.
Going back to the summer of 2019 when there was that White House right-wing blogger summit, we saw a marked spike in their support as documented by the Washington Post.
But this issue is getting to be old news. Just this past week, Facebook put up this web page, accompanied by full-page newspaper ads claiming that it is on the side of small businesses. It is going after Apple’s plan to require iOS apps to ask permission before tracking users across other companies’ apps and websites, which would make your mobile activities more private. Apple has proposed a pop-up prompt that appears before an app can track you, shown in this mockup. One analysis of the conflict says it illustrates Apple’s and Facebook’s different approaches to privacy and whether end users or advertisers will foot the ultimate bill. Regardless, the irony and shamelessness on display from both companies is too much.
I usually come to this point in my posts where I offer some suggestions. Sadly, while our Congress continues to ask the wrong questions, there are no easy ways out of this. And even though we have destroyed many of our nuclear warheads, with the billions of us fueling social media’s every moment, there are far too many silos that are distributed across the planet, ready to launch their hateful rhetoric at the push of a button.

Avast blog: The dangers of Adrozek adware

Microsoft has found that various browsers are being targeted with ad-injection malware called Adrozek. At the attack’s peak in August, the malware was observed on more than 30,000 devices every day, according to the researchers. The adware, as it is called, injects bogus ads into search results pages so that clicks earn the operators affiliate revenue, and on some browsers it also steals stored credentials.

You can read my analysis of the malware and what you can do to prevent it in my latest blog post for Avast here.

Network Solutions blog: The Best IT Certifications to Maximize Your Personal ROI

As teaching methods advance, and especially during the pandemic, online learning is starting to approach the physical classroom experience, and it’s great for conceptual learning. A good online learning experience should include not only content but also practice drills, real-world case studies, and a social component to make learning more effective. I cover some of the things to look for in selecting the right professional IT certifications to increase your potential value to your company.

You can read my blog for Network Solutions here for more about this topic.

Instant Messaging interoperability is still a big ask

Back in 2006, I wrote various articles about the interoperability of instant messaging (IM) among various proprietary systems. Back then, we had the likes of AOL IM, Skype (before being acquired and perverted by Microsoft), Google Talk (before being perverted by Google into Hangouts) and Apple’s iChat (before being perverted into iMessage). This was before WhatsApp and the various Chinese products, which are now the default IM and telecom tools used by millions, had even been created.

Back then, the major messaging tool was SMS. But in the US, it was only after 2000 that the various cellular providers could exchange messages across each other’s networks. Fortunately, the EU had led the way in figuring out that their systems had to talk to each other, largely thanks to a single cellular standard (GSM) that was then adopted around the world.

Today we have the beginnings of a new interoperability effort, once again being pushed by the EU’s digital regulators. This time it comes under a new series of laws, one of them called the Digital Services Act. The idea is to force the various IM vendors into playing nice with each other. While the proposed EU regulations haven’t yet been finalized, the regulators are concerned about the concentration of power and market share in Facebook’s hands.

If the EU is going to solve IM interop, they will need to look at various dimensions, as I first defined them back in 2006:

  • Text messaging, of course, among the various IM networks (as well as among the SMS networks too) — both in 1-to-1 and among various groups,
  • File transfer, the ability to move digital files, such as documents and photos, from one IM network to another,
  • Multi-party video and audio conferencing, with participants connecting to different IM networks,
  • Audio chats, similar to regular one-to-one phone calls, and
  • Chat, messaging and voice mail recording features too.

Granted, that is a big ask. But if we are going for interop, we might as well stake out the territory.

Most of the products that I mentioned back in 2006 have changed significantly as I hinted at in my introduction. They were designed in an era when interop wasn’t even thought of as a possibility. The sad reality is that it still isn’t.

As I said, the genesis of today’s IM interop push is simple: Facebook now owns everything, and it is time to make a more level playing field. What the capital markets couldn’t accomplish, government will now attempt. Does anyone think this is going to work? But don’t despair; let’s look at what is happening with Microsoft. Its Teams product has begun to move in the right direction by working on ways to interoperate with Webex video conferencing equipment. This is because Teams is playing catch-up with Webex and needs to gain market share. Teams is also competing with IP telephony, but let’s put that aside for another blog post.

There are other ways around IM interop, and one of them (attempted back in the early 2000s) was the multi-lingual IM client that speaks several networks’ protocols at once. Two that are still around are:

  • Adium, which supports AOL IM, Twitter, and Google Talk and has some basic support for WhatsApp and Telegram, and
  • Trillian, which requires a separate server to provide the connections among services.

They are still around largely because they have a dedicated crew of volunteer programmers willing to keep them current. Most of the other multi-lingual commercial products have gone by the wayside. Again, will EU regulations help, hinder, or have no effect on this market? It will be interesting to watch these developments.

RSA blog: Securing chaos: How Security Chaos Engineering tools can improve design and response

A large portion of security professionals think that their job is to prevent bad actors from gaining access to trusted resources. Yes, in isolation that is a true statement. But the implications of that position hide what is really supposed to happen. Instead, it is the job of infosec pros to ensure only appropriate actors can access trusted resources. One way this is accomplished is through what is called Security Chaos Engineering, which tests security resilience before some attack happens. It is an evolution of the pioneering work that was first done at Netflix many years ago. Now there are a number of similar products and related practitioners in this field.

The concept is simple to explain, but exceedingly hard to implement. One reason this engineering mindset is needed has to do with the way breaches are understood by corporate workers. Too often we don’t think about our IT infrastructure holistically, and when a breach happens we try to just plug the hole and move on. How many post-breach memos have you read where the author says, “we are taking steps to ensure this never happens again”? Technically, they are right: the next breach will happen somewhere else in the network, through some other “hole.” Another reason is that the average software stack has gotten so complex and distributed that it’s hard to comprehend and defend. It isn’t a matter of if you will have a breach, but when and how, and which part of your systems will be compromised.

Adopting chaos engineering means that you look for potential points of failure across all of your IT systems. Part of this should be inherent in any lifecycle governance of your systems. But part is also being clever about how you test your systems. If you think you have this covered with penetration testing, you need to think again. The usual pen test engagement is a single moment in time when a SWAT team inhabits a conference room (perhaps now they do this virtually) and tries their mettle against your security defenses. Chaos engineering is a continuous practice, whereby your team is continuously testing your systems and software. Sadly, the old methods don’t work anymore. For example, just because you bought a firewall several years ago and have spent time defining a rule set doesn’t mean these rules are relevant or effective today. Your systems might be completely different and no longer protected. And these days, with rising cases of ransomware and data exfiltration, you want to catch these attacks before they do real damage.

Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool they called Chaos Monkey. It was designed to test the company’s Amazon Web Services infrastructure by constantly – and randomly – shutting down production instances. This always-on quality is important, because no single event will do enough damage or provide enough insight to harden your systems or find the weakest points in your infrastructure. Now that we live in the era of complex security events that combine multiple malware techniques as part of a coordinated campaign, we need to design and test for more sophisticated and longer-lasting attacks. We need better tools, and that is where Security Chaos Engineering can help. In addition to the open source tools that came from Netflix, there are commercial products such as Verodin/Mandiant’s Security Validation, SafeBreach’s Breach and Attack Simulation, and AttackIQ’s Security Optimization Platform, just to name a few.

Customers who have used these tools suggest the following best practices:

  • Have an action plan: don’t change more than one variable at a time
  • Define the rules of engagement (including the scaling up of your systems) so you maintain control when things go south
  • Know your “blast radius” and the disruptive implications of your tests
  • Use a tool that integrates with your SIEM logs (for example, SafeBreach can work with RSA’s NetWitness Platform)

This last item bears further explanation. A telling SIEM log entry can easily be overlooked, especially if you are hunting for a single record in a massive dataset. Security Chaos Engineering tools generate a known, controlled event and then check whether that entry shows up and whether anyone is alerted, advising you about the implications – tightening an overly permissive access-role policy, for example.
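To make the practice concrete, here is an added example (not code from RSA, Netflix or any of the vendors named above) of the smallest security chaos experiment that follows the best practices listed: it checks a steady-state hypothesis, injects exactly one controlled misconfiguration on one host (the blast radius), checks whether the detection logic actually fires on the audit-log entry that change produces, and rolls back. The fleet, host names, rule names and the "SIEM" log lines are all constructed in memory; in a real run the inject step would call a cloud API and the detect step would query your SIEM.

```python
"""Minimal security chaos experiment (constructed, in-memory simulation):
steady state -> inject one bounded fault -> verify detection -> roll back."""
import copy
import json
import random
from dataclasses import dataclass, field

# Constructed fleet state: ingress firewall rules per host (hypothetical names).
FLEET = {
    "web-01": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}],
    "web-02": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}],
    "db-01":  [{"port": 5432, "cidr": "10.0.1.0/24"}],
}


@dataclass
class Experiment:
    fleet: dict
    blast_radius: int = 1                       # max hosts we may touch
    siem_log: list = field(default_factory=list)
    touched: list = field(default_factory=list)
    _snapshot: dict = field(default_factory=dict)

    def steady_state(self) -> bool:
        """Hypothesis: no host exposes SSH (22) to the whole Internet."""
        return not any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0"
                       for rules in self.fleet.values() for r in rules)

    def inject(self, rng: random.Random) -> None:
        """Open SSH to the world on ONE randomly chosen host, recording the
        change the way a cloud audit trail would (constructed event shape)."""
        if len(self.touched) >= self.blast_radius:
            raise RuntimeError("blast radius exhausted")
        self._snapshot = copy.deepcopy(self.fleet)   # needed for rollback
        host = rng.choice(sorted(self.fleet))
        self.touched.append(host)
        self.fleet[host].append({"port": 22, "cidr": "0.0.0.0/0"})
        self.siem_log.append(json.dumps({
            "event": "AuthorizeSecurityGroupIngress", "host": host,
            "port": 22, "cidr": "0.0.0.0/0", "actor": "chaos-runner"}))

    def rollback(self) -> None:
        """Restore the pre-experiment rule set."""
        self.fleet.clear()
        self.fleet.update(self._snapshot)


def detect_open_ssh(log_lines, watched_ports=(22,)) -> list:
    """Detection rule as a SIEM would run it: flag ingress changes that open a
    watched port to 0.0.0.0/0. Returns the matching events (non-JSON lines are skipped)."""
    hits = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if (ev.get("event") == "AuthorizeSecurityGroupIngress"
                and ev.get("cidr") == "0.0.0.0/0"
                and ev.get("port") in watched_ports):
            hits.append(ev)
    return hits


def run_experiment(fleet, watched_ports=(22,), seed=0) -> dict:
    """One experiment cycle. Works on a copy so the caller's fleet is untouched.
    Refuses to inject if the system is not in its steady state to begin with."""
    exp = Experiment(copy.deepcopy(fleet))
    result = {"steady_before": exp.steady_state()}
    if not result["steady_before"]:
        result["detected"] = None       # don't experiment on an already-broken system
        return result
    exp.inject(random.Random(seed))     # seeded so the run is reproducible
    result["touched"] = list(exp.touched)
    result["detected"] = bool(detect_open_ssh(exp.siem_log, watched_ports))
    exp.rollback()
    result["steady_after"] = exp.steady_state()
    return result


if __name__ == "__main__":
    print(run_experiment(FLEET))                          # detection fires
    print(run_experiment(FLEET, watched_ports=(3389,)))   # detection gap: rule too narrow
```

The second run is the interesting one: the misconfiguration is injected and rolled back cleanly, but the detection rule only watches RDP, so the experiment reports `detected: False`. That is exactly the "overlooked SIEM entry" the paragraph above describes, surfaced before a real attacker finds the gap.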

If you haven’t yet examined any of these chaos engineering tools – both for general systems analysis and for security-related issues – now might be the time to take a closer look. It is time for every security team to change their mindset from patching as a result of a security event to becoming more proactive in anticipating future attacks.

RSA blog: Time to give thanks and review our predictions

It is a bit risky writing about the year’s trends and predictions this time around. Certainly, the Covid pandemic has dominated our lives during the past year and thrown many of our predictions out the window. But re-reading my RSA blog post from a year ago, there are still these two themes which are very much at the forefront.

  • Better authentication. In the past year, we saw Apple wholeheartedly embrace FIDO, along with new implementations that extend its features to web-based authentication. Both will go a long way towards getting this standard adopted. Support for multi-factor authentication continues to improve too, although it is still far from universal: only 10% of enterprise users use any form of multi-factor authentication for any of their application logins. Given the popularity of smartphones, installing an authentication app on your phone is the easiest form of protection you can get. But wait, there is more bad news: less than 20% of companies in most industries are protected with email authentication tools such as DMARC and SPF. Sadly, most state and local government domains remain unprotected by these technologies.
  • Ransomware continues to rise. Various reports (such as this one) show a rise in the number and severity of these attacks, with new exploits and variants being seen every week. Some attacks now target the training data behind machine learning models, so that the models report bad results and poison automated security tooling.
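"Protected with DMARC and SPF" means more than having a TXT record: an SPF record ending in `+all`, two SPF records, or a DMARC policy of `p=none` (or `pct` below 100) leaves the domain spoofable. The checker below, an added example that is not part of the RSA post, classifies a domain from its SPF and DMARC records. The domains and TXT answers are constructed; `lookup` is a plain function so you can swap in a real DNS resolver to check live domains.

```python
"""Classify whether a domain's SPF and DMARC records actually enforce anything.
All domains and TXT records below are constructed for the example."""
import re

SAMPLE_TXT = {
    "example-bank.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.example-bank.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-bank.com"],
    "example-city.gov": ["v=spf1 include:_spf.mailer.example ~all"],
    # no _dmarc.example-city.gov record at all: the common unprotected case
    "example-shop.com": ["v=spf1 +all"],
    "_dmarc.example-shop.com": ["v=DMARC1; p=none; rua=mailto:reports@example-shop.com"],
    "example-corp.com": ["v=spf1 -all", "v=spf1 include:other.example -all"],   # two SPF records
    "_dmarc.example-corp.com": ["v=DMARC1; p=quarantine; pct=10"],
}


def sample_lookup(name: str) -> list:
    """Stand-in for a DNS TXT query against the constructed data above."""
    return SAMPLE_TXT.get(name, [])


def parse_spf(records: list):
    """Return the 'all' term of the domain's single SPF record, e.g. '-all'.
    None if there are zero or multiple SPF records (both are PermError under
    RFC 7208); '?all' if the record has no 'all' term (implicit neutral)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0].lower())
    if not m:
        return "?all"
    return (m.group(1) or "+") + "all"       # default qualifier is '+'


def parse_dmarc(records: list):
    """Parse a DMARC record's tag=value list into a dict; None if absent or duplicated."""
    dm = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dm) != 1:
        return None
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_domain(domain: str, lookup=sample_lookup) -> dict:
    """A domain counts as protected only if SPF fails/softfails unknown senders
    AND DMARC enforces quarantine/reject on 100% of mail."""
    spf_all = parse_spf(lookup(domain))
    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    policy = dmarc.get("p", "").lower() if dmarc else None
    try:
        pct = int(dmarc.get("pct", "100")) if dmarc else 0
    except ValueError:
        pct = 0
    spf_ok = spf_all in ("-all", "~all")
    dmarc_enforcing = policy in ("quarantine", "reject") and pct == 100
    return {
        "domain": domain,
        "spf_all": spf_all,
        "dmarc_policy": policy,
        "dmarc_pct": pct,
        "protected": spf_ok and dmarc_enforcing,
    }


if __name__ == "__main__":
    for d in ("example-bank.com", "example-city.gov", "example-shop.com", "example-corp.com"):
        print(assess_domain(d))
```

Only example-bank.com comes out as protected. example-city.gov has a reasonable SPF record but no DMARC record at all, so a receiver has no instruction to reject spoofed mail; example-shop.com publishes both records but `+all` and `p=none` enforce nothing; example-corp.com's duplicate SPF records are a permanent error and its DMARC policy only applies to 10% of mail.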

But let’s look forward, not backward, and certainly we should discuss where we go with Covid. Now that everyone is working from elsewhere, endpoints are being shared across families, making them more vulnerable to exploits. Google has seen 1M daily phishing attempts across its email infrastructure. And there are tons of phishing lures with Covid-related subject lines, or messages that offer free testing or deals on travel. The virus also demonstrated why business continuity and better risk management decision-making are essential. Security awareness training now starts at home, and if you are sharing your network with your family, they need to be trained as well.

RSA’s Anti-fraud group has also found an increase in QR code fraud. These codes became more popular this year as a way to promote contactless retail shopping and dining. The bad guys quickly picked up on the trend. They trick users into downloading malicious programs, or use QR codes for a new type of phishing attack that brings users to a malicious copycat website. The above link has a bunch of handy suggestions for discerning whether a QR code will bring you to a potentially malware-infested site, and other tips on how to be more aware of malicious codes.

What does the future hold? We should expect more high-profile victims in 2021. In 2020, Twitter, Zoom, Marriott and Nintendo were the top victims of various social engineering and credential stuffing attacks. None of these were technically sophisticated – the Marriott attack, for example, succeeded by compromising just two employees’ accounts. Better authentication and more security awareness training could have prevented this.

A second issue is that of deepfake videos. What began as innocent and simple photo editing software has evolved into an entire industry designed to pollute the online ecosystem of video information. The past couple of years have seen advances in more sophisticated image alteration and in using AI tools to create these deepfakes. I also expect improvements that will make fakes harder for recipients to discern, and fakes that spread more quickly across social networks.