Avast blog: An elections security progress report

Twelve Tuesdays from today, the US national elections will take place, and infosec professionals are doing their best to adapt to changing circumstances brought on by both the pandemic and the tense cyber-politics surrounding them. More states are expanding mail-in voting and planning the necessary infrastructure to distribute and process  paper ballots. State elections officials are also deploying better security measures, banding together to form the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership in the  information sharing and analysis center has grown considerably since the 2018 election.

In this blog post for Avast, I review what is going on with election security since we last covered the topic during the March primaries. There have been numerous events in the past week that have brought new context to the intersection of technology and our elections. And I also mention several presentations given at Black Hat and DEFCON that bring us up to date on what is happening with election security.

Network Solutions blog: Mastering Email Security with DMARC, SPF and DKIM

We all know that phishing and email spam are the biggest opportunity for hackers to enter our networks.  If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking, data leakages or privilege escalation exploits. Over the years a number of security protocols have been invented to try to reduce these opportunities. This is especially needed today, as more of us are working from home and need all the email protection we can muster. In my latest post for Network Solutions blog, I discuss the trio of email protective technologies that can be deployed to make your email more secure.

Avast blog: What to do about the BootHole vulnerability

Late last month, security researchers discovered a major vulnerability in the software that controls how PCs boot their operating systems. This is one of those issues that sounds scarier than it is. Fixing it will be a major process, especially for Linux system administrators and corporate IT organizations with a mixture of different PC vintages and manufacturers. The problem has been named BootHole, and it could affect up to a billion computers.

If you are running Linux, do your homework before rebooting or upgrading so you don’t make things worse. If you are running Windows, you’re better off waiting for Microsoft to issue a fix.  In the meantime, use basic security hygiene to avoid unwanted access to your machine.

You can read more about this issue in my post on Avast’s blog here.

 

If you are unemployed, start rebuilding your personal brand

I am very fortunate: I have worked for myself for decades and have a great collection of clients that keep me busy with plenty of freelance writing assignments. But because our economy is in rough shape, there are lots of folks who are out of work right now. This made me think back to the time in 2006 when I got fired from my last full-time gig, running the editorial operations of the various Tom’s Hardware websites.

It wasn’t the first time I went to work and was told to pack up my things and leave that same day. It is a horrible feeling: you think you are worthless, that you will never work again. That you have failed. I was scared that I wouldn’t be able to make my mortgage payments. I had moved across the country to take that job, and now what was I going to do?

Unlike the astronauts, failure is an option. I wrote about this many years ago, where I described some of my numerous failures in my career, such as my books that didn’t sell or websites that weren’t successful at attracting interest.

I thought of this because I am reading an interesting book by Lauren Herring, Take Control Over Your Job Search. It is all about helping you to find a new job — not that I need to or want to make changes to my current situation mind you. I am very happy with being a full-time freelancer, and thankful that I can work for such great clients. But if you are less fortunate, or if you know someone who has gotten stuck with unemployment, this book might be worth picking up. Lauren is the CEO of a coaching/recruitment firm here in St. Louis.

Sure, there are a lot of job-search books out there. This book has some intersections with three sources: that seminal job searching book What Color is Your Parachute, Elisabeth Kubler-Ross‘ stages of grief and the mindfulness work by Jon Kabat-Zinn. But what I found interesting in Herring’s book is that she addresses the biggest issue of today’s unemployed: your emotional state of mind. Yes, you can fill out all of the Parachute’s exercises and have a sparkling resume. You can meditate daily and figure out whether you are in denial or still bargaining with your newfound unemployment. But if you approach your virtual interviews with a lack of confidence, or too much confidence, or can’t even leave your house without a boatload of fear, you won’t get anywhere. “The ability to notice, understand, and process your emotions is more critical to success and happiness today more than ever before,” she writes.

Herring describes how to respond to ten different emotions (that’s the multi-step Kubler-Ross stuff) of grief, anger, and frustration with ways to respond to them and Parachute-style exercises to get you to discover your own state of mind and ways that you can move through the paralysis towards more positive outcomes (a la mindfulness). Along the way you will be using a group of what she calls your “super team” of supporters to help you role play and arrive at better outcomes and write journal entries of your reactions. “The goal of this book is to replicate the live experience of working with a career coach as best as possible,” she writes.

Take fear, for example.To fight it, she cites several case studies of the jobless that she or her company has coached. “Potential employers can sense your fear about your job search,” which as you might imagine doesn’t bode well to get callbacks or offers. And if you find yourself taking rejection personally and feeling resentful, you need to reset these feelings. For example, you should do some research and find out if you have your facts straight.

One of the more interesting aspects is shaping your personal brand, which is something that I have written about several times, and part of some of my own career coaching presentations. Your brand needs to come through in all your digital elements: LinkedIn profile, your resume and so forth. “This is one of the most uplifting tactics your can do during your job search,” she writes, and a good way to counter some of the negative emotions you are experiencing. Being clear on your brand is a great way to define your next job, and to ensure that your performance once you get that job will measure up to the expectations of you and your manager too. It is great advice for folks who have jobs and want to move ahead too.

One missing element from this book is some specific strategies in these times when we are working from home. While some of her methods can be easily modified and she does mention things like virtual interviews, I think the topic deserves its own special chapter. Perhaps she’ll include this on her website as a supplement.

Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (such as a reused one that has been already leaked in another breach), your account is still secure because you have this additional secret to gain access. Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes.

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Network Solutions blog: Cost-effective ways to improve your network bandwidth

As more of us work from home, we need to ensure more consistent and better bandwidth connections. By better bandwidth, we mean one or more of three cost-effective methods that can be used to boost your Wifi signal, reduce network latency, and improve your wireless throughput. To figure out which method or methods will work the best for you, there are some simple tests you can perform before you go shopping for new gear, including a new home router or a better Internet provider connection plan. You should periodically test your network bandwidth and throughput to ensure that you don’t have any bottlenecks, and don’t be afraid to change your provider to get something better.

You can read my blog for Network Solutions here.

Turkish tactics with blocking social media

Today in our Congress, the four executives of Big Tech (Cook, Zuck, Bezos and Pinchai) will testify about their business practices. (You can watch this live or on demand here.) I have written previously about Apple’s issues with running its App Store here. ProtonMail’s Andy Yen has nicely summarized things from his perspective — as a vendor that is trying to make a living selling encrypted mail services. If you want a longer exposition, today’s NY Times has this handy reference piece that reviews the major issues.

Sorry to hit you with so many links but I wanted to get all that down. Who knows if Congress will act to fix things with Big Tech, but in the meantime we have gotten a preview with a potent counter-example. This week the Turkish government has issued new laws that are aimed at regulating all social media platforms with more than 1M daily users — meaning Facebook (including its WhatsApp and Instagram networks), Pinterest, Twitter, Telegram and YouTube. Basically, everyone.

The regulations call for each vendor to operate a local office in Turkey and store all Turkish data in a local data center. You can imagine the potential for abuse right there. The staff of each office will also be responsible for blocking content requests from the government, and need to respond within two days or risk huge fines. The new law is supposed to go into effect October 1. For several years, Turkey has been blocking all Wikipedia content — and only lifting this restriction in January. And they have been after Netflix as well, resulting in four productions closing up. Ironically in the US, Netflix has received a boatload of Emmy nominations this week. The Times cites one statistic that the government last year blocked more than 400,000 websites.

I wanted to see for myself what actually has been going on with Turkey, and I went to the various “transparency reports” produced by the Big Tech vendors. No doubt in today’s testimony these reports will be cited several times. The reason why I put them in quotes is because figuring out any meaningful information from these reports isn’t easy, as you might suspect. Each of the Big Four vendors has a different format (innovation is alive and well) that makes it difficult to compare them to each other. But to save you the effort, here are a couple of spreadsheet fragments so you can see for yourself. The quick summary: Turkey is certainly at the top (Twitter) or nearly so of the most requests to block content. For Twitter, as you see in this spreadsheet, the two columns account for removal requests by the courts (which could be politically motivated) and government-based requests, which you can see add up to more than 6,000, roughly a third of the total removal requests sent to Twitter over last year.

Facebook has a similar spreadsheet, and Russia tops their list, but Turkey is in the top 15. Here are  Google’s page of statistics for Turkey. Overall, since 2009, the Turkish government has submitted more than 12,000 requests to remove items. But it is hard to compare them with other countries unless you bring up the separate pages, and when you do that you see different ways to display the data by country that make any comparison impossible. Apple’s page on Turkey can be found here. Again, the design of this report makes it hard to compare countries, but it looks like Germany is the top place to remove content, no matter which metric you use.

Turkey is far from an open democracy, as I am sure you realize. My point here is that while this recent legislation is poorly designed (and will no doubt be challenged and could be modified before it actually takes effect), it should serve as a warning for our government to try to do the right thing, however you want to define that. I wish our Congress a lot of luck, especially trying to do this in an election year. In the meantime, have fun trying to interpret all these numbers and making sense of them.

Avast blog: Why Emotet remains an active threat

One of the longest-running and more lethal malware strains has once again returned on the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER. What made Emotet interesting was its well-crafted obfuscation methods. Proofpoint posted this timeline:

Over the years, it has had some very clever lures, such as sending spam emails containing either a URL or an attachment, and purport to be sending a document in reply to existing email threads.

You can read more on Avast’s blog here.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is surprisingly our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

How cybercrime has become boring work

To those of us who have seen one of the classic cybercrime movies, hackers are usually social misfits with an ax to grind and come with plenty of attitude. A new academic research paper takes issue with this profile, and indeed its title is somewhat intriguing: Crime is boring.  Let’s take a closer look.

The paper begins by describing how cybercrime has shifted to more cloud-based specialized and subscription services, mirroring the general direction that has happened in the legit IT world. Several years ago, cybercriminals sold their malware — now you can find just about anything for free on open-source marketplaces — again, mirroring this general trend in the legit world.

But as the tech has evolved, so has the units of work done by the typical cybercriminal. These jobs are very similar to maintaining the back-office infrastructures of an insurance company or any global business. The majority of people involved in cybercrime are doing the grunt work, such as evaluating different online services, running various scams and acting as resellers. In the past, cybercriminals could be found on dial-up BBS’ or IRC channels. Now they populate Discord, Telegram and other online chat groups.

As a result, the researchers from University of Cambridge (UK) Cybercrime Center have found that “there has been a change in the kind of work involved in the typical cybercrime economy.” Far from the exciting dramas depicted in the hacker movies, much of the work has become fairly routine and even dull, “the underground equivalent of a typical office job.” Or at least the office jobs that we once had at the beginning of the year.

The research involves interviewing admins who operate a variety of several cybercrime services, such as booters and stressers (which form the underpinnings of denial of service attacks). One person was quoted as saying “Creating a stresser is easy. Provider the power to run it in the tricky part.” They describe three malware situations in more detail: the botnet herders, the evolution of the authors of the Zeus banking trojan, and underground marketplaces hosted on the dark web. The booter services have something in common with legit web services: they need a solid customer-facing portal to track users, collect payments and manage the actual attacks. Some of these booters operate more than a dozen different websites that need to be maintained and to be configured and tested for continual operations. This often means a substantial investment in customer support, such as running a problem ticketing and tracking service or realtime text chat. Sound familiar?

The research pulls together a set of eight key features of the unknown cybercrime worker, ranging from support for broader illegal activity to diffusing risk and maintaining stability and transparency of the criminal infrastructure. I have never thought about cybercrime in this fashion, and it made for some interesting reading. The authors also mention that the often-publicized crackdowns on online criminals can “in fact unite communities, giving them a common sense of struggle and persecution” and purpose. Perhaps a different strategy of having law enforcement interventions that focus on the economics of boredom and encouraging burnout could be a viable substitute instead of the “whack-a-mole” current approach.