Microsoft recognizes that password expiration policies don’t help — they hurt

Recognizing that mandatory password changes don’t help an organization’s security posture, Microsoft last month announced that the draft security configuration baseline for the next version of Windows 10 (version 1903) would no longer recommend periodic password changes.

In a post on Microsoft’s Security Guidance blog, the company explained the reasoning:

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.

This reinforces a larger important point about our baselines: while they are a solid foundation and should be part of your security strategy, they are not a complete security strategy. In this particular case, the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines.

Props to Microsoft for making this change.

Password expiration policies are not unlike anti-piracy measures for music and movies: They were conceived and are meant to deter bad guys, but they end up getting in the way of the good guys while failing to stop the bad guys.

Just as no one wants to have to spend thirty minutes downloading and installing a firmware update for their Blu-ray player to make a disc playable, no one likes having to change their password when they log in simply because some amount of time has passed.

If a password is set to expire every thirty days, a user will be asked to change it twelve times a year. To cope with the annoyance, users can be expected to do exactly what Microsoft describes: make “small and predictable” alterations to their previous password.

A strong password stored securely in an electronic vault is better than a password that is frequently changed. Instead of setting and insisting on password expiration policies, information technology departments should require the use of password management tools, and join independent cybersecurity professionals in encouraging everyone to also set up their own password management tool for personal use.

POSTSCRIPT: Need a password manager for personal use? Try Dashlane or 1Password. Need one for a small team that doesn’t cost anything? Give CommonKey a look.

Intel discloses another major flaw in a significant number of its CPUs

A year and a half after the words “Meltdown” and “Spectre” entered the cybersecurity vernacular, chip maker Intel has disclosed another major vulnerability affecting a significant number of its CPUs. Here’s Wired:

Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel’s chips. It’s four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer’s CPU to an attacker.

It’s become fashionable in cybersecurity circles for exploits and vulnerabilities to be given names (think Heartbleed and WannaCry). The researchers who found these attacks named them ZombieLoad, Fallout, and RIDL (Rogue In-Flight Data Load).

Intel, meanwhile, came up with a much duller name to describe the vulnerability: Microarchitectural Data Sampling, or MDS, which would fit well into a paragraph loaded with other corporate mumbo-jumbo.

How do the attacks work? Here’s an explanation from the researchers:

The RIDL and Fallout speculative execution attacks allow attackers to leak confidential data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your information to malicious websites. Our attacks leak data by exploiting the newly disclosed Microarchitectural Data Sampling (or MDS) side-channel vulnerabilities in Intel CPUs.

Unlike existing attacks, our attacks can leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in CPU caches. We show that existing defenses against speculative execution attacks are inadequate, and in some cases actually make things worse. Attackers can use our attacks to obtain sensitive data despite mitigations, due to vulnerabilities deep inside Intel CPUs.

Intel’s newest CPUs don’t suffer from MDS vulnerabilities, but most Intel CPUs made since 2008 do. Chips made by ARM and AMD are not affected.

The researchers recommend disabling Intel® Hyper-Threading Technology in addition to installing the microcode and operating-system updates, because the buffers being sampled are shared between the two hardware threads of a core, and clearing them on context switches does nothing about a sibling thread that is running at the same time. Hyper-threading, however, accounts for a large share of the throughput of the servers that host virtual machines in datacenters around the world. It can’t be disabled without a cost.

If you’re wondering whether a desktop or notebook computer you have is vulnerable, the researchers have provided a pair of software utilities for Windows and GNU/Linux machines which can tell you.
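On Linux you don’t even need the researchers’ utility: the kernel reports its own MDS status through sysfs (on 5.1 and on distribution kernels that backported the fix, which is what the Ubuntu updates mentioned below ship). The script below is an added example, not one of the researchers’ tools; the sysfs paths are the real ones, and the exit codes and messages are my own convention. It tells you whether you still need a microcode update, a kernel update, or to switch Hyper-Threading off.

```sh
#!/bin/sh
# Added example: summarise the Linux kernel's MDS status from sysfs.
# Paths are the real sysfs locations; exit codes are this script's own:
# 0 = mitigated, 1 = action needed, 2 = cannot tell.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# Classify the kernel's one-line MDS status. $1 overrides the file path so
# the function can also be run against saved output from another machine.
mds_status() {
  f="${1:-$MDS_FILE}"
  if [ ! -r "$f" ]; then
    echo "unknown: $f not present; this kernel predates MDS reporting, update it"
    return 2
  fi
  s=$(cat "$f")
  case "$s" in
    "Not affected")
      echo "ok: $s"; return 0 ;;
    Mitigation:*"SMT vulnerable"*)
      # Microcode is in place, but a sibling hyper-thread can still sample
      # this core's buffers while the other thread is running.
      echo "partial: $s; disable Hyper-Threading to close the SMT channel"; return 1 ;;
    Mitigation:*)
      echo "ok: $s"; return 0 ;;
    Vulnerable*"no microcode"*)
      echo "VULNERABLE: $s; install the CPU microcode update from your vendor or distribution"; return 1 ;;
    Vulnerable*)
      echo "VULNERABLE: $s; update the kernel and microcode"; return 1 ;;
    *)
      echo "unknown: $s"; return 2 ;;
  esac
}

# Report whether simultaneous multithreading (Hyper-Threading) is on.
# As root, `echo off > /sys/devices/system/cpu/smt/control` turns it off
# until the next reboot (kernel 4.19 and later).
smt_status() {
  f="${1:-$SMT_FILE}"
  [ -r "$f" ] && cat "$f" || echo "unknown"
}

if [ "${1:-}" = "--check" ]; then
  rc=0; mds_status || rc=$?
  echo "SMT: $(smt_status)"
  exit "$rc"
fi
```

Run it as `sh mds-check.sh --check`. A status of `Mitigation: Clear CPU buffers; SMT vulnerable` is the common case after patching a desktop: the fix is installed, but the machine is still exposed to a malicious process on the sibling thread until Hyper-Threading is turned off.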

Intel has published a statement detailing its response here.

Apple has released an update to macOS Mojave to push microcode fixes to affected Macs. If you own a Mac, update to macOS Mojave 10.14.5 now.

Canonical has pushed microcode fixes to half a dozen versions of Ubuntu, including the two most recent Long Term Support releases.

And Microsoft has pushed microcode fixes for several flavors of Windows, including Windows 10 and Windows 7.

Microsoft also took the rare step today of releasing patches to several very old versions of Windows to patch a different critical vulnerability affecting remote desktop services. More information is available here.

Now is a very good time to install updates to your operating system!

Flying this summer? Here are some tips for staying safe and comfortable

Taking to the skies this summer — or sooner? Whether you’re a seasoned jet setter or a more infrequent traveler, you may be interested in strategies to improve your experience of going from Point A to Point B. I’m a firm believer in the concept of enjoying the journey. Air travel can be unpleasant, but it doesn’t have to be. Here are some ways you can make your next flight more relaxing… or at least less painful.


You’ll feel better if you stay hydrated during your travels, so drink water whenever you feel thirsty. Water is the only thing that will actually quench your thirst. Stay away from alcoholic beverages while in the air.

“The air in an aircraft is very dry and, coupled with the diuretic effect of drinking alcohol, you may become dehydrated much faster than you would on the ground,” KLM explains. If you want to feel your best during your trip and minimize the toll traveling takes on your body, then skip the alcohol.

I also recommend staying away from carbonated beverages (unless you have an upset stomach, in which case you may want a carbonated beverage).

Most airlines offer juice (apple, orange, cranberry) in addition to water from their beverage carts. If you want a flavored beverage, choose fruit juice instead of soda or an alcoholic beverage. You don’t have to worry about ending up with a cup of Tang: In my experience, most U.S. airlines nowadays are serving one hundred percent juice out of large juice boxes, not juice made from concentrate or fake juice made with powders.

Skip the ice whenever you get a beverage from a flight attendant.

While the water airlines serve is typically bottled, the ice could have been made in an ice machine using tap water that came out of the airplane’s water tanks… and with the notable exception of Southwest, airlines don’t have such a great track record when it comes to tap water quality.

A 2004 study by the Environmental Protection Agency (EPA) found that one in eight airplanes had water that totally failed safety standards. A more recent round of testing, in 2013, showed not much had improved.

Also, by skipping the ice, you’ll end up with an empty cup when you finish your beverage (ideally water or juice, as mentioned) instead of a cup with still-melting, possibly also sticky ice cubes that could spill.

Avoid coffee and tea for the same reason.

To ensure that you have water at the gate as well as in the air, bring an empty Klean Kanteen or a Hydro Flask with you in your carry-on.

After you pass through the security checkpoint, fill your water bottle using either a filling station next to a drinking fountain or ask someone working at a bar or restaurant in the concourse to fill it. Don’t use a drinking fountain spout because some people put their mouths right on the spout.


If you want to be comfortable while in the air, be careful what you eat while at the gate and on the plane. In addition to avoiding alcohol, it’s also best to avoid greasy and sugary foods like burgers or pizza along with cruciferous vegetables, such as broccoli and cauliflower.

And, to avoid irritating your neighbors, I suggest skipping smelly foods like garlic, canned fish (sardines, tuna, etc.) and onions.

Stay away from chewing gum, too… it can contribute to bloating. (Yawn, as deeply as you like, to pop those ears safely and effectively.)

Here are some foods that you can enjoy while on the plane. You should bring snacks as well as an entree or two for a longer flight.

  • Cherries. They’re one of the few natural sources of melatonin.
  • Chicken and vegetable wrap. This can be your main course.
  • Pasta salad. If you’re a vegan, this could be your main course.
  • Bananas. They go down easy and are a good source of potassium.
  • Lemons. You can use them to flavor your water if you want.
  • Whole grains like quinoa and brown rice for an energy boost.
  • Protein bars for a non-messy treat in between meals.

Essential supplies

When flying, there are some must-haves that you’ll want to keep with you besides that reusable water bottle (which is the key to staying hydrated).

  • Something to read. You can’t use a laptop during takeoff and landing, but you can read from a printed publication or handheld. To minimize weight, bring a magazine, a tablet, or an e-book reader instead of books. If you do pack a book, make it a paperback.
  • Disinfecting wipes. Airplane seat-back tray tables are dirtier than your toilet at home. Disinfect them, your armrests, and seat buckle as soon as you’re seated with Clorox on the go wipes or an equivalent product.
  • External battery. Not all planes have USB charging ports, so it’s a good idea to have an external battery pack with you, like the Anker PowerCore series.
  • Noise canceling headphones or earbuds. There’s no shortage of options right now when it comes to noise canceling headphones and earbuds. Most do an excellent job of filtering out the hum of a jet engine. Connect the pair that’s right for you to your smartphone or an inexpensive audio player like the Sansa.
  • Sleep kit. If you want to catch some Z’s while at 30,000 feet, pack an eye mask and a neck pillow.

Perhaps the most important thing to do is to give yourself plenty of time to get to the airport and arrive at the gate. Remember, you can always read a book or work on your computer at the gate until it’s time for your flight.

If you’re not stressed out, you’ll feel better and have a more pleasant trip.

Happy travels!

How to give your WordPress site a security checkup

Are you responsible for a self-hosted WordPress site?

If so, one of the most important things you can do to keep it healthy is to give it a security checkup and make sure you’re maintaining it in accordance with all of the recommended best practices. That way, its likelihood of being hacked by the Internet’s hive of scum and villainy is reduced.

Here’s a step-by-step guide to giving your site a security checkup. (Most of these steps are adapted from the Hardening WordPress presentation that I’ve been giving to members of the WordPress community for several years.)

Step One: Backup your site!

There are several ways to manually back up. From within WordPress, backing up can be done with one of many plugins available from the WordPress repository. If you have shell access, making a manual backup is as easy as running a couple of commands. For example, from the directory above your site root, you could run:

bash:~$ tar -zcvf MONTH-DAY-YEAR-Site-Backup.tar.gz public_html/

Then, to make a snapshot of the database (presuming you’re using MySQL):

bash:~$ mysqldump -h hostname -u username -p databasename > MONTH-DAY-YEAR-Site-Database-Backup.sql

If wp-cli is installed on your server, exporting a database becomes even easier:

bash:~$ wp --path=/home/user/path/to/wordpress/ db export

A few words of caution: Do not keep backup files in your publicly accessible web space unless your host doesn’t give you access to the directory above your web root. A backup contains wp-config.php, with your database credentials and secret keys, and a database dump with every user’s password hash; anyone who guesses or scans for the archive’s file name can download all of it. If backups must be stored in your web space, make sure access to that folder is restricted and that the file names are not guessable. On a server running Apache, access can be denied by setting directives in an .htaccess file.

For bonus points, verify the integrity of the backup by using the archive files you made to create a local copy of your WordPress installation.

It’s nice to be able to know how to make a backup on demand, but the key to ensuring backups get made is automating them. This saves time and ensures that a copy of the site is being made at regular intervals.

To automate backups with shell commands, simply create a cron job by editing crontab or using your host’s cron job manager. With a plugin, you’ll need to visit the configuration page to specify how often backups should be made, and where they should be stored. You should have a set of backups stored locally on the server, and another set stored offsite in a secure cloud repository. That way, in the event disaster strikes and your host’s datacenter is beset by a catastrophe, your data is safe.

For most WordPress users, a plugin is the easiest and best way to automate and manage backups. I recommend UpdraftPlus.
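For readers with shell access who would rather not depend on a plugin, here is an unattended version of Step One. It is an added example, not code from the original post: it keeps archives outside the web root, takes the database credentials from wp-config.php instead of hard-coding them, checks that the archive reads back, writes a checksum, and prunes old copies. `SITE_ROOT`, `BACKUP_DIR` and `KEEP` are assumed defaults; `sha256sum` is the GNU coreutils tool (use `shasum -a 256` on macOS).

```sh
#!/bin/sh
# Added example, not from the original post: nightly WordPress backup.
# Assumed layout: site at $SITE_ROOT, archives in $BACKUP_DIR (outside the web root).

SITE_ROOT="${SITE_ROOT:-$HOME/public_html}"   # directory that holds wp-config.php
BACKUP_DIR="${BACKUP_DIR:-$HOME/backups}"      # must NOT be under the web root
KEEP="${KEEP:-14}"                             # number of archives to retain

# Print the value of define('NAME', 'value'); from wp-config.php
# ($1 = file, $2 = constant). Values that contain a quote are not handled.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database named in $1/wp-config.php to file $2. The password goes
# in through MYSQL_PWD, which mysqldump reads, so it never appears on the
# command line (and in `ps`) and no prompt is needed when run from cron.
dump_db() {
  cfg="$1/wp-config.php"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump -h "$(wp_config_value "$cfg" DB_HOST)" \
              -u "$(wp_config_value "$cfg" DB_USER)" \
              --single-transaction "$(wp_config_value "$cfg" DB_NAME)" > "$2"
}

# Archive the site tree $1 (plus the SQL dump $3, if given) into directory $2
# and print the archive path. Refuses to write inside the site tree itself.
archive_site() {
  site="$1"; out="$2"; dump="$3"
  name="$(basename "$site")-$(date +%Y-%m-%d-%H%M%S)"
  mkdir -p "$out" && chmod 700 "$out" || return 1
  out_abs="$(cd "$out" && pwd -P)"; site_abs="$(cd "$site" && pwd -P)"
  case "$out_abs/" in "$site_abs/"*)
    echo "refusing to store backups inside the web root: $out" >&2; return 1 ;;
  esac
  if [ -n "$dump" ]; then
    tar -zcf "$out/$name.tar.gz" -C "$(dirname "$site")" "$(basename "$site")" \
                                 -C "$(dirname "$dump")" "$(basename "$dump")" || return 1
  else
    tar -zcf "$out/$name.tar.gz" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  fi
  tar -tzf "$out/$name.tar.gz" > /dev/null || return 1        # the archive reads back
  ( cd "$out" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256" ) || return 1
  echo "$out/$name.tar.gz"
}

# Delete all but the newest $2 archives (and their checksum files) in $1.
prune_backups() {
  ls -1t "$1"/*.tar.gz 2>/dev/null | tail -n +"$(($2 + 1))" |
    while IFS= read -r f; do rm -f "$f" "$f.sha256"; done
}

# Number of archives currently kept in $1 (useful for monitoring).
count_backups() { ls -1 "$1"/*.tar.gz 2>/dev/null | wc -l | tr -d ' '; }

# Run from cron, e.g.:  30 3 * * * /home/user/bin/wp-backup.sh --run
if [ "${1:-}" = "--run" ]; then
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  tmp_sql="$BACKUP_DIR/db-$$.sql"
  dump_db "$SITE_ROOT" "$tmp_sql" && \
    archive_site "$SITE_ROOT" "$BACKUP_DIR" "$tmp_sql" && \
    prune_backups "$BACKUP_DIR" "$KEEP"
  rm -f "$tmp_sql"
fi
```

Copying the resulting archives offsite (rsync or a cloud storage client run from the same cron job) covers the second set of backups mentioned above.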

Step Two: Install pending updates (if any)

Once your backup is made, you should install any pending updates to WordPress, your installed plugins, and your installed themes. You can do this using wp-cli, or from within WordPress using the built-in Updater. If you have plugins or themes installed that you bought from an online marketplace, you should go back to that marketplace and see if there are updated versions available. If there are, download them and install them by deactivating the version on your site, deleting the old code, and uploading the new version.

Some premium plugins and themes can be automatically updated from within WordPress just like ones installed from the repository, but access to automatic updates usually requires a license key from the developer. Consider renewing any subscriptions to premium plugins that have expired — it’ll make installing updates much simpler in the future.
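The same step from the shell, as an added example that is not part of the original post: every `wp` subcommand below is a real wp-cli command, and `WP_PATH` is an assumed location. The two small filters read the CSV that `wp plugin list --format=csv` prints (columns `name,status,update,version`), so you can see what is pending before touching anything, and spot inactive plugins, which WordPress never loads but whose files stay on disk, reachable by URL, and therefore still need updating or removing.

```sh
#!/bin/sh
# Added example, not from the original post: Step Two with wp-cli.
# Run only after the Step One backup has succeeded.

WP_PATH="${WP_PATH:-$HOME/public_html}"   # assumed site root

# From `wp plugin list --format=csv` on stdin, print the names of plugins
# whose "update" column says "available".
plugins_with_updates() {
  awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
           $(col["update"]) == "available" { print $(col["name"]) }'
}

# Same input; print plugins that are installed but inactive.
inactive_plugins() {
  awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
           $(col["status"]) == "inactive" { print $(col["name"]) }'
}

# Update core, plugins and themes, then compare the files on disk with the
# checksums WordPress.org publishes. A mismatch after an update means a file
# was modified locally, which is exactly what a backdoored install looks like.
update_everything() {
  wp --path="$WP_PATH" core update            || return 1
  wp --path="$WP_PATH" core update-db         || return 1
  wp --path="$WP_PATH" plugin update --all    || return 1
  wp --path="$WP_PATH" theme update --all     || return 1
  wp --path="$WP_PATH" core verify-checksums  || return 1
  wp --path="$WP_PATH" plugin verify-checksums --all || return 1
}

if [ "${1:-}" = "--run" ]; then
  echo "Plugins with pending updates:"
  wp --path="$WP_PATH" plugin list --format=csv | plugins_with_updates
  echo "Inactive plugins (update or delete them):"
  wp --path="$WP_PATH" plugin list --format=csv | inactive_plugins
  update_everything
fi
```

Premium plugins that wp-cli cannot fetch will show up in the first list with `update` set to `available` but fail to install; handle those by hand as described above.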

Step Three: Scan your site for problems

With backups made and updates installed, it’s now time to scan your site for problems. There are several security suites available for WordPress; my favorite is BulletProof Pro. (There is also a free version of BulletProof, and that’s better than nothing, but it doesn’t have all the features of BulletProof Pro.)

Install BulletProof Pro if you don’t already have it in your site, and put the scanner to work to see if there are any issues that need your attention.

If your site has been around for a few years and has a bunch of plugins installed, chances are good that you’re using one or more abandoned plugins. This is a common security issue with WordPress websites.

There’s no need to panic if you discover you’re using a deprecated plugin, but you should take steps to switch over to alternatives that are currently maintained. If you are notified of an abandoned plugin (which is one of the most common results I see in a scan of an otherwise healthy site), head over to the repository to look for a replacement.

Again, chances are, you’ll find one that does pretty much the same thing as the one that is no longer maintained.

Step Four: Make sure your site is protected by a firewall

One of the capabilities you get with BulletProof is the ability to deploy a firewall. Deploying a firewall is one of the most important ways you can protect your site.

Usually, deploying BulletProof’s firewall is as simple as clicking a few buttons and running the setup wizard. On some hosts, though, some intervention on your part may be required to enable extended protection mode and realize the full benefits of the firewall.

Step Five: Change your passwords

Since you’re giving your site a security checkup, take advantage of the opportunity to change all your hosting-related passwords now.

Consider installing a password manager like Dashlane or 1Password to securely generate and store your new passwords. A manager greatly reduces the complexity and anxiety involved in coming up with strong passwords and keeping them safe. You should have unique passwords for:

  • your hosting control panel
  • your database (MySQL, MariaDB, etc.) user
  • your WordPress account(s)
  • any additional shell accounts or FTP users you have

Step Six: Turn on multi-factor authentication (MFA, also called 2FA)

Many hosts will let you add another layer of protection to your site by turning on multi-factor authentication (MFA), also called two-factor authentication.

To find out if your host will let you set up MFA to restrict access to your control panel, check their support center or knowledge base for an article about “MFA” or “2FA”.

With MFA, access to your online accounts is secured by something you *have* in addition to your password. That something could be a mobile device (the most common second factor), or a hardware security key like a YubiKey.

If you’re using your mobile device, I recommend using an authenticator app instead of using SMS (short message service) if possible, as authenticator apps are more secure.

The three most popular authenticator apps currently available are Google Authenticator, Authy, and Duo Mobile.

Do you use Jetpack? Turning on multi-factor authentication at WordPress.com will help protect your site from the nasty Jetpack remote management attack that’s afflicted a lot of WordPress websites recently.

To turn on multi-factor authentication (also misleadingly called cell-phone sign in by some) for your WordPress installation’s administrator accounts as well, there’s a nifty plugin simply called Two Factor, by George Stephanis. Unlike many other plugins purporting to provide 2FA, George’s supports YubiKeys, so you can use a physical key as your second factor. Physical keys are the most secure 2FA method, followed by smartphone authenticator apps like Twilio’s Authy.

Step Seven: Configure and use HTTPS on your site

Help encrypt the Web by configuring and using HTTPS (HyperText Transfer Protocol Secure) on your WordPress site. When you make the switch to HTTPS, you’ll no longer be sending your username and password in the clear when you log in to manage your site, and your users’ comments and form submissions will likewise be encrypted while in transit between their computer and your site’s server.

Switching to HTTPS is one of the most important ways you can protect your WordPress site. Switching to HTTPS now will also ensure you’re prepared for the day when Google Chrome (and other browsers) begin marking non-HTTPS pages as “Not secure”, which is due to happen this September.

The process for configuring HTTPS varies by host, so as with the previous step, you’ll want to check your provider’s documentation. You will need to obtain a TLS certificate from a certificate authority to access your site securely in a browser without triggering a scary-looking warning.

Certificates can be obtained for free through Let’s Encrypt or for a fee from a number of traditional certificate authorities. Note that some hosts require you to buy a certificate through them in order to set up HTTPS on the server that serves your website.

After you’ve configured HTTPS, you’ll need to make changes to your site to enforce its use. First, modify your site’s wp-config.php file to require HTTPS for all administrative sessions by adding this constant:

// Require encryption for administrative sessions and logins
define('FORCE_SSL_ADMIN', true);

This is the recommended way to force HTTPS on your site’s backend because it doesn’t depend on a plugin being active.

Note that setting this constant does not require HTTPS on your site’s frontend… the public-facing part of your website.

To force HTTPS on the frontend, start by going to your site’s Settings (you’ll want the General screen) and changing the WordPress Address (URL) and Site Address (URL) fields to begin with https:// instead of http://. You will be immediately logged out once you save this change, and will have to log in again.

You’ll then want to use a plugin like Velvet Blues Update URLs to replace all the hard-coded http:// URLs in your site with https:// URLs. If you don’t do this, some of your site’s resources, like images and scripts, may not load securely.

Always make a fresh backup of your site (repeating what you did in Step One) before you run a plugin like Update URLs.

The last step is to browse around your site and look for any mixed-content warnings. You may need to modify your theme files or theme settings to get rid of a final http:// reference or two.
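The whole frontend switch can also be driven from the shell with wp-cli, which is handy when you manage more than one site. The script below is an added example, not code from the original post or from the Update URLs plugin: each `wp` subcommand is real, `WP_PATH` and the hostname are assumptions, and the `mixed_content_urls` filter is my own replacement for clicking around looking for mixed-content warnings. It reads a page’s HTML and lists every resource still loaded over plain http (`src=` attributes, `<link href=...>` and CSS `url(...)`); ordinary `<a href="http://...">` links are navigation, not mixed content, and are ignored.

```sh
#!/bin/sh
# Added example, not from the original post: Step Seven with wp-cli,
# plus a mixed-content finder. Back up first, exactly as the post says.

WP_PATH="${WP_PATH:-$HOME/public_html}"   # assumed site root

# Flip the site to HTTPS. $1 is the bare hostname, e.g. example.com.
# Set DRY_RUN=1 to have search-replace only report what it would change.
switch_to_https() {
  host="$1"
  # Same effect as the wp-config.php constant above, without editing the file by hand.
  wp --path="$WP_PATH" config set FORCE_SSL_ADMIN true --raw || return 1
  # These are the "WordPress Address" and "Site Address" fields on Settings > General.
  wp --path="$WP_PATH" option update siteurl "https://$host" || return 1
  wp --path="$WP_PATH" option update home "https://$host" || return 1
  # Rewrite hard-coded http:// URLs in posts, options and serialized data.
  # guid is skipped on purpose: it is a permanent identifier, not a link.
  wp --path="$WP_PATH" search-replace "http://$host" "https://$host" \
     --all-tables --skip-columns=guid --precise ${DRY_RUN:+--dry-run} || return 1
}

# Read HTML on stdin; print, one per line, each resource still fetched over
# plain http: src= attributes, <link href=...> and CSS url(...).
mixed_content_urls() {
  html=$(cat)
  {
    printf '%s\n' "$html" | grep -oE '(src|data-src)="http://[^"]+"' | sed -E 's/^[a-z-]+="//; s/"$//'
    printf '%s\n' "$html" | grep -oE '<link[^>]*href="http://[^"]+"'   | sed -E 's/.*href="//; s/"$//'
    printf '%s\n' "$html" | grep -oE "url\(['\"]?http://[^'\")]+"      | sed -E "s/^url\(['\"]?//"
  } | sort -u
}

# After the switch: does plain http redirect, and is the home page clean?
check_site() {
  host="$1"
  curl -sSI "http://$host/" | grep -qi '^location: https://' \
    || echo "no http->https redirect on $host (add one in your web server config)"
  curl -sS "https://$host/" | mixed_content_urls
}

if [ "${1:-}" = "--switch" ]; then
  switch_to_https "$2" && check_site "$2"
fi
```

Anything `mixed_content_urls` prints after the search-replace almost always comes from a theme file or a theme setting rather than the database, which is the “final http:// reference or two” mentioned above.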

Made it through all that? Good work!

Completing the steps above is the ticket to a safer, happier WordPress site. If you’d previously completed some of the steps, congratulations on completing the remaining ones. And if you’ve never done work to strengthen your site’s security posture before, but have been inspired to do so, I hope this post helped you take action.

Don’t let an injury to one become an injury to all: Strategies for safely managing multiple sites

If you’re adept at building websites, chances are excellent that you have more than one of them in your care, whether you own them yourself or whether you simply manage them on behalf of a friend or a business/nonprofit/community group that you have a relationship with.

Ensuring that all the sites you’re responsible for are well maintained is no easy task, especially when it’s a large number.

But it’s really important, because maintenance and administration go hand in hand with security. A neglected site can become a serious liability — and not just to the entity that it’s associated with. Since a hosting account is only as strong as its weakest link, it’s very important to ensure that no site gets left behind when it comes to regular maintenance and administration.

Here are three strategies you can use to minimize your risk of an injury to one site becoming an injury to all sites in your hosting account.

Strategy #1: Isolate your sites from each other

The first strategy you should consider to protect multiple sites that are sharing a hosting account is to isolate them from each other to the fullest extent possible. This way, if one site gets infected, the ability for the infection to spread is minimized. This strategy only works for sites that reside at different domains or subdomains (for example, mysite.tld and subsite.mysite.tld, or mybusiness.tld and hobbysite.tld).

You need to do several things to effectively wall off sites from one another:

  • Use unique, strong passwords for each site’s WordPress accounts
  • Associate each site with its own unique database and database user
  • Run each site under a separate shell or FTP/SFTP user (be aware that some hosts will not allow this) 
  • Make sure your shell/FTP/SFTP users do not have access to each others’ files (check with your host to ensure this is the case)

Again, to properly compartmentalize your sites, make sure you do all of the above. If you’ve got sites that “live together” in your hosting account and are not compartmentalized, they will all need to be cleaned in the event that one of them gets hacked.
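A quick way to check whether the sites in an account actually meet the four points above, as an added example that is not part of the original post: the script records, for each site root you pass it, the Unix owner of the tree, the database name and database user from wp-config.php, and the permissions on wp-config.php, then flags any owner, database or database user that two sites share, plus any wp-config.php that other accounts on the box can read. Site paths are assumptions; it needs only sed, awk and ls.

```sh
#!/bin/sh
# Added example, not from the original post: audit site isolation.
# Usage: sh isolation-audit.sh /home/user/mybusiness.tld /home/user/hobbysite.tld

# Print the value of define('NAME', 'value'); from wp-config.php
# ($1 = file, $2 = constant).
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# One line per site: path owner db_name db_user wp-config-mode ("-" if unknown).
site_facts() {
  for site in "$@"; do
    cfg="$site/wp-config.php"
    if [ ! -f "$cfg" ]; then echo "$site - - - -"; continue; fi
    owner=$(ls -ld "$site" | awk '{print $3}')
    mode=$(ls -l "$cfg" | cut -c1-10)
    db=$(wp_config_value "$cfg" DB_NAME); user=$(wp_config_value "$cfg" DB_USER)
    echo "$site $owner ${db:--} ${user:--} $mode"
  done
}

# From site_facts on stdin, print the values in column $1 used by more than one site.
shared_values() {
  awk -v c="$1" '$c != "-" { n[$c]++ } END { for (v in n) if (n[v] > 1) print v }' | sort
}

# Print the facts and the findings; return non-zero if there is anything to fix.
audit_isolation() {
  facts=$(site_facts "$@")
  printf '%s\n' "$facts"
  problems=0
  for spec in "2:shell/FTP owner" "3:database" "4:database user"; do
    col=${spec%%:*}; label=${spec#*:}
    for v in $(printf '%s\n' "$facts" | shared_values "$col"); do
      echo "SHARED $label: $v"; problems=$((problems + 1))
    done
  done
  # A group- or world-readable wp-config.php hands the database password to
  # every other account on the server, which defeats the separate-user rule.
  for site in $(printf '%s\n' "$facts" | awk 'substr($5,5,1)=="r" || substr($5,8,1)=="r" { print $1 }'); do
    echo "READABLE wp-config.php: $site"; problems=$((problems + 1))
  done
  echo "PROBLEMS: $problems"
  [ "$problems" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_isolation "$@"; fi
```

A shared owner is the finding most hosts force on you; if yours won’t give each site its own user, the remaining three points (unique database, unique database user, `chmod 600 wp-config.php`) are what keep one compromised site from handing over the others’ credentials.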

Strategy #2: Use a manager to collectively administer your WordPress sites

If you are responsible for more than one WordPress site, you can greatly simplify your administrative workload by using a site manager to keep an eye on all of your sites at once.

Perhaps the biggest benefit of a site manager is that it will allow you to install updates in tandem without having to log in to each and every site you’re responsible for separately.

For example, suppose the WordPress development team releases a new version of Akismet, the spam catching plugin that ships with WordPress, as they did a few weeks ago. With a site manager, you can install that update across all the sites you have with just a couple of clicks, saving a lot of time and ensuring that no site gets left behind.

Connecting your sites to a site manager is as simple as installing a plugin and completing the pairing process by providing the site URL and a key to the manager.

When it comes to site managers, you’ve got choices. Two of the most popular managers currently available are InfiniteWP and MainWP. Both of these managers integrate with security plugins. And both can be installed in your existing hosting account at no cost to you. (Like your client sites, run your manager under a separate shell/FTP/SFTP user as described above.)

Do note, though, that many advanced capabilities you may want, like scheduled backups or security plugin integration, will require the purchase of an add-on.

Since your manager will be connected to all of your sites, you’ll want to log in often to ensure the manager itself is up to date, and protect it with a strong password. It’s also best to run all of your sites — your manager included — over HTTPS only.

Strategy #3: Convert dormant WordPress sites to static sites

If you’ve got a WordPress site in your hosting account that is no longer being updated with new content, but that you don’t want to take offline, consider giving it a proper retirement by converting it to a static site.

It’ll load faster, and there will be one fewer application in your web hosting account that you need to worry about updating and securing. This is a great alternative to deleting a site altogether and having the content disappear from the Web.

To convert your site, you can use the Simply Static plugin. It will generate a snapshot of everything you’ve got — posts, pages, images, scripts, and all — preserving your permalink structure in the process. Pretty cool!

Once your archive has been successfully created by Simply Static, move it out of your web root. Then take the WordPress site offline: make a final backup of the site (files and database), delete the WordPress files from the web root, and drop the site’s database and database user so that no orphaned credentials are left behind.

Keep in mind that depending on the size of your website, the archive could take a while to build, and be quite large.

Unpack the archive file you created into the web root you just emptied, and verify that your posts and pages are still accessible at the URLs they had when the site was a WordPress site.

Note that when you retire a WordPress site by converting it using the process described above, comment threads, forms, and other interactive functionality will no longer work. You may wish to edit your now-static contact page and other pages where forms were present to remove them and make it clear to site visitors that they are viewing an archived site which isn’t accepting new form submissions. You can always put in a link to a currently-maintained site where they can reach out to you.

United States federal government bans use of Kaspersky software: What should firms and households do?

A leading maker of antivirus and internet security software has been blacklisted by the United States federal government over fears that it has ties to Vladimir Putin’s regime in Russia. Here are the first two paragraphs of The Washington Post’s story about the decision:

The U.S. government on Wednesday banned the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to U.S. officials.

Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.

And here is a copy of the statement issued by the Department of Homeland Security regarding DHS Binding Operational Directive 17-01.

Kaspersky Lab (which has an American division headquartered in Woburn, Massachusetts) responded with this strongly-worded statement:

Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded.

No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.

In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.

Regarding the Russian polices and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services.

Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.

Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.

Kaspersky’s software has repeatedly come out ahead of the competition in tests performed by independent labs, which is a key reason why many cybersecurity professionals like it and recommend it.

But now the company is being blacklisted by the federal government and agencies are under orders to remove and uninstall any Kaspersky products they may have purchased licenses for. Best Buy has already severed ties. What about households and firms that use Kaspersky: what should they do?

My advice is, don’t panic. There is no need to purge Kaspersky from your systems if you use it. No evidence has been presented that Kaspersky’s software is malicious.

And it sounds like the government just doesn’t have any.

Rob Joyce, the White House cyber security coordinator, said Wednesday at the Billington CyberSecurity Summit that the Trump administration made a “risk-based decision” to order Kaspersky Lab’s products removed from federal agencies.

Asked by Reuters whether there was a smoking gun showing Kaspersky Lab had provided intelligence to the Russian government, Joyce replied: “As we evaluated the technology, we decided it was a risk we couldn’t accept.”

Emphasis is mine.

Despite the issuance of this order, the Department of Homeland Security has said there will be “an opportunity for Kaspersky to submit a written response addressing the Department’s concerns or to mitigate those concerns”.

“The Department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant,” says the statement accompanying the order.

In a recent New York Times op-ed, Senator Jeanne Shaheen of New Hampshire advocated for today’s action by referencing briefings from the intelligence community.

At a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials.

When someone says they’ve got evidence to back up a course of action they want to take, but won’t show it to you, then you’re left with just their word.

That’s not good enough.

Shaheen goes on to say:

Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

She then goes on to talk about how the company’s founder Eugene Kaspersky graduated from an elite cryptology institute (something that is public knowledge and which I’ve known since before I started using the company’s products), and news reports that discuss the possibility and probability that Kaspersky has been collaborating with Russian intelligence, such as this one from Bloomberg.

But even that Bloomberg article noted, “The U.S. government hasn’t identified any evidence connecting Kaspersky Lab to Russia’s spy agencies.”

(Kaspersky has responded both to Shaheen’s op-ed and also to the Bloomberg story).

Writing for Wired, in a piece published on Labor Day (Why the U.S. Government Shouldn’t Ban Kaspersky Security Software), Philip Chertoff noted that most of Kaspersky’s rivals in the cybersecurity industry are also foreign companies that may have ties to the intelligence agencies of their own home countries.

It is not unreasonable to think that Kaspersky Lab may have ties with Russian intelligence. The company employs former intelligence officers, and Russia’s relationship-based business climate means that it’s unlikely Kaspersky Lab could have succeeded without relationships with senior government officials.

However, it’s a charge that could be levied at many technology companies, especially cybersecurity firms. As the digital economy has grown, international intelligence agencies and technology firms have formed a sort of intelligence-industrial complex. After exiting US intelligence services, many former officers and cryptographers transition to jobs with big tech firms, hired for those skills they learned in the service or specifically for their strong personal relationships with government officials.

For instance, Bitdefender — which is currently trying to poach Kaspersky’s business with ads like these — is based in Romania. (Bitdefender is the other company that routinely gets the highest marks in independent third party testing of antivirus and security software).

If we can’t trust Kaspersky because they’re foreign, then arguably the same logic applies across the industry.

Kaspersky is a multinational company that has servers all over the world, in many countries, including the United States as well as Russia. Again, that’s no different than other cybersecurity companies.

It must be noted that there are a lot of American firms handing over precious trade secrets so they can do business in China, or complying with Chinese laws so they can gain access to the market there.

The New York Times recently published a story about this. Shouldn’t that behavior be equally concerning to us?

It is to me, at least. And these are American firms.

Senator Shaheen claims to have seen information which is prompting her to call for a ban of Kaspersky software — but says she can’t share this information. That’s of no help, then, because it means those of us who understand these issues can’t weigh the evidence for ourselves to reach our own conclusions.

The U.S. intelligence community is very secretive and agencies like the NSA have a history of having violated federal law and the Fourth Amendment to the United States Constitution to spy on Americans.

The NSA has also reportedly spied on companies like Bitdefender and Kaspersky (surprise, surprise).

We have a growing body of evidence that Vladimir Putin and the Russian Federation interfered in last year’s elections here in the United States. We are all right to be concerned about that. We do not have evidence that Kaspersky’s software is a danger to our national security.

The Internet may have begun as a U.S. defense research project, but it’s a global medium now. Combating bad actors requires global cooperation, because the bad guys can operate from anywhere with an Internet connection, as Eugene Kaspersky notes in a piece today at Forbes:

When did it become OK to declare a company is guilty without one shred of public evidence? In addition, while the U.S. has talented cybersecurity experts, smart people, who are dedicated to fighting cybercriminals, are born and educated all around the world. If the most sophisticated cyber threats are coming from countries outside of the U.S., don’t you think using cyberthreat data and technologies from experts located in those countries might be the most effective at protecting your valuable data, especially given that they are fighting against those local threat actors every day?

It is time to separate geopolitics from cybersecurity. We need to work together globally. Kaspersky Lab has good relationships and regularly helps law enforcement agencies all over the world fight cybercrime, and we hope the U.S. will also consider learning more about us, and who we truly are, versus the rhetoric and false assumptions. We’re ready to demonstrate that we have nothing to hide, and that we only want to help defeat cybercriminals and prevent cyberattacks.

With that said, I previously offered to meet with Senators, Representatives, Committees, and federal agencies, publicly or privately, to answer any questions regarding my company or me. The offer still stands.

If those of us using Kaspersky were to ditch it, and wanted to replace it with something comparable, we’d probably go with Bitdefender, which (as mentioned) is the other company that scores the best in independent testing for antivirus effectiveness. Again, as mentioned, Bitdefender is Romanian. So we’d still be in a relationship with a foreign company and our computers would still potentially be transmitting data to servers outside of the United States, including servers based in eastern Europe.

One final point: Kaspersky’s software may be proprietary (closed source), but so are the operating systems distributed by Microsoft and Apple — which most people use for their desktop computing. Microsoft happens to be one of Kaspersky’s partners; they make use of the Kaspersky Antivirus SDK.

Seattle-based Amazon is also a Kaspersky partner.

When any of us uses proprietary software, we’re making a decision to trust the company we’re getting it from, because the source code cannot be audited by anybody in the same way that free software can be.

At this juncture, I have no reason to believe Kaspersky’s software is risky, malicious, or a threat to national security. I will therefore continue to use it to protect the proprietary systems that I run.

I actually prefer to do the majority of my computing with free software, notably the GNU toolchain, Linux kernel, KDE applications, and WordPress, all of which are distributed under licenses that allow anyone to see the source code, distribute it, and modify it.

Part of staying secure involves recognizing and rejecting bad advice

A couple of days ago, I came across a blog post by former Mozilla developer Robert O’Callahan that harshly criticized makers of antivirus software. “[I]t’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uininstall [sic] it if you already have it (except, on Windows, for Microsoft’s),” O’Callahan declared in his opening paragraph, going on to contend that many Internet security and antivirus suites don’t add value, are not themselves kept updated, and prevent the browsers and operating systems they’re supposed to protect from running smoothly.

By the time I got to the end of O’Callahan’s first paragraph, I was appalled. Urging people to avoid using or installing Internet security and antivirus solutions is terrible advice. Left undefended, a typical Windows or Mac installation is susceptible to all kinds of threats, including viruses and ransomware. I make a point of telling my clients that having a best-in-class Internet security suite installed is one of the most important ways they can mitigate their risk.

Notice I said “best-in-class”. Contrary to what O’Callahan says in his post, not all antivirus and security products are created equal. Much of what’s available for sale or download would not earn my recommendation.

I advise clients that it’s not enough to just have any old Internet security product installed; it should be an application that independent testing has shown can actually offer a user valuable protection.

The two firms whose software has generally performed best in the independent tests I’ve seen are Kaspersky and Bitdefender. I prefer Kaspersky’s Internet Security suite, and am a paying subscriber.

Kaspersky nowadays sells multi-computer subscriptions as part of a package deal for a reasonable price, which means you can get all your family’s computers protected by buying just one plan. Their suite includes a robust firewall and antivirus engine, plus some other extremely useful tools, including Safe Money, which can stop you from falling victim to phishing attacks.

The latest version of Kaspersky Internet Security for Windows has a killer feature that I absolutely love: it scans my Windows operating systems for outdated plugins and third-party applications and offers to update any it finds without my having to do anything.

I keep a lot of what I have installed updated with Ninite, but Ninite won’t update *all* the non-Microsoft software on my computer. Kaspersky is now flagging updates I can’t install through Ninite and allowing me to install them with a couple mouse clicks. I love that.

Kaspersky Internet Security is well-behaved and generally does not get in the way of my other applications. I do not use the Kaspersky add-on for Firefox because I already have NoScript, CookieSafe, RequestPolicy, Privacy Badger, uBlock Origin, and HTTPS Everywhere installed. These add-ons collectively serve as my browser armor and help protect me as I surf on a daily basis. But I consider Kaspersky Internet Security essential, too.

In my own testing, the scanner and antivirus engine have done very well. If I mount a volume with malware specimens on a virtual machine Kaspersky is installed on, it will quickly notice the specimens and warn me that it’s found malicious objects that should be quarantined or deleted.

Kaspersky’s Alexey Malanov saw O’Callahan’s post too, and took issue with it here. His criticisms of O’Callahan’s criticisms are spot on, and worth reading.

“In 2016, Kaspersky Lab solutions repelled 758,044,650 attacks launched from online resources located all over the world,” Malanov notes. “Web antivirus components recognized 261,774,932 unique URLs as malicious and detected 69,277,289 unique malicious objects (scripts, exploits, executables, etc.). Encryptors targeted 1,445,434 computers of unique users. Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 2,871,965 devices.”

O’Callahan’s post includes a number of sweeping generalizations that are not backed up with any evidence, like this one:

AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security.

Towards the end of his rant, O’Callahan does link to a 2012 post by Nicholas Nethercote criticizing McAfee (now owned by Intel) for getting in the way of Firefox. But he never calls out McAfee specifically in his own post.

I am not a McAfee fan either, and would not suggest anyone use their products. Fortunately, there are superior offerings available from firms like Kaspersky and Bitdefender that have earned “Outstanding” ratings in independent tests due to their effectiveness in thwarting threats.

If you’re not happy with your current Internet security suite, you should look into getting a better one as opposed to going unprotected, as O’Callahan unwisely recommends. Merely installing updates from Microsoft and Apple as soon as they’re available won’t protect you from ransomware, viruses, or phishing attacks. But a best-in-class Internet security suite can. Be sure that you have one installed on your computers and those of your loved ones.

One-on-one with Frank Abagnale, Jr. on identity theft, combating fraud, and staying safe online

Yesterday, I joined several hundred seniors at Microsoft for a captivating presentation by legendary security consultant Frank Abagnale, Jr., whose story was the basis for the hit movie Catch Me If You Can starring Leonardo DiCaprio. After the presentation, Frank generously made time to sit down with me for a one-on-one conversation about identity theft, combating fraud, and staying safe online. The following is a transcript of our conversation.

ANDREW VILLENEUVE: I really enjoyed your presentation.


ANDREW VILLENEUVE: Can you talk a little bit about medical identity theft? What are some of the trends we’re seeing that are really disruptive and harmful?

FRANK ABAGNALE, JR.: Medical identity theft is kind of a new trend we’re seeing, where people would actually go into a clinic or a hospital because they need medical treatment, but they have no insurance. So in doing so (filling out the application), they list my name, my Social Security number, my date of birth, my personal information, and basically end up having the service done, but my insurance company being billed (or me directly being billed) and I end up getting a bill saying that I had this treatment at this clinic.

What’s not easy to do is when you call and say That wasn’t me! I wasn’t in that clinic! You really almost have to prove that it wasn’t you.

We are protected under the Fair Credit Reporting Act for other types of identity, like your credit card and things like that. That does not cover medical identity theft, so some of these collection agencies do go after individuals, even though it wasn’t them that made that charge.

So we’re starting to see that trend now of people getting medical services using somebody else’s identity.

ANDREW VILLENEUVE: Is this an area where the law simply hasn’t caught up yet?

FRANK ABAGNALE, JR.: They’re going to have to change the laws to take away the liability from the consumer, so the consumer’s not held liable for treatment that you got using my name. Right now, that doesn’t exist. So, I can’t even see my medical records because now you’re on my medical records, and the HIPAA laws don’t allow me to see them, because then I’d see your medical records and treatment. So that’s kind of ridiculous. So I think they’re going to have to change some federal laws to address this issue of medical identity theft, which will become more and more of a problem.

ANDREW VILLENEUVE: Now, you work with the FBI, and have for a long time. And a lot of laws that need updating are federal laws. But of course, we have the fifty states, and they’re often called the laboratory of democracy. Do you have any specific advice for state-level policymakers? What are things that they can do to protect citizens against these cybercrimes and identity theft problems?

FRANK ABAGNALE, JR.: You know, I’ve worked with the FBI for four decades — for forty years — and I get to go out and speak. I spoke at the state attorneys general conference, both their summer workshops and their winter workshops. I had all fifty state attorneys general in front of me. I work directly with the U.S. Attorneys. I teach at the Academy, where we teach U.S. Attorneys. What I try to do is to correct things that are very obvious. Like taking Social Security numbers off of 1040s. Making a Selective Service card be put in an envelope, so people can’t read what you put on there — your Social Security number, your date of birth. Removing the Social Security number from a Medicare card. Changing it off the military ID card.

I’m a strong believer that the government needs to lead. Whether it’s federal, state, county, or city. The government should be saying, this is the proper way you handle this, and this is the proper way you implement this. Instead, the government is way behind. It’s American corporations and businesses who say, Well, this is a problem. We need to come up with a solution and fix it. It’s ridiculous that the government should be behind.

And the government fails to do a lot of things. It ends up it’s the taxpayer who loses, whether it be their identity, or they’re actually losing the taxpayers’ money through fraudulent activity that doesn’t really need to occur.

ANDREW VILLENEUVE: Here in Washington — and also in Oregon, which is our neighbor — we do a lot of vote-by-mail. In fact, we’re almost exclusively vote by mail, and when people take their ballots to the post office, they’re supposed to sign the outside envelope. Their name is already on there, because it’s been printed; there’s a barcode, there’s their address. They’re supposed to sign to show that it’s them, and that signature has to match what’s on file with the elections officials. And that’s just going into the mailstream with their signature and their name on the outside of an envelope. Is that an insecure practice?

FRANK ABAGNALE, JR.: Yes. And see, that’s ridiculous. But even better than that is: I’m on Medicare, because I’m sixty-seven years old, but I don’t collect Social Security. So for that reason, they can’t take my Medicare payment — which is about four hundred dollars a month — out of my Social Security check. So they have to send me a bill every month.

And I have to pay it. When they send me the bill, CMS — Medicare — tells me, Put your Social Security number on the check stub under Memo.

I said, You’re out of your mind. Now, you’re asking me to write a check, and have all that information that’s on the check, and then give you my Social Security number on top of that, and put it on there? So if someone sees it, they don’t have to do anything. They just have to see it, and they have all the information about me.

So those are the kind of things that I mean are more common sense things that you could go in and easily fix, and they’re not doing. And even when you bring it to their attention, and say this is absurd, because this is what somebody could do with that, they don’t go in and fix it.

So it’s just ridiculous.

And I have to tell you — and I will email you this piece because it’s hard to believe — but a couple years ago, a woman in the State of [Oregon] applied for a state income tax [refund] and claimed that she earned $3.5 million, and that the state owed her $2.1 million. And the state actually sent her a refund on a card — on a debit card — for $2.1 million. The woman was using the card for several months, but she lost the card.

So then she called the state tax revenue office in [Oregon] and said, I lost my card, I need a new card. And when they [finally] did [look], auditors saw it and said, Whoa, how could this be this big a refund? And that’s how they caught her. And I had that case. Just absurd.

And those are the kind of things that go on all the day.

We arrested a doctor in Michigan who was a cancer doctor. He treated four hundred and thirty-eight patients who came to see him. Every patient, he told them they had cancer. They didn’t have cancer. He treated them with chemo and billed Medicare thirty-three million dollars. We finally caught him; a judge gave him forty-five years, just two months ago, in prison. These are the kind of things that go on all the time. Millions and billions of dollars. But again, there should be a mechanism in place to catch these things.

So when we talk about food stamps, which is done on a card, we look at a delicatessen in Brooklyn that two years ago, is taking two hundred thousand dollars in food stamps. Now it’s taking two million.

So then, when you go down there, it’s a twelve hundred square foot store. So what they’re doing is when you come in with your card, they say, How much you have on that card? Two hundred dollars? I’ll give you a hundred dollars cash for the card, and then I’ll let you buy the other hundred in whiskey and wine — which they’re not allowed to use — on the other part of the card.

These people are driving Rolls-Royces when we go arrest them. They’re driving Ferraris. They have two condominiums. But you wanted to say to the people administering the program, Didn’t it look a little suspicious that the guy went from $200,000 to two million? What is it? He’s got people lined around his building waiting to come in with their card?

I mean, it’s such obvious stuff that it’s absurd that it goes on.

So, how can you blame the criminal for taking advantage of it? And he realizes the government has all the money and the government’s easiest person to rob, whether it be state or federal, because they’re doing the least things to prevent it.

ANDREW VILLENEUVE: So, in other words, people go after the government, ’cause that’s where the money is.

FRANK ABAGNALE, JR.: The easy target. You know, the old Willie Sutton: Why do you rob banks? Because that’s where the money is. Why do you rob the government? Because that’s where the money is.

Plus, it’s easier than to try to rob a bank.

ANDREW VILLENEUVE: So, is the problem with people missing these obvious red flags that there isn’t enough accountability, or is it just that because public servants who work on the taxpayer’s dime are basically doing their jobs, but they’re not costing a company money. It’s not that there’s profits at risk, but it’s the entire public at risk. Is that sort of like a socialization of risk that’s happening? Is that the problem?

FRANK ABAGNALE, JR.: Yeah, and you know, I hate to have to say that, because of my association to the government, but that’s how it is.

One, it’s not their money. Two, nobody wants to take responsibility. No one really wants to do a whole lot about it, you know, whereas in a private company, you have people to answer to. There’s stockholders, or shareholders; there’s people that expect a profit.

In the government, there’s really nobody answering to anybody, so nobody’s really doing anything about it. And then, we impose some things, too, that make it difficult. In defense of the IRS, for example… they process a hundred and fifty-three million returns during the month of April.

Now, years ago, when you filed a paper return, and you said to the government, You owe me $2,100 back as a refund, they had eight weeks, ten weeks, to get you that refund. So during that time, they checked your W-2, they checked it across the state’s wage-earning files and so on, and they investigated your return. Now, the government says, you’re paying electronically, and you file electronically, [so] they tell the IRS, you need to pay these people within fifteen days.

Well, the IRS [worker] says, I can’t… I can’t look at, I can’t check all these things in fifteen days. I have millions and millions of returns.

So, again, Congress is mandating something they can’t physically do, and in the end, the criminal’s taking advantage of Congress doing that. Where, if you ask most Americans, Would you mind waiting a few more weeks for your return if you knew it was going to save the taxpayers billions of dollars from criminals getting the taxpayers’ money? They’d say, yes, but they don’t.

ANDREW VILLENEUVE: And that’s the kind and sort of question that has like a no-brainer answer, right?

FRANK ABAGNALE, JR.: Right. Exactly.

ANDREW VILLENEUVE: So, you know, you ask those questions, people will say yes, I’d like to be more secure. In fact, people are always talking about the liberty and privacy versus security trade-off. And people say they value security, but it seems like we’re less secure with everything moving online, but we don’t have a long-term plan for securing that data that we’re moving online.

FRANK ABAGNALE, JR.: No, and we, as ourselves, give away so much information, you know. We get on and tell our mother’s maiden names, our pet’s names, where we went on vacation, where we’re going on vacation. You know, what kind of car we drive, what places we like to go eat. And there are people who take that information, because they can build profiles. There’s so much they can do with it.

But the thing is, you can’t con a con man, and that’s because the con man is already thinking with a deceptive mind, and he already sees your scam coming at ’em. Most Americans are honest, and because they’re honest, they don’t have a deceptive mind. They’re not sitting there thinking about, well, what would someone do with that piece of information? What could they do with that? That’s why it’s so important to educate people, to give them the proper tools.

So, when I go out and speak at a lot of universities, I’m really surprised by the kids’ questions, because it’s more about their personal security than it is about How’d you like Leonardo DiCaprio playing you in the movie? It’s more about, how do I use Facebook safely? What is it okay to do online, and not okay to do? And so, you know, they’re concerned. But they want to know how: Where’s the information?

ANDREW VILLENEUVE: One of the things that has really bothered me over the years is I’ll get some sort of form or application that’ll ask me for my Social Security number. I’ve never felt comfortable giving that out. I don’t like giving it out, but they say they have to have it… and a lot of these companies collecting this information say they really need it. Is there any way for consumers and customers to stand up and say, no we don’t want to give you a Social Security number?

FRANK ABAGNALE, JR.: No, they don’t need it, because federal law says… on your hand, you can count how many times you’re required to provide your Social Security number by law. And that, you know, [includes] things [like] when you apply for credit, when you apply [for a job], your employer has the right to have your Social Security number for collecting taxes. The IRS… law enforcement can ask you for your Social Security number.

But when you go to the doctor’s office, the doctor really doesn’t need to have your Social Security number. The problem is, if you say to the doctor, I’m not giving it to you; I’m not giving you my Social Security number, the doctor’s going to go through your insurance company and ultimately get it from your insurance company, who does have your Social Security number.

So they find a way to get it anyway. But most of the time, you shouldn’t be offering to give it to people, and if somebody gets it, and you see really no reason for them to have it, then you should just tell them no. And a lot of times if you just stand firm, so no I’m not giving it to you, they’ll go around and do whatever they’re supposed to do anyway.

ANDREW VILLENEUVE: Right. If you’re filling out one of those forms that, let’s say, an independent contractor and so forth fills out… would you recommend that people get an EIN that’s separate from their SSN?

FRANK ABAGNALE, JR.: Yes, absolutely. I always use a federal tax ID number, even when I was just me, and I was self-employed. I wasn’t going to go around giving everybody my Social Security number. So I have to have that if I’m going to pay you and send you a 1099 [and the other party says] I need your Social Security number. I just gave him a federal tax ID number, and that’s what you should do. If I was that independent contractor, that plumber, that business, I would never be giving them a DBA [doing business as]. I would never be giving them my Social Security number. I would just be giving a federal tax ID number.

ANDREW VILLENEUVE: And people can easily get those.

FRANK ABAGNALE, JR.: Yeah, it’s not difficult. You just apply for it, and they give you a number, and that’s the end of it. Yeah, it’s not difficult to do.

ANDREW VILLENEUVE: President Obama recently announced he was creating a U.S. Digital Service to try to get some of the really talented folks who have maybe been working in the private sector to lend their energy, their talents, and their expertise to the public sector. Is that something we need to do to better combat identity theft and improve cybersecurity?

FRANK ABAGNALE, JR.: Yeah, because I don’t think we have the people, the manpower, or the brain power in Washington, D.C. to do that. I think this is where you need to go out and get outside help, because a lot of those people don’t have the knowledge or the experience or the background or the training to deal with a lot of those problems. So I don’t think there’s anything wrong with the government going outside the government and getting the people that know how to fix these problems and get them to come in… and at least ask advice on how to go about fixing these problems.

The only thing I would say: If these people come in, and they give you good advice, and you know it’s good advice, then implement it! Don’t just listen to them and then walk away and [go back to] business as usual. Otherwise, you’re wasting more money.

ANDREW VILLENEUVE: One last question. A lot of people I know are people who make lots of active use of social media. They’re on social media all the time: Twitter, Facebook. What are two or three common best practices you recommend to strengthen people’s social identity?

FRANK ABAGNALE, JR.: It’s real simple. One: Don’t put a straightforward photograph of yourself on Facebook. [Two]: Don’t state where you were born on Facebook, or your date of birth. [Three]: Don’t make statements that you don’t want someone to read that you said.

So, if you’re an eighteen-year-old and you make racial slurs, someone’s going to read those racial slurs five years from now when they go to give you a job, and that could hinder you getting that job. Or putting a picture of you that was a picture of you nude on a beach with a bunch of drug paraphernalia all over your body, knowing that some employer down the road may look at that, and that’s going to be held against you.

So just be [aware]. Realize that everything you write, someone’s going to read besides the people you want to read it, and that it’s all retrievable. So you’ve just got to be careful, again, not to be giving away things. Stop and think: Do I really want to put that out on social media where someone may see that, later on, down the road, four or five years from now?

ANDREW VILLENEUVE: Right. So you have to think long-term.

FRANK ABAGNALE, JR.: Long term. Absolutely.

ANDREW VILLENEUVE: Thank you very much.

FRANK ABAGNALE, JR.: Thank you, Andrew. It was a pleasure.

How *not* to patch a security vulnerability

If you’re a vendor… don’t do what Fiat Chrysler did:

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

It’s hard to believe a company like Fiat Chrysler could be this boneheaded about security. But somehow, this ridiculous plan to send USB sticks out to Jeep Cherokee owners got greenlit. Some 1.4 million Jeeps are said to be affected by the aforementioned vulnerability, which is a lot of vehicles.

Fiat is making a bad problem much worse, as Pete Bassill explains:

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

Fiat did issue a voluntary recall, allowing owners to bring affected vehicles into dealerships to get their firmware upgraded. They should have left it at that — if pushing out updates over the air wasn’t possible. Perhaps Fiat went with USB sticks thinking it would be an inexpensive way to help their customers update their vehicles’ firmware. But in the long term, I imagine it’s going to be more expensive, because of the can of worms they’ve opened for themselves.
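The authenticity check Bassill asks for, as an added example that is not Fiat Chrysler’s code or any real vehicle update mechanism: a constructed Go sketch in which the vendor signs each update image together with a version counter, and the vehicle verifies that signature under a pinned vendor public key (and refuses to go backwards in version) before it touches the image. The package layout, key pair, and image bytes are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical layout for an update shipped on removable media.
type UpdatePackage struct {
	Version   uint32 // monotonically increasing build counter
	Image     []byte // firmware image bytes
	Signature []byte // vendor signature over version and image
}

// digest binds the version to the image so neither can be swapped on its own.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, version)
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the vendor's offline signing step; the private key never ships on the stick.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	sig := ed25519.Sign(priv, digest(version, image))
	return UpdatePackage{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is what the vehicle runs before installing anything: the signature must
// verify under the pinned vendor key, and the version must be newer than what is installed.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, digest(pkg.Version, pkg.Image), pkg.Signature) {
		return errors.New("signature invalid: not from the vendor, or modified in transit")
	}
	if pkg.Version <= installed {
		return errors.New("version not newer than installed: rollback refused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := SignUpdate(priv, 2, []byte("constructed firmware image bytes"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, pkg))
	pkg.Image[0] ^= 0xff // simulate an imitation or tampered stick
	fmt.Println("tampered:", VerifyUpdate(pub, 1, pkg))
}
```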

Ad-blocking is good from both a security and privacy standpoint

Every now and then, I come across a story which reaffirms my long-held belief that ad-blocking is good from both a security and privacy standpoint. That happened again recently when I saw this article in The Register:

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

As the article goes on to explain, malvertising has simply exploded in recent years, and is now an extremely serious problem. But unfortunately, big players in the web advertising business aren’t doing enough to combat it:

The industry’s top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

What can users do to protect themselves from malvertising? The answer is simple: Block ads and block JavaScript from executing by default.

There are ad-blockers available for all major browsers, notably AdBlock Plus, which has extensions for Internet Explorer, Firefox, Safari, and Chrome/Chromium. All the major browsers also contain controls that are capable of turning off JavaScript execution, but since most of us want sites we trust to be able to run scripts (for example, I want to allow JavaScript to execute on my own domain and my credit union’s domain), it’s better to install a tool like NoScript, which allows JavaScript to be selectively turned on for trusted sites. (NoScript has 2 million users and maintains an average review of five stars. It’s well-deserved.)

Using these and other tools (like HTTPS Everywhere, RequestPolicy, Better Privacy, and Cookie Controller) can greatly improve our security and privacy as users. The tools I’ve mentioned essentially act as browser armor, and can safeguard against all sorts of threats on the Web, not just malvertising. We all stumble into bad neighborhoods on the Internet from time to time, often by accident. Having browser armor in place greatly minimizes the risk of harm to our computers. Prevention, as they say, is the best cure of all.

I’ve heard some people make the argument that ad-blocking is unethical. I disagree. I believe that as users, we all have the right to decide what content we want to come into our homes and workplaces through our personal computers, tablets, and smartphones. That means having the freedom to block JavaScript, cookies, cross-site requests, ads, images, or anything else. We all ought to be able to control our own computing and decide how the Internet connectivity we pay for gets used.

This is especially important in the context of mobile Internet access, because most of us are on plans with fixed data allotments.

I understand the economics of publishing and content creation, and I agree we need to support artists and writers. The best way to do that, though, is to purchase a subscription to a favorite publication, or put money in a site’s tip jar.