How many people do you know who use the same password for everything and it isn’t even something hard to guess, like a birthday, anniversary, address or just “password” or “123456”? There are a lot and even with today’s excellent password managers, users have to be proactive to be sure they have rock solid passwords, change them regularly and protect them by not using them more than once.

Standards. A group of technology giants, including Apple, Google and Microsoft, have banded together to form the FIDO Alliance. This is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. FIDO promotes the development of, use of, and compliance with standards for authentication and device attestation. 

Apple is the first of the major players in FIDO to bring out their standards compliant solution to removing passwords from online security. The new technology is called Passkeys and will debut this fall on all of Apple’s operating systems: macOS Ventura, iOS 16, iPadOS 16, and Apple TV.

How do Passkeys Work? Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server, and stay on your device. Hackers can’t steal Passkeys in a data breach or trick users into sharing them. Passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.

When you create an online account on a website, you will use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” said Darin Adler, Apple’s P of internet technologies.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a pass phrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (Using iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (Within) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A password-less system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)
​
When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms Apple is the first company to roll out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

It’s summertime and we’re out at the beach, by the pool or at the amusement park. We bring our smartphones, tablets, e-readers, and even laptops with us and, unfortunately, some of us will experience that terrifying moment when our piece of electronics ends up underwater. It could even be as simple as a drink overturning onto your keyboard for your laptop. 

You need to know what to do and NOT to do and react quickly to save your device.

Be Prepared. You should have at home an electronics first-aid kit. You can get all the items from Amazon and you’ll be ready. Get a tub of silica gel (DampRid). 

You should also have one or two rescue packs (Kensington 39723 EVAP Wet Electronics Rescue Pouch) that you can pack with your other stuff to take with you when you’re out and about. This will work well for a smartphone or an iPod.

There’s a chance (about 70%) that you’ll be able to dry the device completely and put it back to work. In most cases, it won’t be quick, and you’ll have to make a bit of a mess. But you could save yourself a trip to the electronics store for a replacement.

Steps:

1. Get it out of the water as soon as possible — An unprotected device has less than 30 seconds before water leaks into the hardware.

2. Turn it off completely — If the device is still on when you fish it out of the water, turn it completely off. Even if the device is still functioning, turning it completely off may prevent any circuits from shorting out. This is NOT simply putting the device to sleep or turning off the display. Shut the device completely down.

3. Remove the battery, if possible — As the power source, this is more likely to be damaged by water than the actual device, especially if the item was on when contact was made with the water. If the device is a smartphone, skip this step. Opening the device will void the warranty and you probably don’t have the right tools to open it, anyway.

4. Remove the memory and SIM cards if possible — Because in many cases your data is stored on these instead of the actual computer or phone, you’ll probably want to protect them as much as possible. Fortunately, they’re fairly durable, so you’ll be able to dry them initially with a cloth towel, then let them air dry for a day before reinserting.

5. Remove any cables or peripherals and set them aside to air-dry — This is especially true for smaller devices, as there’s not a lot you can do beyond this. Headphones, in particular, are tiny, but extremely water resistant, even capable of surviving multiple trips through a washing machine and dryer.

6. Remove any covers and external connectors — This will open up as many gaps, slots and crevices as possible for drying, and help ensure that no moisture is trapped inside the device.

7. Get rid of all the water — This is where things get difficult. You may need to wipe it with a cloth or gently shake the water out. The following are other ways to remove water and completely dry your device.

Can of compressed air – You’ll need to be careful here, as compressed air likes to blow VERY cold and can momentarily freeze the surface of items it’s sprayed on. Any way you approach this, the device needs to be as water-free as you can get it before going to the next step.

Hair Dryer –   If you don’t have compressed air, a hair dryer can help speed up the drying process, but ONLY with cool air settings. Do not bombard your device with hot air. This can be better than the compressed air, as a constant stream of swift blowing room-temperature air can be directed at your device without the worry of quick-freezing parts of it.

Alcohol – Using a cotton swab, wipe small amounts of alcohol on the affected areas and then blow on them again to evaporate the alcohol. Use this sparingly, but because alcohol evaporates faster than water, mixing the two may help remove water from stubborn places.

Cover the device with a drying agent – Here’s where the silica gel pellets come in handy. Some people use white rice, but that can cause many more problems than it solves. Get an airtight container and completely cover your device in the drying agent. Leave the device in the container for AT LEAST 48 full hours. Your device may require more time in the drying agent, depending on how long and how completely submerged it was. In some cases, the device may need to sit for multiple days or up to a week – WITHOUT trying to see if it will turn on again.

Waterproof Your Technology. There’s a high-tech and a low-tech way to do this.

The high-tech way is to buy a waterproof case or bag designed for your device. Check the submersion factor, a gauge of how many feet underwater the case will stay waterproof for at least 10 minutes. 

The low-tech way is to use zippered plastic storage bags. This will work for smaller devices like music players, e-readers, and tablets. If you’re listening to music, keep the device in the plastic bag and use wireless ear buds.
​
Preparation is the best defense for summer water catastrophes. Set up your first-aid kit, get a couple of rescue pouches and BE CAREFUL when you get close to any water!

Most of us think of May 5th as “Cinco de Mayo” and look forward to an after-work margarita. But May 5th is also World Password Day and Apple, Google and Microsoft used this day to announce their support for the passwordless standard from the FIDO Alliance (fast identity online).

The three companies jointly announced that they have committed to building support for all the mobile, browser, and desktop platforms that they control in the coming twelve months. This means that passwordless authentication will come to iOS and Android mobile operating systems, Chrome, Edge and Safari browsers, and Windows and macOS desktop environments.

The FIDO Alliance announced that it won’t be long before users will be able to use a fingerprint reader, face scanner or even a mobile phone instead of passwords to conduct online business securely.

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”

At Microsoft, Alex Simons, corporate vice president for identity program management, said that tomorrow’s digital products need to be safer and easier to use. "The complete shift to a passwordless world will begin with consumers making it a natural part of their lives," he said in a statement.
​
FIDO said the three technology leaders will implement over the next year. We’ll likely hear many more details from all three, as each has their annual developer conferences this spring/summer. FIDO is already used by a wide variety of device makers and service providers. With Apple, Google and Microsoft supporting the interoperable standard, it will make a passwordless future much more attainable.

The BlackByte ransomware gang appears to have made a comeback after targeting at least three U.S. critical infrastructure sectors, according to an advisory from the FBI and the Secret Service.

BlackByte is a ransomware-as-a-service (RaaS) operation that leases out its ransomware infrastructure to others in return for a percentage of the ransom proceeds. The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide. While BlackByte had some initial success—security researchers tracked attacks against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia—the gang hit a rough patch months later when cybersecurity firm Trustwave released a free decryption tool that allowed BlackByte victims to recover their files for free. The group’s simplistic encryption techniques led some to believe that the ransomware was the work of amateurs; the ransomware downloaded and executed the same key to encrypt files in AES, rather than unique keys for each session.

Despite this setback, it appears the BlackByte operation is back with a vengeance. In an alert posted in mid-February, the FBI and the Secret Service (USSS) warned that the ransomware gang had compromised multiple U.S. and foreign businesses, including “at least” three attacks against U.S. critical infrastructure, notably government facilities, financial services, the food industry, and agriculture.

The advisory, which provides indicators of compromise to help network defenders identify BlackByte intrusions, was released just days before the ransomware gang claimed to have encrypted the network belonging to the San Francisco 49ers. BlackByte disclosed the attack the day before the Super Bowl by leaking a few files it claims to have been stolen.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, says that while BlackByte isn’t the most active RaaS operation, it’s been steadily racking up victims over the past few months. However, he adds that because of recent action by the U.S. government against ransomware actors, the gang might take a cautious approach.

“The FBI and Secret Service advisory states that BlackByte has been deployed in attacks on at least three U.S. critical infrastructure sectors, including government. Interestingly, no such organizations are listed on the gang’s leak site, which could indicate that those organizations paid, that no data was exfiltrated or that BlackByte chose not to release the exfiltrated data,” he said. “That final option is not unlikely: since the arrests of members of REvil, the gangs seem to have become more cautious about releasing data, and especially with U.S. organizations.”

Callow said that while all signs suggest BlackByte is based in Russia, since the ransomware, like REvil, is coded not to encrypt the data of systems that use Russian or Commonwealth of Independent States (CIS) languages. That “shouldn’t be taken to mean the attack was carried out by individuals based in Russia or the CIS.”
​
“Affiliates may not be located in the same county as the individuals who run the RaaS,” he added. “They could be based anywhere—including the U.S.”

1Password, a leader in enterprise password management, recently launched Secrets Automation, an easy-to-use way to secure, manage and orchestrate the rapidly expanding infrastructure secrets required in a modern enterprise. Secrets such as corporate credentials, API tokens, keys and certificates can number in the hundreds for midsize businesses and many thousands for enterprises. This scale and complexity lead to huge security risks. Besides the new product launch, 1Password also completed the acquisition of SecretHub, a secrets management company that protects nearly 5 million enterprise secrets a month. The SecretHub team and CEO Marc Mackenbach will join 1Password immediately, adding expertise and engineers to speed up the 1Password Secrets Automation roadmap. 1Password Secrets Automation launches with a host of partnerships and integrations that will make it easy for developers and DevOps teams to integrate with the mission-critical tools and libraries they already use.  

1Password is the first line of defense for over 80,000 businesses worldwide protecting their employees, customers and intellectual property by securing passwords, financial details and other sensitive information. Today's launch and SecretHub acquisition signal a major expansion of 1Password, helping enterprises secure their infrastructure and machine-to-machine secrets alongside their human passwords. 

"Companies need to protect their infrastructure secrets as much as their employees' passwords," said Jeff Shiner, CEO of 1Password. "With 1Password and Secrets Automation, there is a single source of truth to secure, manage, and orchestrate all of your business secrets. We are the first company to bring both human and machine secrets together in a significant and easy-to-use way." 

Secrets Security Not Keeping Pace. With the massive expansion of Software as a Service (SaaS) applications, infrastructure secrets are multiplying as never before, scattered across multiple services and cloud providers. Companies often try to protect these secrets through a combination of home-grown solutions and awkward hacks. Human error within IT and developer organizations happens all the time and is compounded by risky shortcuts taken in the name of speed and productivity. 

Leaked secrets can have widespread ramifications; when an engineer accidentally placed a secret key into source code at Uber, the names, driver's licenses, and other private information of 57 million users were stolen. A recent GitGuardian report detected over 2 million infrastructure secrets exposed on code sharing platforms, growing 20% over the previous year. This underscores the massive and growing issue of properly managing secrets and protecting sensitive customer data. 

1Password Secrets Automation was developed to address directly these challenges. Key features include:

• The security of 1Password--store credentials, tokens and other secrets fully encrypted, using the same security that made 1Password the No. 1 enterprise password manager. 
• A single source of truth for all your secrets--gain complete visibility and auditability in a way that you can't when secrets are spread across multiple services. 
• Granular access control--define which people and services have access and what level of access they are granted. 
• Ease of use--built on 1Password's intuitive user interface, Secrets Automation delivers administrative simplicity, providing for good secrets hygiene. 
• Integration with your existing tools--Secrets Automation integrates with HashiCorp Vault, Terraform, Kubernetes and Ansible, with more integrations on the way. You'll also find ready-to-use client libraries in Go, Node and Python.

1Password and GitHub are also announcing a partnership: "We're partnering with 1Password because their cross-platform solution will make life easier for developers and security teams alike," said Dana Lawson, VP of partner engineering and development at GitHub, the largest and most advanced development platform in the world. "With the upcoming GitHub and 1Password Secrets Automation integration, teams can automate fully all of their infrastructure secrets, with full peace of mind that they are safe and secure."

A Roadmap Driven by Customer Demand. Kira Systems, an AI-based contract review and analysis software company, was one of many customers that requested 1Password expand its offering to solve their secrets management problems. 
​
"We've been a 1Password customer for six years and have long wanted to centralize our secrets management," said Joey Coleman, Kira Fellow and director, systems with Kira Systems. "We store terabytes of sensitive data across many deployments, so it is critical for us to have a secure and efficient way of managing the credentials that give access to that data. Secrets Automation delivers an extra level of security while also removing the manual labor required to manage the volume of passwords and credentials."

AR has populated science fiction, specialized industries, and high-tech experiments for decades. But in the 2010s, major companies—and countless startups—began treating AR headsets as a potential mass-market platform.

Facebook founder Mark Zuckerberg predicted in 2017 that televisions and phones would be replaced by holographic glasses. Apple CEO Tim Cook called AR “a big idea, like the smartphone.” Microsoft envisioned people watching the Super Bowl in its HoloLens headset. Google launched its ambitious Glass platform as a potential successor to phones, then helped propel the AR startup Magic Leap toward billions of dollars in investments. More recently, telecoms have partnered with AR companies like the Chinese startup Nreal, hoping high-bandwidth holograms will create a demand for 5G networks.

These companies’ products—as well as those of other major players, including Snap, Vuzix, and Niantic—often look very different. But most of them promise a uniquely powerful combination of three features.

• Their hardware is wearable, hands-free, and potentially always on—you don’t have to grab a device and put it away when you’re done using it
• Their images and audio can blend with or compensate for normal sensory perception of the world, rather than being confined to a discrete, self-contained screen
• Their sensors and software can collect and analyze huge amounts of information about their surroundings—through geolocation and depth sensing, computer vision programs, or intimate biometric technology like eye-tracking cameras

Over the past decade, nobody has managed to merge these capabilities into a mainstream consumer device. Most glasses are bulky, and the images they produce are shaky, transparent, or cut off by a limited field of view. Nobody has developed a surefire way to interact with them either, despite experiments with voice controls, finger tracking, and handheld hardware.

Despite this, we’ve gotten hints of the medium’s power and challenges—and even skeptics of the tech should pay attention to them.

In 2016, for instance, millions of people fell in love with the phone-based AR game Pokémon Go. When players logged on to catch virtual monsters, many discovered parts of their neighborhoods they’d never thought to visit. But they also found a world built on data that placed more gyms and PokéStops in white and affluent neighborhoods. They forged in-person connections by sharing virtual experiences, but those connections could also allow for real-world harassment.

The effects went beyond people who played the game. The owners of some homes near Pokémon Go gyms experienced a sudden influx of trespassers, leading a few to sue its developer Niantic and secure tweaks to the game’s design. Public memorials like the US Holocaust Museum asked players to respect the space by not chasing virtual monsters into it. Even this early foray into augmented reality exported some of the internet’s biggest flaws—like its ability to collapse context and overwhelm individuals with its sheer scale—into physical space.

Writer and researcher Erica Neely says that laws and social norms aren’t prepared for how AR could affect physical space. “I think we’re kind of frantically running behind the technology,” she says. In 2019, Neely wrote about the issues that Pokémon Go had exposed around augmented locations. Those issues mostly haven’t been settled, she says. And dedicated AR hardware will only intensify them.
​
Smartphone cameras—along with digital touchup apps like FaceTune and sophisticated image searches like Snap Scan and Google Lens—have already complicated our relationships with the offline world. But AR glasses could add an ease and ubiquity that our phones can’t manage. “A phone-based app you have to actually go to,” says Neely. “You are making a conscious choice to engage with it.” Glasses remove even the light friction of unlocking your screen and deliberately looking through a camera lens.

Secretary of State Tony Blinken announced last week plans for the State Department to create a new bureau of cyberspace and digital policy.

Why it Matters. The establishment of the bureau and plans for a new envoy to oversee critical and emerging technology come after a series of significant hack attacks and other online crimes, notably ransomware assaults on U.S. infrastructure.

Details. Blinken said in a memo to staff that following congressional approval, the new envoy and the Bureau of Cyberspace and Digital Policy "provide us with greater leadership and accountability to drive the diplomatic agenda within the interagency and abroad," per AFP. 

• State Department spokesperson Ned Price said at a briefing later Monday that the new Senate-confirmed ambassador-at-large would "lead the immediate technology diplomacy agenda with our allies, partners, and across the range of multilateral fora."
• The envoy would focus on "three key areas: international cyberspace security, international digital policy and digital freedom."

The Big Picture: President Biden signed an executive order in May in response to the cyberattacks in the public and private sectors — from the hacking of the Colonial Pipeline to the SolarWinds and Microsoft Exchange attack.
​

• Some $590 million had been paid by victims of ransomware attacks in the first six months of this year amid a surge in cybercrime, according to a Treasury Department report released earlier this month.

Last year a hacker group used a bit of malicious code it hid in a software update by the company SolarWinds to launch an immense cyberattack against U.S. government agencies and corporations—see Issues 7-27, 7-36, and 7-38.

The group behind the attack, Nobelium, is reportedly being directed by the Russian intelligence service. And they're at it again.

According to Microsoft, one victim of the SolarWinds hack, the group is targeting technology companies that resell and provide cloud services for customers.

"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain," Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, said in a blog post on the company's website.

"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," he added.
​
The hacker group hasn't tried to ferret out vulnerabilities in software, Burt said, but has been using techniques like phishing and password spray to gain entry to the targeted networks.

Office 365 users are now in cybercriminals' crosshairs in a new phishing campaign, according to a warning the Microsoft Security Intelligence (MSI) team issued via Twitter. Malicious actors are using email addresses that appear to be legitimate, with display names that mimic bona fide services to dodge email filters.
Microsoft cautioned cybercriminals are going above and beyond to use detection-evasion techniques that are convincing and authentic-looking.

"An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to slip through email filters," MSI explained on Twitter.

The deceptive phishing campaign targets Office 365 organizations with employees who often send attachments to co-workers. MSI found phishing emails that seemed as if they were sent from a trusted source. Many of these emails contained faux Microsoft SharePoint attachments with labels such as "Price Books," "Bonuses" and "Staff Reports."

The phishing emails use a tactic called "typosquatting," which involves registering deliberately misspelled domains that, at first glance, look close to a well-known brand. Most quick readers would overlook the subtle typo.

If users fall for the bait and click on the "Open" link, it will lead them to a page that lures them to type in their Microsoft or Google credentials. According to MSI, these sign-on pages look very convincing, making users believe that they're on a trustworthy path to a legitimate website.

MSI kept emphasizing how authentic these phishing emails looked. Employers may not be able to rely on their employees' good judgment to identify suspicious-looking emails. That's why MSI shamelessly plugged its Microsoft Defender for Office 365 program as a solution, adding that this software "detects and blocks" these emails.
​
Phishing attacks are a huge thorn in the side for many popular companies like Netflix and PayPal, but the Redmond-based tech giant should be particularly concerned. According to a CheckPoint Research study, Microsoft topped the list as being the most imitated brand for phishing attacks.

Benefits. A well-known example of an emerging technology is artificial intelligence (AI). This technology has many facets, including machine learning, natural language processing and speech recognition. In September/October 2020, the Information Systems Audit and Control Association (ISACA) and Protiviti conducted a global survey of over 7,400 IT audit leaders and professionals to get their perspectives on the top technology risks their organizations will face in 2021. Nearly 50% of the over 4,500 global respondents to the ISACA survey showed they are already using AI technologies (22%) or are in the planning and pilot stages of adopting them (27%).

Companies that have adopted emerging technologies, such as AI, hope to benefit from the competitive advantages that these technologies can provide. For example, cost savings and heightened revenues are made possible through increased efficiency and enhanced customer products and experiences.

Companies can speed up the adoption of emerging technologies by investing broadly across the company and using technologies in a way where the responsibility resides with the process owner. This approach generates better cost savings as process owners can solve a business problem specific to them, resulting in operational efficiencies and an increase in quality analysis.

Internal audit can also embrace AI technologies to enhance risk monitoring and control effectiveness. In a use case-specific example, machine learning can analyze general ledger data and pinpoint incorrect or fraudulent journal entries among thousands of other transactions. Note that larger and more complex business problems—which may have a broader impact across multiple areas of the business or have aspects that present greater risk to the company—would require collaboration and consultation with data scientists, who could be internal personnel or consultants.

Risks. Companies adopting emerging technologies must not only consider the benefits but also the associated risks. To develop an understanding of individuals' perceptions, the ISACA survey asked respondents to indicate their views on the risks of adopting AI technologies. Most respondents rated the risks associated with AI to be low (30%) or medium (33%), whereas only 9% determined AI to be high risk. In practice, companies must consider the maturity and complexity of the business processes using AI to determine true risk to the company.

One risk is that these emerging technologies will not achieve companies' expectations. To combat this risk, a clear vision needs to be established and supported by defined objectives with realistic targets. Due diligence involves thorough research to identify requirements for new projects that have a significant impact on the company. IT governance should play a substantial role as emerging technologies are being integrated into the business, including representation across different IT groups—such as application development, security, and infrastructure—within the IT governance process. This will enable communication across various parts of the business and help identify additional needs while streamlining project implementation. Monitoring and regular status updates should be communicated to senior leadership throughout the project, as well as post-launch to help determine if ROI was achieved or miscalculated.

Risks can also emerge from changing regulations that may limit the success of an emerging technology. For example, privacy laws related to the collection of consumer data could impede a company's ability to use successfully certain emerging technologies by disrupting current products and services in production. New regulations are imminent, especially surrounding algorithmic bias for technologies that affect customers. Continuous monitoring of new regulations and nimble development processes are necessary to ensure models comply with changing and new regulations.

Finally, there is a risk that a misconfiguration of the technology could cause an algorithm error issue, which would affect data quality and create threats to data security. These risks can be mitigated by putting strong change management processes in place. These processes ensure test cases are effectively designed and performed, that version controls appropriately log changes to models and source code repositories, and that peer reviews are conducted for coding and model changes. During the planning and building phase, it is critical to be mindful of the data set to identify potential biases and ethical dilemmas.
​
Adopting emerging technologies can create competitive advantages, but these benefits are naturally accompanied with risk. Process owners can take a proactive approach to identify risks by engaging with internal audit or enterprise risk management. Starting discussions about risks and controls early in the technology's implementation will help identify any unaddressed issues and process improvements and ensure emerging technologies are successfully integrated into the business.