Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via Short Message Service (SMS) and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.

In a blog post last year, citing internal Microsoft statistics, Weinert said that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

But in a follow-up blog post, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.

The Microsoft exec cites several known security issues, not with MFA, but with today's state of the telephone networks.

Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.

SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card – in attacks known as SIM swapping – allowing attackers to receive MFA one-time codes on behalf of their victims.

On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.

SMS and voice calls are the least secure MFA method today.

All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.

The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.
As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its extensive adoption.

Weinert says that users should enable a more robust MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.

But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
​
This preference for app or security key alternatives for MFA shouldn't mean that users should disable SMS or voice-based MFA for their accounts without substituting another MFA approach. SMS MFA is still way better than no MFA at all.

If ever there was a decade that announced itself so defiantly in the first year, it’s the 2020s. With so much change and volatility already, 2020 has proven this decade will be dramatically different than the one before it. IT and business leaders must prepare for ten years, unlike any others. 

For IT and business leaders, success in the 2010s meant capitalizing on innovative commercial IT (think cloud and mobile). As the decade went on, many of those firms began leveraging the same commercial platforms, looking and feeling very similar to their customers. Forward-thinking organizations began examining how digital differentiation could give them a leg up and then – wham! – 2020 came in with a bang.

In only a few months, business models were flipped on their heads. The coronavirus pandemic, economic downturns, the rise of values-based consumers, and increasing climate issues forced most businesses to pivot to new, mostly digital, models quickly this year. 

In case it’s not clear by now: What worked in the 2010s will not work in the 2020s as we see business shift from global toward hyperlocal operations. So, what will work? 

For starters, every business role must incorporate systemic risk into long-term planning. For future-fit IT leaders, the risks aren’t limited to the data center or network outages. Today’s threats include rapidly changing consumer trends that require digital pivots, increasingly complex security concerns, the ethical use of AI, and the increasing impacts of climate change. 

Feeling overwhelmed? The good news is that several emerging technologies can help your organization identify and address these risks and create a competitive advantage through disruptive innovation. A few examples include: 

• Employee privacy software that leverages the downpour of employee data without infringing on employee trust 
• AI that is learning how to code enterprise software and changing firms’ organizational structures 
• Cloud-native technology that helps you innovate with software everywhere, especially at the edge 
• Software dedicated to analyzing climate risk to evaluate your individual organization’s risk 
• Robotic process automation that can scale back-office processes for increased resiliency 

Aligning your tech stack to address your organization’s highest risks and pursue the right innovations will be the differentiator for future-fit firms in the 2020s. One of my prime reference sources is Forrester Research. They practice what they preach. Here are some of the steps they are taking to move productively into the 2020’s:

• Leveraging new technology platforms and models to deliver our research and insights to clients more efficiently in formats that let you decide how you want to learn from us. For example, each of the links above will take you to a short-form story explaining an important technology trend in video and text. Each further provides direction on the most critical emerging technologies to invest in, along with a link to our research to learn more. 
• We are moving from an annual trends and technologies report cadence to twice a year in the spirit of more insight faster, with new trends and emerging tech updates published in between.    
• Lastly, to start planning your roadmap for the decade ahead, our upcoming event, Technology & Innovation Global, will dive deep into many of these trends in a keynote panel I will be hosting. We will also feature several breakout sessions from our top analysts. At that event, we’ll demonstrate our next generation of emerging technology and trends research tools, so please join us!   

There are a lot of encrypted USB flash drives out there. You plug them in, and either there's an on-screen popup that asks for your passcode, or some sort of physical keypad that is used to gain access.

But what about transferring the unlocking mechanism to a mobile device – such as a smartphone or your Apple Watch?

This is precisely what the iStorage datAshur BT hardware-encrypted USB flash drive does.

Visually, the iStorage datAshur BT looks like any other USB flash drive. It has a tough epoxy-like exterior that gives the drive a water- and dust-resistant rating of IP57 (protected against damage from dust ingress, and water resistant to 1 meter).

The datAshur BT comes in capacities from 16GB to 128GB.

Data on the datAshur BT is fully encrypted using AES-XTS 256-bit hardware encryption, which is FIPS 140-2 Level 3 compliant design and technology. Brute force is defended against by a built-in data wipe if there are too many wrong attempts made.

Everything is protected by a 7-15-character password or a biometric unlock such as Face ID/Facial recognition, Touch ID/Fingerprint, or IRIS scanning from a smartphone or tablet. The drive communicates using Bluetooth to any smartphone/tablet (iOS/Android) or Apple Watch. The Bluetooth channel is secured by a FIPS validated encryption layer and is only used for connection purposes. There is also support for 2FA using SMS.

The drive itself is completely host independent, so it will work with Windows, Mac, Linux, Chrome, and so on, VDIs such as Citrix and VMWare, and also with embedded systems such as medical devices, TVs, drones, printers, scanners, or pretty much anything with a USB port.
​
Prices for the iStorage datAshur BT range from $103 to $181, depending on the capacity.

Microsoft has disrupted a massive hacking operation that it said could have indirectly affected election infrastructure if allowed to continue. 

Last Monday, the company said it took down the servers behind Trickbot, a massive malware network that criminals were using to launch other cyberattacks, including a strain of highly potent ransomware. 

Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot's servers and worked with telecom providers worldwide to stamp out the network. According to The Washington Post, the action coincides with an offensive by US Cyber Command to disrupt the cybercriminals, at least temporarily.

Microsoft acknowledged that the attackers are likely to adapt and seek to revive their operations eventually. Microsoft said the company's efforts reflect a "new legal approach" that may help authorities fight the network going forward.

Trickbot allowed hackers to sell what Microsoft said was a service to other hackers – offering them the capability to inject vulnerable computers, routers, and other devices with other malware. 

That includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or third-party software vendors that provide services to election officials.

"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," Microsoft VP of security Tom Burt wrote in a blog post.

Ransomware seizes control of target computers and freezes them until victims pay up – though experts urge those affected by ransomware not to encourage hackers by complying with their demands. The Treasury Department has warned that paying ransoms could violate US sanctions policy.

He added: "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."

A separate technical report by Microsoft said Trickbot had been used to spread the Ryuk ransomware. Security experts say Ryuk has been attacking 20 organizations per week.

But Trickbot has also been used to spread false and malicious emails containing malware that tried to lure victims in with messaging surrounding Black Lives Matter and Covid-19, Microsoft said.

Microsoft said Trickbot had infected more than 1 million computing devices globally since 2016 and that its operators have acted on behalf of both governments and criminal organizations, but their exact identity remains ambiguous.

Taking down Trickbot follows a series of attacks that became highly publicized in recent weeks: One targeting Tyler Technologies, a software vendor used by numerous local governments, and Universal Health Services, one of the nation's largest hospital companies. A statement on Tyler Technologies' website has said the company does not directly make election software. The software it produces that is used by election officials to display voting information is separate from its internal systems affected by the attack.
​
Ransomware could pose a risk to the election process if systems designed to support voting are brought down, according to Check Point threat analyst Lotem Finkelstein. Still, so far, experts regard it as "mainly a hypothetical threat right now."

Companies are tracking what you do online. You know this. But it can be a challenge to see the extent because the methods are hidden on purpose. At least 87% of the world’s most-popular Web domains engage in some form of digital tracking without you ever signing in, according to investigative journalism nonprofit the Markup.

To investigate the pervasiveness of online tracking, The Markup researchers spent 18 months building a one-of-a-kind free public tool that can be used to inspect websites for potential privacy violations in real time. Blacklight reveals the trackers loading on any site—including methods created to thwart privacy-protection tools or watch your every scroll and click.

In one study, scanning more than 80,000 of the most popular websites using the Blacklight software, found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies.

The study also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page – including scrolls and mouse movements. It’s called “session recording,” and the study found a higher prevalence of it than researchers had documented before.

74% of sites loaded Google tracking technology, and 33% loaded Facebook trackers. It’s staggering to see the reach of those two Silicon Valley giants – it’s easy to forget they track you even when you’re not using their websites or apps.

Try it out here. Just enter a URL, and you’ll see a real-time count of the ad trackers, third-party cookies, cookie evaders, and keystroke recorders on any given site.

What you find might surprise you. Pet food-maker Purina notched almost every possible kind of tracking Blacklight detects, which Purina can use to learn about the demographics and interests of people, their brand loyalty and even to understand how they use their website. It had 16 ad trackers, 34 third-party cookies, fingerprinting, and monitoring of keystrokes and mouse clicks.

Joe Biden’s website as of Thursday used fewer third-party cookies, 7, than President Trump’s website, 38, according to Blacklight.
​
Microsoft had 50 third-party cookies. Apple had zero – in fact, it uses no tracking tech at all, according to Blacklight.

Wireless engineers, automakers, and governments have spent years preparing for a future where autonomous cars will communicate with each other and sophisticated transportation networks – an initiative known as “cellular vehicle to everything,” commonly abbreviated C-V2X. Recently, the 5G Automotive Association (5GAA) offered a roadmap for mass deployments of automotive communications technologies, and its timeline includes several interesting dates that aren’t as far off as some people might have guessed.

Based on the current pace of cellular industry standards organization 3GPP’s 5G releases, global 5G deployments, and the state of the automotive communications supply chain, the 5GAA expects three C-V2X stages over the next decade:

1. From 2020 through 2023, automakers will rely on 4G LTE-V2X technology to enable basic safety features, such as left-turn assistance and emergency electronic brake light features, to improve traffic efficiency. They’ll augment primary local hazard and traffic information that’s already being shared over cellular networks.
2. Starting in 2024, the 5GAA predicts a “large-scale introduction” of 5G-enabled automated driving technologies that rely on communications between vehicles and infrastructure. For example, 5G-V2X will be used to park cars in parking garages automatically – a car-to-private infrastructure use case Bosch is already testing in German and U.S. locations – followed by “more complex environments and scenarios” including public roads. Tele-operated driving will also be possible.
3. In 2026, 5GAA expects all new autonomous vehicles will include 5G-V2X, kicking off an age where cars cooperate by sharing high-definition sensor data. Some of C-V2X’s most widely anticipated autonomous functionality, such as cars being able to share their upcoming intentions with each other and the network, as well as combining video and depth information for real-time cooperative perception, will be in pilot test stages at this point. Urban and highway pilot programs for dynamic intersection management and cooperative traffic flows could take until 2029.

5GAA expects that the 3GPP will continue to evolve the 5G standard from current Release 16 through 2023’s Release 18, enhancing industry support and specifications for 5G-V2X as carriers continue building out their 5G infrastructures. As nice as it would be if autonomous vehicles could just start relying on 5G today, the reality is that 5G infrastructure isn’t yet built out enough around the world. There are technological and legal practicalities to consider, as well.
​
Allocating wireless spectrum to vehicles will be critical to 5G-V2X deployments, the 5GAA notes, ideally harmonized internationally at 5.9GHz, as well as low band spectrum for use in rural driving, and mid-band spectrum in urban environments. The group expects basic safety to require 10 to 20MHz of spectrum for direct 4G communications, plus 40MHz or more for advanced 5G driving.

Microsoft, IBM, Hyperledger, and other technology and financial organizations have formed an alliance to develop global standards for tokenized ecosystems. 

Microsoft’s principal architect, Marley Gray, and Enterprise Ethereum Alliance’s former executive director, Ron Resnick, recently launched the InterWork Alliance (IWA), a nonprofit organization aimed at bringing global standards to the token-based ecosystem.

At launch, the IWA included more than 28 blockchain, technology, and financial organizations from around the world, including Microsoft, Chainlink, Hyperledger, IBM, Nasdaq, Accenture, and others.

The IWA indicated that startups presently working on tokenized ecosystems are mostly focusing on their individual solutions and marketing their platforms to other businesses.

Setting global standards, it said, will help focus this wide-scale innovation to make a collective impact on businesses. Resnick, IWA’s president, stated:

“For this approach to work, standards are urgently needed around defining what a token is and how its contractual behaviors will work.”

Common Frameworks. InterWork Alliance plans to work on three different frameworks of global standards for tokenized ecosystems. First, the Token Taxonomy Framework will provide a common language and toolset so that multiple parties can agree on the same terms that define a token and its use. 

The InterWork Framework will help businesses compose multiparty contracts from standard, globally recognized clauses set by the IWA. Lastly, the Analytics Framework will help companies to analyze multiparty deals and utilize artificial intelligence services and market-driven data reporting.

With these, the IWA will eventually work on interoperability between decentralized applications from different blockchain networks. 

Standardization for Wider Adoption. Organizations involved with the IWA are highly optimistic about how bringing global standards to the token ecosystem will further the adoption of distributed business models.

Gray noted that providing indstry participants with token standards for a variety of distributed technology use cases can help foster interoperability and drive widespread adoption. 

Brian Behlendorf, the executive director of Hyperledger (an IWA member), said:

“Standards play a critical role in the evolution and adoption of any emerging technology. Distributed applications and token-based services will require established frameworks that assure solutions interwork on the business level, regardless of underlying technology platforms.”
​
“The Alliance will help establish a foundation not only for technology and business but for the changing tokenization landscape as well. A platform-neutral alliance is critical for the entire industry,” said Nitin Gaur, the director of IBM WW Digital Asset Labs.

The average cost of a “mega” data breach has risen astronomically over the past year, and enterprise players impacted by such a security incident can expect to pay up almost $400 million.
Data breaches are a commonplace occurrence now, and cyberattacks launched against companies have spawned a new cyber insurance industry, the emergence of regulatory and class-action lawsuits against firms that fail to protect data, and new laws – such as the EU’s GDPR – that can be used to impose heavy penalties against data controllers with lax security. 
Yet, the data breaches keep rolling in, some of which lead to the theft of consumer records for sale on underground forums and an increased risk of identities being stolen. 
To tackle the aftermath of a data breach, organizations may need to spend funds on repairing systems and upgrading architectures, they may need to invest in new cybersecurity services and cyber forensics, and they may also face lawsuits or regulatory penalties – and the cost continues to increase year-on-year when customer personal information is involved. 
Last week, IBM released its annual Cost of a Data Breach Report, which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these “mega” breaches can cost up to $392 million to remedy, up from $388 million in 2019.
If an organization is acting as a data controller for between 40 and 50 million records, the cost, on average, is $364 million, and organizations could face a charge of up to $175 per consumer record involved in data theft or leaks.
The study, conducted by the Ponemon Institute, includes interviews with over 3,200 security professionals working at companies that have experienced a data breach in the past year. 
Compromised employee and insider accounts, as highlighted by the recent Twitter hack, are one of the most expensive factors in data breaches today, bringing the average cost of a data breach up to $4.77 million. When insider accounts were involved, 80% of incidents resulted in the exposure of customer records. 
In total, stolen or compromised account credentials – alongside cloud misconfigurations – account for close to 40% of security incidents. 
IBM says that in one out of five breaches, compromised account credentials have been used as an entryway for attackers, leading to the exposure of over 8.5 billion records in 2019 alone. Cloud misconfigurations account for close to 20% of network breaches. 
The exploit of third-party vulnerabilities, such as zero-day or unpatched security flaws in enterprise software, is also a costly factor in data breaches. An enterprise company that suffers a data breach due to such vulnerabilities can expect to pay up to $4.5 million. 
State-sponsored attacks, including those conducted by advanced persistent threat (APT) groups, are far less common and only represent 13% of overall data breaches reported by enterprise companies. However, when these threat actors are involved, the damage they cause often results in higher recovery costs, represented by an average of $4.43 million. 
If cyber insurance has been taken out by organizations, this can reduce the damage bill on average by $200,000, with the majority of insurance payouts used for legal services and consultancy fees. 
Within the report, IBM cites AI, machine learning, and automation as valuable tools for responding to data breaches that may cut down incident response times by up to 27%.
“At a time when businesses are expanding their digital footprint at an accelerated pace, and the security industry’s talent shortage persists, teams are overwhelmed, securing more devices, systems, and data,” commented Wendi Whitmore, VP of IBM X-Force Threat Intelligence. “When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies.”

The US Federal Bureau of Investigation has sent an alert last week warning US companies about backdoor malware that is silently being installed on the networks of foreign companies operating in China via government-mandated tax software.

The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China.

Making matters worse, the FBI says that all foreign companies are required by local Chinese laws to install this particular piece of software to handle value-added tax (VAT) payments to the Chinese tax authority.
FBI officials said the backdoor malware was spotted in the VAT software of two Chinese tech companies – namely Baiwang and Aisino.

Unfortunately, these are the only government-authorized tax software service providers allowed to operate VAT software in China, officials said, suggesting that any foreign company operating in China was most likely affected by this issue.

The FBI alert also listed two separate incidents where the infected companies have discovered the malware's presence on their networks.

GoldenHelper. "In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since March 2019, Baiwang released software updates that installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company's network," the FBI said – describing what later security firm Trustwave identified as the GoldenHelper malware.

GoldenSpy. "In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software application from Aisino Corporation that is required by a Chinese bank under the same VAT system, likely contained malware that installed a hidden backdoor to the networks of organizations using the tax software," the FBI also said – describing what Trustwave identified as the GoldenSpy backdoor, believed to be a second and improved iteration of the original GoldenHelper malware.

The FBI warns US companies that the backdoor malware installed on their systems has dangerous capabilities that may allow "cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim's network."

FBI officials said they believed US companies in the healthcare, chemical, and finance sectors operating in China are in particular danger, based on China's historical interest in these sectors.

Currently, the FBI Flash Alert AC-000129-TT is being distributed to companies in the previous sectors so they can investigate further.
​
Indicators of compromises, such as malware file hashes and network communication URLs that may help companies identify the presence of any of the two backdoor versions, are available in Trustwave's GoldenHelper and GoldenSpy reports.

While the FBI alert didn't point the finger at the Chinese government directly, the warning said that both Baiwang and Aisino operate their VAT software under the management and oversight of NISEC (National Information Security Engineering Center), a state-owned private enterprise, with "foundational links" to China's People Liberation Army, suggesting a well-orchestrated nation-state intelligence-gathering operation.

One of my favorite training assets is ScreenCastsOnline from Mac pioneer Don McAllister. Each week they produce a full tutorial and a shorter tip video on Mac software and services.

This week, the main tutorial was on a free online service called xkpasswd. This open-source service will produce incredibly secure passwords. There are five settings that you can customize, and based on these settings, the site will generate several passwords from which you may pick one that you like.

The five settings include:
         • Words: set the max number of letters and the number of words
         • Transformations: use the lower and upper case letters on words
         • Separator: a randomly chosen character to separate words
         • Padding Digits: any number of digits before and after the words
         • Padding Symbols: any number of symbols added to the front and back of the password.

After generating several passwords, the site will evaluate the level of safeness of the results. When the strength of the password is good or better, the numbers are shown in green. Less secure results display in red. This immediate assessment gives you the data you need to know that the password you select will be safe and extremely difficult to hack.

The site also has generated several configurations of the above five settings for specific uses. One configuration is designed for Apple ID passwords specifically. The values set are designed to respect the prerequisites that Apple places on Apple ID passwords. But, it also limits the symbols found on the iOS letter and number keyboards, so entering the password is easier.

One other configuration is called SECURITYQ and is designed to create answers to those pesky security questions such as the first name of the maid of honor at your wedding or your mother’s maiden name. Answering these questions with something other than the truth is really important since today’s hackers are getting very good at researching information about their prey. This configuration will help generate good answers to these questions without any relationship to reality.

The site is free, but they do note that the server that is running the application is not free, and they welcome donations.
​
Remember that all of these passwords need to be kept secure with good password management software such as 1Password, LastPass, and Dashlane.