Zoom: Security Problem or Social Lifeline?

One thing I’ve learned from a career in the information security industry is that any big global event has security implications — elections, hurricanes, earthquakes, matters of war and peace, you name it.

The dots that connect infosec to COVID-19 were apparent from the beginning. I saw the virus becoming the main preoccupation among attendees at the RSA Conference — the last in-person event I attended before all hell broke loose.

Since then, it’s been the main concern among clients my company serves. (It bears repeating that I’m grateful to be doing work that matters during this crisis.)

As we all hunker down and work from home, videoconferencing has become a front-and-center security challenge. Malicious hackers have set their sights on these platforms to cause disruption and steal our personal data.

Amid this, Zoom has become the poster child for the technology’s security holes. Zoom CEO Eric Yuan has addressed the problems — vulnerabilities that enable such things as “Zoombombing,” when intruders hijack video calls and post hate speech and pornography.

“‘If we mess up again, it’s done,’ I thought a lot last night,” he told The Wall Street Journal.

There has been a rising chorus of security professionals warning people not to use Zoom, especially for business meetings. There are many other, more secure options for videoconferencing, they say. There’s some validity in that. I’ve also seen reports of similar security holes in other video platforms. That’s a vulnerability management issue corporate security teams must stay on top of.

But for the larger population, I don’t see Zoom going away, nor should it. Yuan is right — his company needs to get a handle on this. But there will never be 100 percent security. There never is with anything.

I also don’t believe the security challenges should diminish our gratitude for what has become a critical lifeline during the pandemic.

Personally, Zoom has allowed me to stay connected to friends, family and industry peers. Without it, I can’t say for certain that I’d be managing my emotions as well as I have. I’ve even made new connections that I’ll be learning from long after this crisis passes.

I suspect many of you could say the same.

My takeaway: Keep using Zoom. Just be mindful of the security risks and take the necessary precautions. Some people I collaborate with in my day job have offered some useful advice.

It’s also worth noting that some of the smartest security minds on Earth continue to use Zoom for things like virtual happy hours. If they still feel safe using it, so do I.

I’ll end with some perspective from my friend Dave Kennedy, founder of Binary Defense and TrustedSec, along with Amit Serper, VP of security strategy and principal security researcher at Cybereason, and Russ Handorf, Ph.D., principal threat intelligence hacker at White Ops.

Together they have written about concrete security steps all users can take. I recommend you read it all. As they note in the article:

The Internet, and especially infosec twitter is full of hot takes and attempts to generate sensational headlines and alarmist news items. It’s important to remember that “not all that glitters is gold”. Vulnerabilities exist in many programs and no piece of code is immune to such issues. Not every vulnerability or exposure is critical and creates an unmitigated or dangerous risk. Knowing what your threat is and applying careful thought to threat modeling is a crucial part of understanding the problem and determining its true effects.

Day 23: How I Try to Stay Sane

It has now been three solid weeks since I’ve been in my office. I miss:

  • Leaving the house every day to go somewhere before dawn
  • Walking Boston’s North End, wharves, markets and common
  • Having face-to-face interaction with colleagues

But I’m fighting the good fight. Here are some things getting me through the doldrums.

Mood Music (in memory of Adam Schlesinger, dead of COVID-19):

  • Keeping my health program going, maintaining weight loss and taking daily walks around the neighborhood and wooded hills behind our house.
  • Drinking lots of coffee to stay alert (the house is well stocked with my beloved Death Wish blend).
  • Reading print and audio books. In a possibly ill-advised move, I spent a free Audible credit on John Barry’s The Great Influenza. I’m trying to learn ways forward by studying our history.
  • Taking naps, which has become an important tool for breaking up the days, which can get intense between work and the claustrophobic feelings that come with distancing.
  • Keeping in touch with friends via video hangouts, including last weekend’s session with these nutjobs:
  • Being with my family. Though we frequently drive each other crazy, I’m grateful to be together with Erin and the kids and am amazed at how the boys have been able to keep up with their classwork by video.
  • Streaming services like Netflix, Amazon Prime and BritBox have been a godsend. We’re watching a lot of Star Trek, Battlestar Galactica, Call the Midwife and Midsomer Murders.
  • Sleeping more. Though I continue to be an early riser, I’m taking advantage of the lack of commute to sleep an extra hour each night.

What are you doing to stave off the crazies?

3 Thoughts for 30 Days

The past three weeks have been surreal, like existing inside Salvador Dalí’s “The Persistence of Memory” painting. If the U.S. government’s plan holds, we’ll live in this world for another 30 days at least.

How do we get through it?

I have three thoughts on that.

1. Leave Predictions to the Experts

Peruse Facebook and you’ll see a lot of people clutching straws, slicing and dicing numbers for signs that the COVID-19 death rate will be low, and sharing charts that predict when cases will peak and drop. I’ve done it, too. It’s not helpful.

All we can control is the present. All we can do is be there for family and friends, get some exercise and do our work (if we can). To do that, we have to…

2. Accept Reality and Adapt

The government estimates that 100,000–240,000 people will die. The lower number happens only if we do everything perfectly, but either way there will be many deaths. We don’t know who will die. We don’t know how long we’ll shelter in place. If we fixate on how unreal all this seems, our despair will build.

My approach is admittedly fatalistic on the surface: I’m just assuming we’ll be in this fight for a long time. I take nothing for granted — my job, my health, my ability to avoid episodes of depression. Losing ground in these areas is all within the realm of possibility.

That sounds bleak, but there is a positive: By accepting that things are and will remain bad for some time and that anything can happen, I can adapt and focus on what’s in front of me — and what’s in front of me is pretty good.

In the face of the current crisis, we are already seeing humanity’s ability to adapt: we’re keeping business and learning running remotely, repurposing plant operations to churn out medical gear and moving from lost hospitality jobs to those that are in demand — grocery stores and medical facilities, for example.

To adapt is to survive and thrive.

3. Learn from History

This is the craziest thing many of us have experienced in our lifetimes, and the memes telling us that we have it easy — that all we have to do is sit on the couch and watch TV — ring hollow. We have to keep our families, jobs and finances going, after all. But there are shreds of truth in those memes, particularly on two points:

  • Our parents and grandparents lived through The Great Depression and WWII. They emerged stronger.
  • People survived the Spanish Flu a hundred years ago, at a time when there were no antibiotics, no 24-hour news to keep us informed and none of the comforts we take for granted today.

History gives us perspective. In fact, we’re already drawing on what our elders did to get through the present.

As we stock our pantries with enough food to last a few months, it’s hard not to think about our grandparents and how they struggled to keep well stocked.

It’s hard to look around us and not think of black-and-white images from the Spanish Flu — people in masks, keeping their distance.

This will only get harder as the weeks pass. We’re going to hear a lot of bad news along the way.

What we do now can make us stronger and heal some older societal wounds. Call me a naive optimist, but I believe it because I’m a history buff who has studied the past.

I’ll end with this wisdom from CNBC’s Ron Insana:

It seems extremely important to remember that there are things that are truly unprecedented and new and those that are, however tragically, new to us.

Yes, of course, there are elements of this tragedy, now playing out, that are truly unprecedented. The speed of the economic shutdown, the emptiness of major cities and a few other realities with which we must come to terms.

Other aspects are just new to us. The 1918 flu required “social distancing”…. 

For our parents, or grandparents, World War II, by itself, raged on for four long years.

We haven’t yet sat still for four weeks.

We’re being asked to sit on a couch and watch TV. Come on America. We got this.

5 Positive COVID-19 Developments

Today, five news items to boost hope out there.

The Coronavirus Is Mutating Relatively Slowly

Some viruses, like flu, change quickly, making them harder to prevent through vaccines. So far, though, the coronavirus seems to be picking up only about two mutations each month. Flu makes changes about two or three times faster. This bodes well for efforts to make a vaccine that will be effective.

NPR

Coronavirus Slowdown in Seattle Suggests Restrictions Are Working

The coronavirus first appeared in the United States in the Seattle area and claimed 37 of its first 50 victims. But Seattle’s strict containment strategies, which were put in place almost immediately, are having an effect. “Hospitals have so far not been overwhelmed. And preliminary statistical models provided to public officials in Washington State suggest that the spread of the virus has slowed in the Seattle area in recent days,” the New York Times reported.

NYT

Some Insurers Waive Patients’ Share Of Costs For COVID-19 Treatment

According to NPR, “insurers Cigna and Humana announced Monday that they would waive consumer costs associated with COVID-19 treatment. Last week, CVS Health announced a more limited change — that Aetna would waive costs to patients for hospital admissions related to the coronavirus.”

NPR

In Under a Week, Formula One Created a Breathing Aid That Can Help Keep Coronavirus Patients Out of ICU

University College London and Mercedes F1 have made a breathing aid for coronavirus patients that sends oxygen to the lungs, reducing the need for a ventilator. It was created in less than a week, and 40 of them have already been delivered to several London hospitals. Other companies, including Rolls-Royce, BAE Systems and Ford, have pledged to produce ventilators for the UK’s NHS.

BBC

Wuhan Partly Reopens After Lockdown

“The city in China where the coronavirus pandemic began, Wuhan, has partially re-opened after more than two months of isolation,” said the BBC.

“Crowds of passengers were pictured arriving at Wuhan train station on Saturday.

“People are being allowed to enter but not leave, according to reports.

“Wuhan, the capital of Hubei province, saw more than 50,000 coronavirus cases. At least 3,000 people in Hubei died from the disease.

“But numbers have fallen dramatically, according to China’s figures.”

I’ll post more stories like these as I find them.

BBC

A Useful Bout of Depression

This weekend the depression finally arrived. Given the scale of the crisis we’re all traveling through, I’m surprised it took this long. But it may have been exactly what I needed.

Depression is often thought of as varying levels of sadness and feelings of emptiness. Those are certainly real and I’ve experienced it all. But what I went through this weekend wasn’t in that range. This was the tired variety of depression.

I’ve described this before as “happy depression” — your sense of purpose is intact and you remain fully aware of the good things around you. But you’re exhausted from the fight and a cloud descends over the mind.

In a weird way, I’ve come to see this type of depression as a defense mechanism, forcing me into low-power mode to recharge for the longer fight ahead.

That defense mechanism kicked in yesterday. I dozed a lot and watched a lot of TV. I allowed myself a few extra calories but remained within my Noom calorie budget. Overnight I slept harder than usual.

Now it’s Monday and I’m expecting another intense work week. The sky is overcast, which always dampens my spirits. Using the 5-stage depression scale I devised a few years ago by ripping off the 5 Stages of Grief, I figure I’m at 5 (acceptance), though I don’t know if I really experienced 1–4. It’s possible I have and it was mild enough in intensity that I didn’t notice.

I’m grateful that this is only a happy depression and not the crippling, empty variety of depression. I’m going to use my tools and try hard to keep it that way.

One impossible day at a time.

When the Best OCD Management Tools Fail (and What to Do About It)

Admission: Despite all the training and tools I’ve accumulated to manage clinical OCD over the years, the demons still run over me in spectacular ways on occasion. Yesterday was one of those days.

Things I’ve learned about OCD management:

  • Practice mindfulness through meditation
  • Push back thought distortions — the kind associated with something like impostor syndrome.
  • Take walks
  • Prayer (as part of that first one)

Sometimes, though, my passions run so hot that I flat-out forget to pick up those tools.

In recent weeks, my work has involved producing a lot of written guidance for businesses trying to maintain security as workforces go remote. I’ve taken the task close to heart because it’s one small way I can do my part to get society through this, aside from the physical distancing. Also: It’s my job.

But when my OCD runs hot, my patience grows threadbare. I want to get content out quickly. It’s the old newsman in me. Which can be at odds with another truth: When dealing with technological guidance, the more painfully rigorous the process, the better.

Yesterday, I realized that my obsessive-compulsive nature was trying to circumvent that process, and I suspect it made life difficult for a couple of my colleagues. To them, I apologize.

The good news: I caught myself, with gentle pushback from a couple people. Now I’m going to step back a little today and pick those tools back up.

This isn’t meant as a public self-flaying exercise. It’s a message for everyone working through these times with OCD, anxiety, depression and other mental disorders:

  • You’re not alone.
  • You’re not stupid or weak.
  • Health management of any kind is a titanic task in times like these.
  • Yes, past generations have weathered trying times (The Great Depression and WWII come to mind), but individuals who did great things along the way still failed from time to time.
  • Beating ourselves up — something I excel at — is worse than useless.

When we have bad moments, let’s take a breath, step back, dust off and get back to work.

That’s what I’m going to do.

But first, a nap. That’s a good OCD management tool, too.

COVID-19 Gratitude 3: Seeing My InfoSec Friends Fight the Bad Guys

The pandemic has kept me and a lot of friends in the information security industry busy, as attackers try to cash in on the hysteria over COVID-19. Watching friends in the industry come together to do their part has been a powerful shot in the arm for me.

We are truly in this together.

A couple quick examples.

The COVID-19 CTI League, for cyber threat intelligence. This group spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft and Amazon:

One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.

Also key is the defense of communication networks and services that have become essential as more people work from home, said Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc.

—Joseph Menn, writing for Reuters

Cyber Volunteers 19 (CV19). This group formed specifically to target threats to healthcare facilities:

Cybercriminals are doing all they can to exploit the fear and confusion that the COVID-19 pandemic has brought with it. This exploitation does not stop at the hospital, medical facility, or healthcare service entrance. Staying on top of their cybersecurity game might not be the highest priority within those organizations right now, but it is nonetheless vital. It only takes one successful ransomware attack to have a life and death impact on patient care potentially….

One newly formed group of information security professionals, including company CISOs, penetration testers, security researchers, and more, have vowed to do all they can to help provide cybersecurity support to healthcare services across the U.K. and Europe.

—Davey Winder, writing for Forbes

These efforts are additional examples of how the current crisis has brought out the best in humanity.

When my spirits dim and waves of anxiety wash over me in these difficult days, seeing things like this gives me the strength to keep showing up.

Rock on, friends.

Those Walls Closing In? You’re Not Crazy

For all my writing about being positive, throwing myself into work and taking care of myself, I’d be lying if I told you I had it together all day, every day. Being stuck inside — even when breaking it up with walks and hikes — is taking a toll. And we’re only a couple weeks into this.

The last three days I’ve experienced frequent waves of crankiness. I get more impatient with my family, scowl whenever blue skies give way to overcast ones and feel like my skeleton is trying to rip itself out from beneath skin that doesn’t seem to fit quite right.

The waves pass and then I’m fine, but it makes me wonder what I’ll be like after another two, three or five weeks of this.

I’m not depressed. Depression is unmistakable to me, removing most of my motivation and filling my skull with fog that leaves me unable to connect the dots. Instead I remain focused and driven. That’s despite being on a much lower dosage of antidepressants than I’ve had in years.

No, in a world that’s now anything but normal, I think what I’m feeling is … normal.

I mention this because some of you may also feel the walls closing in. Surely some of you are feeling grim. All the Facebook memes about how our grandparents suffered worse in the Great Depression and WWII won’t change what we feel.

And that’s OK. When the unease overtakes you, allow it. Then keep showing up — for family and friends, for work, for community.

Even if much of that has to be on a video screen or chat window for now.

COVID-19 Gratitude 2: Getting My Health Back

There are many things I’m grateful for amid this pandemic. My health is one of them. A year ago, I would have been at much higher risk of catching COVID-19.

I’m certainly not bulletproof. No one is, based on the limited science we have on COVID-19 at the moment. But mentally and physically, I have much more fight in me.

This time last year, I was hovering around 290 pounds. I was on blood pressure medication, the CPAP was struggling to punch through airways under pressure from a fatty throat and I was getting migraines constantly. Weight-control measures that had worked in the past didn’t cut it anymore, especially the food plan and 12-step program I was following via Overeaters Anonymous (OA), which I wrote a lot about earlier in the history of this blog.

My experience is not a condemnation of OA or anything else that works for others. Many people need a 12-step program when addictive behavior is the root of their pain. It simply didn’t work for me. OA felt too much like a cult. I don’t like answering to people on a good day (except my wife), so calling a sponsor every day to report on everything I’d be eating didn’t work. I abandoned the program but kept the food plan and didn’t replace it with something better suited to my needs.

My health slid down and my weight shot up. It took me seven years to find something that worked better. My body paid a price in the meantime, as did everyone around me.

I had less energy, less patience, and a lot less clarity of mind. I fell into more frequent bouts of deep depression.

By May 2019, I hit bottom. My wife had found success using the Noom app and tracking her daily steps with a Fitbit, so I decided to give those things a try.

The combination has worked out because it’s allowed me to use data to manage my behavior. The numbers on the Fitbit tell me when I’m not moving around enough and compel me to get up and take walks. Noom allows me to track my calorie intake throughout the day to stay in check and has helped me make better food choices through its green-yellow-red classification system.

Using that simple combination, I’m down to 213 pounds — my lowest weight in more than a decade. I can’t remember the last time I suffered a migraine. I fit in airplane seats comfortably again (not that it matters at the moment), and I’m not getting winded every time I walk a few steps uphill. I’m at the point where I can maintain my weight and be in fighting form. I’m going to 210 just for the hell of it.

I had to turn things around under normal circumstances. That I have maintained it amid this unprecedented global crisis makes me feel grateful and lucky.

Life is always hard. Better to have more strength for the fight.

That may be obvious, but it’s not always easy to follow. Times like these show us that we must try harder.

COVID-19 Gratitude 1: Work That Matters

I’ve always been driven by my work — as a journalist, as someone responsible for completing the business my father left behind five years ago and especially in the role I play in the cybersecurity industry.

Work is certainly keeping me going during this pandemic. Amid physical distancing, there’s extra time to reflect on the last couple years.

I’ll talk more about the family business another time. For now, some words about my main job.

I’m fortunate to work in information security. I get to do my part, however small, in fulfilling several of society’s fundamental needs: keeping businesses running, keeping society safe from bad guys who would do us harm through our web-based tools and keeping people healthy.

In the past month, my company has released a lot of research on business continuity, protecting vital tech infrastructure from attackers looking to exploit our preoccupation with the pandemic. It’s also released research on helping medical institutions keep cyber threats at bay as they try to treat a growing influx of patients. Our content is usually for paying clients, but we’ve made all COVID-19 research publicly available.

The crisis adds fresh clarity to why I took this particular job two years ago.

I’ve always thrived on challenge, going for roles outside my comfort zone in a desire to push my personal evolution to the limit. I had a successful job as an infosec journalist but wanted experience actually doing the things I wrote about. That led me to Akamai Technologies, where I helped with incident response, in-house security training and development of a security research machine. I wanted to immerse myself in content marketing for a security vendor, so I went to Sophos, working with lab researchers to put their findings into writing. My current role at IANS returned me to familiar territory: I’m in an editorial director role, this time with security professionals who are members of our faculty.

This current role is probably the hardest, most rewarding I’ve ever had. I work directly with the company CEO — a career first — oversee development of a curriculum and work a lot more closely with clients than past roles allowed.

My mental wiring isn’t a natural fit for this work. But I’ve learned a ton and have certainly pushed my evolution to new heights. Through it all, I’ve been fortunate to be able to help people manage complex problems. I’m immensely grateful for that. Whatever this pandemic brings in the weeks ahead, I’m all in.

The more uncertain life gets, the harder I work. The more I see opportunities to help society, the more I will double down.

I see enough people determined to do their part, whether they work in tech or as food-delivery drivers, medics or bankers, to know that society will get through this. We may even emerge on the other side better than we were. (I always try to be optimistic. I see no reason to stop now.)

No doubt there are many who aren’t as lucky and can’t lean on their work right now. My heart aches for everyone who lost their jobs at hotels, movie houses, restaurants, airlines, hair salons and other businesses forced to shut down as people shelter in place.

The fact that my industry isn’t so drastically affected (so far) means I’m simply going to work even harder. I simply must.

Thanks to those who make it possible for me to keep working, and thanks to those who continue to teach me new things along the way.