Climbing Mountains

I hear a noise and open my eyes; my father is telling me it’s time to get up. It’s five in the morning. I crawl out of bed, throw on some clothes, and head to the kitchen for café and pan dulce. I’m in Mexico the summer after my freshman year of high school visiting my dad’s side of the family.

My grandparents live in a tiny mountain town called Bonhe in the State of Hidalgo, about two hours north of Mexico City, and a twenty-four-hour drive from the US border. In Bonhe, like many other parts of Mexico, most of the roads, buildings, and property-line walls are made of rocks, cement, and cinder blocks. In Bonhe, most people live a rural lifestyle. They drive down the mountain into town for food, clothes, and other basic necessities.

For income, my family own fields and farms a small number of animals. Today we will be hiking over two hours through the mountains to get to my grandfather’s fields. I finish my pastry and sip the last of my coffee, then head out the front door to collect everything we need for our journey. We grab two horses, load them up, and head out. We begin our trek on the unpaved, dirt path that connects my family’s property down to the actual road.

The main road is not any more comfortable though. Cobblestones of various shapes and sizes dig into our feet. Regardless, we make our way about a mile up and then break off into the mountain. Unlike the hikes I take back home in Arizona, there is no cleared path here. We are forced to maneuver through the bushes, cacti, and large rocks, cutting vegetation with machetes, slowly making progress toward our destination. I pause often to scrape the layers of mud off the bottom of my shoes.

The conditions I complained about as a kid in the United States are luxuries my father and his eight siblings never had growing up.

We arrive at the fields already tired, but the work has not even begun. We take a small break to drink water, then set up the plow and harness it to the horses. My job today is comparatively easy. I walk behind the plow-lead and drop seeds into the opened-up portion of the dirt. Behind me, my brother covers the newly laid seeds with little handmade metal “scoopers”. For the rest of the day, we go back and forth trading these duties. Although we have the easiest jobs, we are exhausted, working under the beating sun, thousands of feet in elevation.

This is a typical day for people in Bonhe. The conditions I complained about as a kid in the United States are luxuries my father and his eight siblings never had growing up. They had no electricity, no plumbing, and not even a nearby school.

So, at eighteen-years-old my father makes the biggest, scariest decision of his life––the decision that would create my life and affect many others. He comes to America. Twenty-five years later my family has made a lot of progress. My parents came from nothing. Now they are managers. My brother and I have graduated from high school (something our parents missed out on while working tirelessly to support us) and have moved on to higher education.

I believe we all have someone in our family line who has made personal sacrifices so that we can succeed.

I believe we all have someone in our family line who has made personal sacrifices so that we can succeed––whether it’s our parents, grandparents, or even further back. Someone who had no money and no idea how they were going to do it but believed in the American Dream. Someone who started from the bottom, saved money, and built a career or business. Someone who raised their kids with both the luxuries of America and the values of their homeland. Someone who did everything they could to make sure the younger generations had a better life than they had.

The question, then, becomes: What do we do with the opportunities that have been given to us? I believe the answer is simple: We strive to provide the next generation even better opportunities. While this answer may be simple, in practice it is not easy. We will have challenges, bad days, and hard times. To persevere requires three things: reflection, planning, and action.

To persevere requires three things: reflection, planning, and action.

When I reflect, I think about everything my parents did to provide me opportunity. Reflecting on the progress I have made using their support brings me a level of gratitude and humility I can’t find elsewhere. Next, I take time to plan for the future of the family I do not yet have. I take time to consider how to advance my career path, which skills I need to develop, and which topics I want to learn more about in order to achieve the goals I have set. Finally, I put my plan into action. I read books, I network in the arena I hope to transition into, and I make specific, intentional moves in my career that help me develop positive habits and character traits.

Remember, the American Dream is alive and better than ever. There is a Spanish saying that translates to: “The difference between the possible and the impossible lies in the determination of a person.” Let’s take inspiration from those who came before us. Let’s go out there and achieve our goals.

About the Author

Mario R Chavez

Cyber Security Agent (CSA)

Mario joined Symantec in January 2018 as part of the Member Services department. Inspired by his parents’ journeys, he is dedicated to implementing positive change. Mario is the leader of the HOLA ERG chapter in Tempe, Arizona.

Zoom Vulnerability

Zoom Vulnerability

The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer’s camera.

It’s a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

Zoom didn’t take the vulnerability seriously:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.


How Do You Protect Users from Themselves?

As they seek to distribute ransomware and other malware, or to gain access to sensitive information and systems, cyber criminals have long been able to count on a huge community of allies: unwitting users. Despite the well-known risks associated with weaponized emails, some percentage of users will inevitably click on unfamiliar URLs in email messages or open email attachments that they shouldn’t.

Moreover, these users often click on suspicious links hidden within attachments, which look harmless, but open up phishing pages or websites hosting malware. Attackers use these complex threats to bypass detection, since many traditional email security solutions fail to stop them.

To counter these user-enabled email threats, Symantec developed our Email Threat Isolation (ETI) technology. Initially designed to protect users who inadvertently clicked on malicious links, we’re excited to announce that our ETI solution can now protect users from potentially malware-laden email attachments. This expanded protection is proving critical because attackers have started to favor email attachments as an infection vehicle, and while Symantec already blocks malicious attachments, there can be malicious content or links within attachments that evade detection.

This shift isn’t surprising, given that dangerous attachments can be relatively hard to identify. Rather than distributing easy-to-spot executables, attackers can hide scripts and other malware within innocuous files. To this end, attackers are increasingly inserting malware within Microsoft Office files, with the malware activated when users enable macros or open PDFs.

In fact, Microsoft Office files accounted for nearly half (48%) of all malicious email attachments in 2018, up from just 5% of all such attachments in 2017. No surprise then that our telemetry shows Microsoft Office users are the most at risk of falling victim to email-based malware.

To protect users and their organizations from risky email attachments, our ETI technology renders these attachments in web sessions, which are executed in a secure and disposable container. This is essentially the same approach that we use when dealing with embedded URLs – by virtualizing browsers in a container where we can safely execute links or attachments. This isolation approach allows us to identify and block any dangerous content, passing along only safely rendered content to users.

In addition, ETI technology isolates all suspicious links hidden in email attachments, since these documents are executed in a secure web container that contains all malicious activity. As a result, embedded links that lead to phishing sites or webpages hosting malware cannot trick users into handing over their credentials or accidentally downloading ransomware.

Broad deployment of our ETI technology could all but eliminate the risks associated with malicious links and attachments.

At the same time, ETI technology doesn’t impact users, as opening up attachments and clicking on links within this environment is performed seamlessly. All of this is done without blocking the entire email or making any modifications to the original attachment. Thus, Symantec is the first and only vendor in the email security industry to prevent suspicious links within email attachments without compromising the user experience.

Broad deployment of our ETI technology could all but eliminate the risks associated with malicious links and attachments. That would have a huge impact across the cyber security landscape because of cyber criminals’ heavy reliance on email to distribute malicious payloads of all types.

This is certainly true for ransomware attacks. According to the Symantec’s 2019  Internet Security Threat Report, email campaigns that used spear phishing and other methods to ensnare victims became the primary method of distributing ransomware last year.

Identifying and countering these ransomware attacks has become particularly important for enterprises. While overall ransomware infections were down 20% in 2018 compared to 2017, enterprise infections were up by 12% and accounted for 81% of all ransomware infections last year.

When examining the success of email-based exploits – ransomware or other – it isn’t fair to simply blame unthinking and careless users. Cyber criminals now use sophisticated social engineering techniques and other methods that can sometimes fool even cautious recipients into believing that malicious emails are safe and legitimate.

That’s why it’s so important to go beyond simply educating users about safe email practices. It’s also necessary to implement defenses against the inevitable slips. To that end, we’ve made it simple for organizations to deploy our ETI technology, offering it as either an add-on to the Symantec Email Security solution or as a standalone service, to add a critical layer of protection to third-party email security solutions.

However it’s deployed, our enhanced ETI offering now serves as a critical component of the comprehensive Symantec Integrated Cyber Defense platform. It complements our Web Isolation technology, our Mirror Gateway, and our full portfolio of industry-leading cyber defense products and services.

About the Author

Nirav Shah

Manager, Product Marketing

Nirav Shah is on the Email Security product marketing team at Symantec, which includes cloud and on-premises offerings. Nirav has 10+ years of experience in the technology industry. He holds a BSc in Computer Science, Georgia Tech and MBA, Carnegie Mellon.